Colin Tankard looks at the security of your building now that it is connected to the world
Buildings today often incorporate the use of a building automation system, which provides automated centralised control of systems such as heating, ventilation, air conditioning and lighting. Buildings that incorporate such systems are often referred to as smart buildings. According to AutomatedBuildings, a smart building is defined as one that incorporates “the use of networked technology, embedded within architecture to monitor and control elements of the architecture for exchange of information between users, systems and buildings.”1
One survey from MarketsandMarkets forecasts that the market for smart buildings will grow from more than US$4 billion in 2013 to reach almost US$19 billion in 2018, the largest share of which will be commercial buildings2. The development of smart buildings is part of the fast growing vision of the Internet of Things, in which all sorts of devices will increasingly be connected over IT-based networks, many of which will come into use in commercial buildings, offering smarter and more efficient data management to drive efficiencies. Gartner predicts that 26 billion devices will be connected and online by 20203.
According to Memoori, the value of the Internet of Things in terms of buildings is as much about data as devices as collecting data from more services and equipment will provide a more granular view of overall performance4. For greater operational efficiency, such systems will increasingly collect, store and analyse data in the cloud.
Fig 1: Market for the Internet of Things in buildings spread by region
Smart buildings and security
Commercial buildings and facilities face a range of security threats, including from terrorist issues, disgruntled employees, workplace violence and criminal groups as well as from geopolitical actions such as riots and political unrest and natural disasters. There are also a number of other factors impacting building security owing to the nature of many commercial buildings, especially large complexes and high-rise buildings in dense urban environments that often are rented out to multiple companies that represent significant challenges. Security in such environments is complicated by the relative anonymity of users and occupants. This can lead to a poor security culture and result in interlopers going unnoticed and restricted movement in terms of elevators and lobby areas that can hinder guarding and emergency teams. The fact that services such as utilities tend to be grouped together into one service core, to make them easier to manage, can also make them easier to target.
Because of factors such as these, monitoring systems are in widespread use in a range of facilities that include office buildings and complexes, industrial facilities and campus environments. Capabilities that they offer cover a wide range of physical scenarios, including perimeter protection, video surveillance, employee and visitor screening and access control, and emergency response, including evacuation.
As smart building technology has advanced, such systems are increasingly being ported over from analogue to IP-based controls that offer expanded functionality and improved connectivity, including integration with mobile technologies. However, the expanded functionality that is offered has major implications for operational security since expanded connectivity heightens vulnerabilities to cyber attacks affecting networks.
According to Machina Research, the largest application group within the smart building sector is for security, which will account for 47% of revenues by 2020, with controls such as alarms, CCTVs and access control systems becoming increasingly connected. One of the main trends that will be seen is increased mobile connectivity5.
Checklist: minimum building security
Building security measures should seek to provide:
A consistent, complainant and auditable approach
A strong secure perimeter with a limited number of access points into the building
Controlled access of all people and vehicles onto sites—maximising the benefits achievable from access control systems
Heightened security measures for areas containing particularly sensitive items and/or key operational equipment, documents, records etc
An intruder alarm system to support the physical security arrangements employed, supplemented, as appropriate, by CCTV cameras etc
Trained, knowledgeable security personnel where guarding needs to be deployed
Training of/communication with all building occupants and visitors to make them aware of security issues and the procedures that they are required to follow
Contingency plans and procedures in the event of security alerts and emergencies
Consistent and timely response from internal or external resources
And, solid liaison and network with appropriate external bodies, including police, fire service, ambulance service, local authority, utility providers and communication providers.
The need for more effective controls
As buildings become more connected, one of the main challenges is managing the flow of data so that the current security environment can be understood and incidents can be responded to in an efficient manner based on gaining actionable intelligence from the data. This requires the use of a technology system that can collect, analyse and provide visibility into all information flows, looking for anomalies that could be indicative of a security risk, incident or vulnerability so that corrective action can be taken according to the incident response plan that has been developed in order to safeguard systems and applications. For building controls, it is essential that security incident, logs and events are collected from both IT controls and physical security systems, such as logical and physical access control events, in order to give an overall picture of the environment and to provide visibility over what is happening in the network and in terms of physical monitoring measures.
For data protection purposes, all logs and events should be encrypted both in transit through the network and communications mechanisms, as well as in storage, where they should be held in a repository that is tamperproof and that is robustly protected with adequate access controls and granular, but not excessive, entitlements.
Such a system must provide a central secure online environment that offers proactive task assignment and management for improving process flows, as well as providing a comprehensive audit and reporting facility. The audit trail is based on all events that have been tracked from multiple systems and should indicate what actions have been taken in response to every incident encountered, with reporting capabilities that indicate the effectiveness of the measures that have been taken. This is also useful for governance purposes, such as alerting when security patches have not been applied in a timely manner so that remedial action can be taken.
