ASHRAE has, for years, strived to keep a finger on the pulse of HVAC security through its Technical Committee TC 2.10, previously TG-2. The focus, directed toward HVAC design engineers, contractors, building owners and operators, and academia, suggests HVAC security begins in the building program’s design phase. At the same time, existing buildings can take advantage of the latest security thinking with a review of Chapter 61, “HVAC Security,” found in the 2019 ASHRAE Handbook - HVAC Applications. Chapter 61’s table of contents includes sections on owner’s project requirements, risk evaluation, HVAC system security, environmental health, and safety design, chemical incidents, biological incidents, radiological incidents, and explosive incidents.

This chapter serves as an introduction to HVAC security and is so stated on the first page, “… is intended to be a general overview and not used as design guidelines.” That said, at the beginning of the building program’s conceptual/schematic phase, the owner’s project requirements (OPR), along with a risk evaluation, should be included in the project’s basis of design (BoD) document. But, when it comes to actually drafting the safety/security section of the project’s BoD document, this should be left to the experts that include environmental health and security (EHS) consultants, government security agencies, and cybersecurity experts to ensure the building, its occupants, and the communication infrastructure will be safe and secure.

Integral to these EHS and security measures and the associated policy and procedure manuals will be the coordination with the HVAC design engineer to include items within the HVAC Systems section, e.g., building automation system (BAS) safeties and alarms as well as engineered systems, such as refrigerant leak detection and evacuation. The same goes for facility management sections of the BoD to address safety and security, e.g., training and emergency drills for the occupants. As part of this, the HVAC BoD should include the BAS network and computer design to prevent outside and/or inside incidents from disrupting and/or hacking control of the BAS.

Within Chapter 61, there are chemical, biological, radiological, and explosive (CBRE) “incidents” that highlight potential safety and security hazards, but one could better define these incident discussions as follows.

  1. Incidents from outside affecting the HVAC systems and the BAS components as well as the electrical system and communication system via unauthorized users and cyberattacks (communications network hacking of these building systems for gaining information or causing damages); sabotage (destruction of lab results or data center information or related operations); disconnecting or cutting of communications (phone lines and internet), preventing the reporting of issues (internet-related threats); viruses (unauthorized access to secondary platforms); access to the security, elevators, or fire system because of networking used; and more extreme attacks, such as terrorists and bomb threats.
  2. Incidents from within affecting the HVAC systems and the BAS components/personal computers (PC) via virus introduction (viruses engineered to damage components or change software); programs set to take the BAS communications out and provide access from an outside source; not updating passwords and resulting damages caused by previous employees or others with access because passwords were not protected; secondary access to the elevators, security, and fire systems; networking interruption due to construction, cut wires, controllers down, etc.; inadvertent operations damages (information technology [IT] uses of open protocols, third-party components, certain gateways, communications interfaces); and more extreme attacks, such as cyber-terrorists.

Note: Refer to an article in Engineered Systems magazine’s January 2016 issue, titled, “Creating An HVAC Security Basis of Design,” and an article in the July 2012 issue, titled, “HVAC Security Emergencies: No Terrorist Required.”

FIGURE 1: A basic risk evaluation template. Image courtesy of Building Smart Software

The Design Phase

HVAC security and building safety considerations should begin at the start of the building program in the design-schematic phase and not be an afterthought later in this program. Unfortunately, the majority of commercial, industrial, and institutional projects gloss over the needed security BoD, even when a third-party commissioning agent is contracted to provide an independent review of these BoD project documents. The exception to this oversight may be a government new construction or renovation project, where the government will bring in a security consultant or its own security agency to create the building program safety and security BoD. My own experience working on several facilities in Washington, D.C., has been to turn over the HVAC at the design development phase and contract document phase for a security agency project interview and review of such drawings and specifications. At no time did I receive feedback from the agency individual doing the interview and review, but I did know security measures would be incorporated in confidence before the project went out to bid in a separate set of contract documents and that the security systems would be installed during construction. These additions to the design usually weren’t shared with the design team, even as the project construction was completed and commissioned.

I understood the need for maintaining silence about the security measures, but I never got a definitive answer to who will be responsible to commission the BAS security and communication enhancements, nor did I get an answer to who would be assigned the operation and maintenance (O&M) of these security systems. The assurance that security systems performance would be sustainable based on commissioning and continuous O&M was always a concern of mine. Today, with cybersecurity being paramount to the safety of building occupants and security of communication and computer software, I’m left to assume this will be taken care of by others, which concerns me.

