Are Your Engineered HVAC Systems Safe from Contamination and Cybercrime?

We are starting a new year, and I believe the HVAC consulting engineers responsible for design engineering need to make a change in 2019 as to how HVAC systems are engineered to be safe. ASHRAE’s 2019 Handbook will be out this coming June, and I encourage readers to take the time to review chapter 59 on HVAC security as an introduction to this topic or as a refresher course for others. The chapter isn’t intended to be a comprehensive security guide but instead is intended to raise a reader’s awareness.

The chapter also recommends design engineers consider directing their clients to procure the consulting services of a specialist in security whether it is to design a security system, design software to protect the building’s combined automation network, hazmat protection, and terrorist protection. From there, one can research security further on the internet with its wealth of information as well as make time to attend seminars on building security to learn more on this topic.

Security and safety topics to research prior to engineering one’s next HVAC system design are:

Safe from outside sources penetrating the HVAC automation from the internet to create havoc and steal information on the building-wide network;
Safe from outside contaminated air being introduced into the building as ventilation; and
Safe from within the building causing personal harm as well as harming the building itself.

Here are a few examples of security attacks coming into buildings from the internet:

About 54 percent of organizations surveyed by Enterprise Strategy Group (www.esg-global.com) in December 2016 said firms have experienced at least one type of cyberattack and/or cybercrime security incident. Getting into the building’s network can happen, and has happened, through the HVAC BMS.
Cybercrime currently costs the global economy about $3 trillion, according to Microsoft. Companies today understand cyber-security protocols and policies are increasingly important parts of environmental, social, and governance considerations. Part of this environment should include the BMS.

Here are a few examples of outside contaminated air being introduced into the building with outdoor ventilation:

Natural events such as toxic fume accidents adjacent to buildings (e.g., railroad car accidents) occur annually and HVAC building system designs may not take into account what potential accidents can occur just outside the building allowing contaminated air to be drawn through the HVAC system. (Refer to “Creating an HVAC Security Basis of Design,” Engineered Systems, January 2016).
Potential for terrorism can be a very real possibility with the introduction of airborne chemicals at outdoor air intakes serving the HVAC systems. BMS sensors need to be able to pick up these deadly particles in the airstream upstream of the initial air filters.

Here are a few examples of harmful incidents within a building:

The delivery of packages into building mailrooms containing deadly chemicals (e.g., ricin and anthrax) can be further compromised by HVAC system operation. These incidents have been occurring going back to 2001, but today, government and corporations have adopted techniques to detect and handle ricin as well as other poisons that may arrive in the mail. The HVAC system design needs to be capable of complimenting these detection techniques and not compromising them.
Accidents within buildings, as well as specific rooms designed to handle explosive chemicals, have been an issue of concern for years, particularly in laboratories. For the most part, HVAC design engineers are not qualified to design the HVAC system and/or emergency evacuation system for a project without consulting a specialist in chemical spills and explosion-prevention techniques.

Security leaks through your HVAC system design can come in a multitude of ways, and it is safe to say that the HVAC design engineer does not have the solutions to all these potential deadly and/or expensive compromises within a building. This year’s chapter 59 of the ASHRAE Handbook will raise awareness to HVAC security, but it will not provide all the answers to the problems. That said, experienced HVAC design engineers must keep current with what is happening in cyberspace, what is happening in the world pertaining to terrorism, and what hazards can occur within a building. When it is not safe to simply go shopping in a populated mall, HVAC designers should think about how they can be more vigilant with their HVAC system design.