So that senior executives can act on the information, reports should be provided as a dashboard, with information portrayed visually. This will allow those executives to analyse information and to pose questions of those in the organisation which could lead to an overall improvement in security and can lead to more effective, granular policies being set, as well as achieving an easy to digest view of overall security, which is vital for effective governance, and for understanding the full range of threats faced and the effectiveness of incident response actions. Visualisation will also provide a spatial awareness of events, such as those surrounding the building as they unfold. Using such technology, it is possible to plot an incident on a map and apply additional information such as that available through Google street view for more visual description of the area. This provides a vital tool for remotely managing such an incident.
The central management system should also provide a facility for storing key documents, or images, relating to building protection that can aid in incident response, such as floor plans and standard operations procedures. This is also the place where best practices and procedures can be filed so that those in charge of responding to a particular incident can quickly find information that is relevant to dealing with, and recovering from, specific types of incident that could occur. This is also the place where incident response plans such as fire and evacuation planning and incident management procedures and contacts should be stored. Currently, such information is lost in a cabinet on an inaccessible floor!
The interface into the central management system should be web-based so that information is available over a browser interface and can be accessed from any internet-enabled device, including smartphones and tablets.
By providing safe and secure interfaces to mobile devices or web browsers, remote access capabilities can be provided so that security operators can configure and control the system from wherever they are, and even out of hours. To gain full benefits, all components should be web-enabled, including the control panel, access control mechanisms and all monitoring capabilities. All endpoints that are external devices and are digitally controlled such as sensors, cameras, access control mechanisms, door and window locks should be included in the continuous monitoring process.
The central console provided by the security management system provides a policy enforcement point. Policies should be developed that cover every possible security scenario, based on detailed risk assessments that take into account the specifics of each building, its location, level of occupancy and type of business conducted on the premises. In developing risk assessments, it is important to take into account health and safety legislation compliance, which tends to vary from country to country. Policies are only effective if all to whom they apply are aware of their responsibilities, understand what is expected of them and are made accountable for their actions and therefore communicating and training of staff on the provisions of policies is essential.
Checklist: applications and information made available through central console
Incident & crisis management log records and reporting tools
Audit records and reports
Standard operating procedures
Technical security countermeasures including alerts and real time change processes and workflow
Business continuity plans
Health and safety records
And, best practices and procedures for bomb threats and suicide bombers, hostile reconnaissance, lift entrapment, suspect packages, protest/occupation/civil unrest, lost/stolen/found property, workplace violence, active shooter, data centre security, critical alarms, mail room procedures, CBRN(chemical, biological, radiological and nuclear warfare)/HAZMAT (Hazardous materials and items) and domestic extremism.
Source: Global Aware International7
One of the benefits of using an IP-based security system is that a wide range of communications is supported, including call routing and mobile support, providing access to security-related information in a fast and efficient manner, making incident response quicker and more effective. Other communication methods can also be supported, including instant messaging and email for when information needs to be sent as text, such as sending floor plans to an onsite responder. These methods can also be used to send around mass notifications to all occupants or groups within a building—for example, to provide them with instructions or to send around warnings such as when a storm is approaching.
Overall, such a security management system will improve the efficiency of building services and guarding teams by mitigating the risks that are faced and by providing for more effective and efficient remediation of incidents that occur.
Checklist: key benefits
Operational excellence model
Risk and gap analysis
Real time audit and process flow
Paperless and prompt decision-making
Real time change management
Improved productivity resulting in commercial advantage
Source: Global Aware International
A security management system for smart buildings will provide the underpinning for resilience in building management and critical systems, both for single or multiple buildings such as in a campus environment. For maximum effectiveness, it should cover all areas of risk that have been defined and should include mitigation strategies and automation for all security concerns identified. To suit the needs of particular buildings and facilities, the system should provide a choice of integrated applications and components to give facilities managers’ maximum flexibility in terms of risk mitigation and management. This will also avoid having to invest in components that are not required in a particular situation, providing for maximum return on investment.
By choosing a system that is IP-based, it can be more flexibly deployed and reduces the need for deploying physical communication interfaces such as cabling that are limited in their range. With an IP-based system, controls such as wireless intrusion detection units can be placed on each floor, connected via Ethernet or wireless, reducing the cost involved in implementing physical connections and improving overall security by being able to centrally control all devices.
As well as providing benefits for facility managers, a web-based security management system will improve the perception of security among occupants, making them feel safer and making prospective tenants more likely to be interested in taking space in the building. However, in order for this sense of security to be felt, all occupants should be made aware of the protection measures that are being taken so that they buy into the schemes and can achieve peace of mind.