Ingenuity Magazine Spring 2019

Pond Ingenuity Spring 2019 5 The theft of financial information is a serious threat, one which responsible companies should take measures to guard against. There is a large financial gain to earn and keep the trust of customers and a heavy burden to shoulder and overcome should that trust be broken. However, more serious to us all is our national security. Facility designers for military and other government installations need to be aware of the importance of the facilities they are working on. Not the specifics, but how the building fits in to our overall national security infrastructure plan. Who will use the building, and how, is important to ascertain when deciding what controls will be placed on people allowed to access the facility, both physically and virtually. The current unified facilities criteria (UFC) standard for “Cybersecurity of Facility- Related Control Systems” (UFC 4-010- 06) addresses big holes that can be created by the installation of control systems. Essentially UFC 4-010-06 requires a facility designer to work with the owner to determine the control system’s impact level on the facility’s confidentiality, integrity and availability based on the facility’s mission. The designer then determines the system’s components and creates a list, which then determines the cyber security measures that need to be taken. The facility designer should work closely with the site security officers and building users to determine the security classification of the building. At this point it also becomes critical that the facility designer employ a Registered Communications Distribution Designer (RCDD), a data and telecommunications specialist with the highest level of design credentials. The RCDD is best qualified to layout a network infrastructure that will maintain network integrity and be auditable for potential threats. UFC standards are made to protect the government, but by nature are static requirements, whereas technology and the ways in which it can be manipulated are constantly changing. We as building designers are more attuned to and aware of the newer technology that is being deployed in government facilities and should take the lead in identifying potential risks. In fact, no one is in a better position to identify the entry points that control systems pose to a building’s IT system. To ensure future cyber security in government facilities, facility designers must become more aware of the technology they are specifying, how it interacts with critical components in the building and where it connects with the building’s IT network. Lists of those connections and impacts should be actively communicated to owners to give IT teams the best possible chance to protect themselves from cyber attacks. With proper visibility, IT managers can passively and actively monitor those connection points to watch for hacking attempts or the presence of hackers searching the network for other possible targets. As Smart Buildings and high-performance facilities become more efficient and desirable to private and government facility developers, the more infrastructure and “stuff” will be connected to our networks as IoT expands. As facility designers, we are introducing additional system connections that can make our clients vulnerable to increased hacking risks. It is up to us to proactively communicate detailed information about those “hidden” connections to the building occupants and IT management team to make them aware of potential threats to the building systems and their network.  George Fragulis, PE, CEM, BEMP, LEED AP, PMP Program Manager The selection of certain equipment and control systems adds vulnerabilities to a building’s IT network that could not be exploited 10 years ago Who will use the building, and how, is important to ascertain when deciding what controls will be placed on people allowed to access the facility, both physically and virtually