Over the last two months, I’ve examined how to determine the risk to a facility and a methodology for performing a relatively simple risk analysis. One of the remaining questions is what to do once you've determined the risks? This column will explore that question, again using the American Society of Civil Engineers (ASCE) Manuals and Reports on Engineering Practice No. 128, “Building Security Rating System,” to illustrate the concepts. The overall risk in the manual is quantified as one of five required levels of security ranging from “Rated,” the minimum security that any building should implement, to “Platinum,” the highest level of security appropriate for the most valuable or vulnerable buildings. Based on the required security level, the document directs users to several countermeasures that are divided by the building system category and increase in number, effectiveness, and cost as one moves up the required security rating ladder.

Let’s focus this discussion on the “mechanical” and “equipment maintenance and operations” categories and explore how the countermeasures build on each other to provide increasing levels of protection. Starting with operation and maintenance, at the Rated level, there is only a single countermeasure suggested, “Access to building information is restricted.” This is a very basic precaution and is meant to ensure that only those who need to know are aware of how the building operates. At Bronze-level security, the requirements are having up-to-date drawings of major systems and an updated operations manual. At the Silver level, a preventive maintenance schedule for ventilation systems is additionally required. In addition to rebalancing critical air systems once a year and testing backup power monthly, as are required for the Gold level, the Platinum level adds performing periodic recommissioning of systems. What we can see is that each step of enhanced security builds on the previous steps, generally comes at an increased cost, and that the implementation effort involved reflects the risks that are being addressed.

The list of countermeasures for the mechanical systems security is more extensive, and only a few highlights that demonstrate the type and escalating nature of actions as the threat/impact increase are discussed. Starting with access to equipment, at the Rated level, the only requirements are that access points, both interior and exterior (ladders, hatches, etc.), are restricted to authorized personnel, and that doors to mechanical rooms are kept locked. No additional security requirements regarding access are provided for the Bronze level. The Silver risk level requires that air intakes are moved from easily accessible areas; HVAC equipment is not kept in high-risk areas, such as loading docks; and that return air grilles are secured from general access. Finally, at the Gold and Platinum risk levels, the physical security of mechanical systems is further enhanced with monitoring (CCTV, guards, etc.) of air intake locations, and that an automated system is used to control and monitor access.

When considering countermeasures involving air filtration or advanced design, the normal building design practices are deemed sufficient for Rated and Bronze risk level categories, and no further action is required. However, as the threat/impact level increases, additional measures are required. HEPA filters are required on all air-handling systems at the Silver level, and gas adsorption filters are additionally required at the Gold level. The use of air-plume models to determine threat to the facility are implemented at the Gold level, while the results of that analysis are further implemented to locate air intakes at the Platinum level. The Platinum level has several additional requirements, such as the use of low leakage, fast-acting dampers on the air intakes, and designing with sufficient space and access to allow the future installation of CRB-detection technology and large filter assemblies.

Achieving appropriate security for a building requires that the entire process be put together in a logical manner. The level of risk faced by a building must be combined with the goals of the owner, and appropriate security measures must be subsequently designed and implemented to achieve those goals and mitigate the risks all while keeping in mind the cost-effectiveness of the solutions. In future columns, I will discuss other questions, such as how to handle a change of occupancy, that can affect security or the development of new threats that were not initially considered.