In the schematic design phase, the building owner’s team will work together to communicate its OPR to the design team, who will then draft the initial BoD document. At that time, a “risk evaluation” should be standard procedure for all new projects and not just government agency jobs. The Federal Emergency Management Agency (FEMA) and other similar agencies will have their own support documents to assist in completing a risk evaluation. Unfortunately, outside of the government, many organizations, companies, and institutions do not have their own standardized document to draw upon, but Chapter 61 of the ASHRAE Handbook does offer some guidance to completing a risk evaluation. Based on lessons learned, a simple checklist could be drafted for the building program; while the program may not be considered high risk, it is still vulnerable, and a security BoD action plan could be drafted to address that vulnerability. Figure 1 offers a first pass at such a checklist. This template would serve as a guide for the design team, ultimately resulting in a security action plan response to potential risks.

At the end of the design-development phase, the design team should have included within the contract specification — possibly in division one general conditions — a security section highlighting the segments of security and safety criteria that are integral to the project, including an HVAC narrative, that identifies who is responsible for pertinent parts of the security scope of work, such as:

  • BAS submittals, installation, commissioning, operator instructions, and remote monitoring of safeties and alarm responsibilities;
  • Confidential system submittals, installation, commissioning, operator instructions to security clearance personnel, annual maintenance contract, and reporting responsibilities of the assigned security firm and/or agency;
  • Listing of all critical systems and description of importance; architecture of systems that are integrated to each other with description of how and the amount of information shared, e.g., drawing of networks throughout the facility and description of vulnerabilities, etc., shall be the responsibility of the integrations contractor;
  • Listing of all safeties, which must be hardwired and/or monitored for HVAC operations, and the contractor performing each, inclusive of those provided by the manufacturers, shall be the responsibility of the mechanical contractor;
  • Listing of all systems supported by backup power sources, including identification of the sources (UPS, generator, batteries) as well as documentation on all circuit breakers that are used for building systems, inclusive of networking, shall be the responsibility of the electrical contractor;
  • Recommended test demonstration for critical systems and safeties, etc., shall be the responsibility of the commissioning agent.

At the end of the project, building management (with the BAS contractor’s help) should put important recap documentation on the main workstation hard drive for easy access in the event of an emergency.

Construction Phase

In the preconstruction phase, when shop drawing submittals are produced for the design team review, a similar submittal review process should have already been determined so that confidential documents are processed through the proper security consultant and/or security team. As the project proceeds into construction, startup, and commissioning, the production of safety and security systems will follow in sync while maintaining confidentiality of documentation. The as-builts from all contractors should include directives for upgrading and maintenance so the building owner/IT department does not implement platform changes that could damage operations without comparable upgrades from manufacturers, the BAS contractor’s software, etc.

With appropriate operation and maintenance manuals and associated training in parallel with job closeout activities, there should also be a method to sign off on the security BoD and the security action plan. While the systems, of course, are engineered to continuously operate, there must also be a process in place to maintain and continuously commission the HVAC security protection so facility and management procedures and responses are kept up and verified. This process should include evaluation of all platform communications, password accesses, and expansion changes to systems and networks within the building.

Perhaps even testing could be put in place analogous to the golden days of implementing unscheduled fire drills. Dwight D. Eisenhower said, “Plans are worthless, but planning is everything.” Safety and security practices and advance-testing procedures are even more important in our ever-changing world today. Well-thought-out planning does help, even when the least expected occurs.

Eisenhower further stated, “The very definition of ‘emergency’ is that it is unexpected, therefore it is not going to happen the way you are planning.” The practice of security action plans can make perfect in our world today.

Summary

Building and occupant safety and security concerns have spread worldwide, and today’s building owners and design teams should be acknowledging the seriousness of vulnerabilities as they pertain to the HVAC systems and the BAS, both from the outside and also from the inside of buildings. Government projects should not be the only building programs with high-risk HVAC security OPR, BoD, and security action plans implemented throughout the design and into the operational phases. Serious damages can be avoided by planning in advance.

At this time, design teams along with building owners should reference ASHRAE Guideline 29-2017, “Guideline for the Risk Management of Public Health and Safety in Buildings,” at the start of any building program. In 2023, ASHRAE will be publishing its 2023 Handbook — HVAC Applications with revisions expanding Chapter 61, “HVAC Security,” but the revisions will only scratch the surface for incorporating HVAC security and BAS-monitored and -implemented safeguards for our world today. Maybe, someday, there will be safe and secure building (SSB) certifications in addition to the LEED certifications for buildings, and we will all be better for it.

Author's Note: I would like to acknowledge Mary Anne Kirgan, owner and president of Systems 4 Inc., for sharing her experience with design, build, operation, servicing, and training of building automation systems (BAS) as well as the chronic day-to-day issues and concerns with interfacing the BAS with building owner’s communication network architecture. She has decades of experience and certifications, including Schneider Electric’s EcoStruxure Architecture, Engineering, and Applications; Andover Controls’ Programming Certifications for all product lines; and Modicon 484 and 584 programming.