How Secure are Your Facilities?
By Ted Weidner - October 2004 - Security
Three years ago in September, the typical maintenance and engineering manager’s opinion of the importance of facility security changed dramatically. Even if one had thought about planning for a bomb attack like those at the World Trade Center and Pentagon, the reasons for taking stock of facility security changed abruptly on 9/11.
In addition, the Oklahoma City bombing, anthrax scares, Tokyo subway gas attacks and other attacks have brought the issue to the forefront. In the ensuing years, many managers have overseen or taken part in security audits, particularly if they work in large or high-profile facilities or if the facility houses sensitive activities.
What’s in an Audit?
In its simplest terms, a facility security audit looks for threats that could disrupt a facility and its operations. These include but are not limited to: threats or attacks on housed employees or visitors; damage to facility components or systems that will affect occupants; and damage to the area around the facility affecting non-building property or the ability of occupants to safely evacuate the building.
An audit should identify possible entry points for these and other disruptive activities, and it should provide a way for facility personnel to plan for physical changes or modifications to the facility or to develop a response plan. Identifying the way the organization responds to potential threats or disruptions is the next step in the planning process, and it is handled separately in the emergency or security response plan.
The security audit should look at threats, access points and types of attack. These areas are not necessarily sequential in a facility security audit, although they can be. They are starting points that allow a manager or security specialist to begin the process.
Managers first need to identify facility threats to help determine the level of detail for the audit. For example, if a facility houses critical public services, such as police, firefighters, or emergency medical services, managers might review it differently than if it housed commercial activities. That difference does not diminish the need to audit a commercial facility; it simply allows the manager to focus on different areas.
Managers also will need to assess whether the facility is susceptible to attack because it houses a controversial activity and whether a disruption would have an immediate effect on more than just the facility and its occupants. They can address many threats by using perimeter solutions, which keep unauthorized people far enough away from a facility to minimize damage.
Identifying threats requires that managers know about activities going on in their buildings. Talking with occupants regularly will help identify potential threats. When managers are accessible, occupants are likely to be more willing to identify potential security problems in advance.
The challenge with many threats is that they often arise from insiders, such as disgruntled employees or the estranged spouse of a current employee. Such threats are particularly problematic because these people can easily gain access to a facility, due to their personal familiarity with a facility or its occupants. Perimeter solutions might prevent such problems, but managers also need to incorporate non-facility solutions.
Access points are those facility areas at which a facility’s security and safety can be breached. The most obvious access point is a door or operable window at or near grade level. Other access points include: fresh-air intakes; utilities, such as water, sewer and electric service; roofs; adjacent facilities; and the Internet.
Some access points are easier to control than others. For example, a receptionist or security guard can staff public entrances, and cameras can record activity and assist in identifying a threat. Also, cameras and door-open detectors can monitor private entrances, emergency exits and windows.
Facility access points located in remote areas present the greatest challenges. Building designers purposely locate fresh-air intakes away from air exhausts — often on the roof — so hazardous fumes do not circulate back into the building. These intakes also are located away from loading docks to avoid the fumes associated with idling delivery vehicles.
Air intakes also are often large to limit their number and might be at or below grade level. The goal is to have them above grade, high enough so they are not accessible without equipment while still being located away from building exhausts. This is a significant design challenge on a one- or two-story building.
Utilities — those with entrances large enough to accommodate a human or those that provide critical services to a building — represent another set of access points that managers must control. Critical utilities should have back-up systems where possible; emergency generators for electricity and local water storage are two examples.
Finally, the Internet provides a new and challenging access point for maintenance and engineering managers. While building automation systems have become essential tools for managers, they also have provided a potential access point for outsiders to control the same systems a manager does. Electronic firewalls and other security software are essential tools in preventing unauthorized access to these systems.
Types of Attacks
Individuals can carry out an attack on other individuals — a disgruntled employee against a supervisor or peers, an estranged spouse against an employee, or a disaffected individual against a social group. These attacks can occur with handheld weapons, explosive devices, poisonous gas, toxins and other biohazards. They also can occur through various Internet denial-of-service or virus attacks.
A face-to-face attack can occur when an individual enters a facility with a weapon. A faceless attack can occur through a remotely controlled explosion or introduction of a chemical or biological hazard.
The mail has been used as a vehicle for this latter form of attack with explosive letters or packages and anthrax powder. Mail sorting facilities — both the U.S. Postal Service and department mailrooms — should be investigated and assessed. Are there adequate fresh-air and exhaust systems? Can they be sealed off easily if needed?
Each facility should have an emergency operations center or crisis communications room. In this room, located in or near the facility, a crisis response team will conduct response activities in a safe and secure environment.
Initiating a security audit might seem overwhelming for someone who has never conducted one before. Often, consultants can lead the effort by providing guidelines and suggestions and facilitating contacts with other interested parties. But they can’t write the audit alone. The organization must provide site-specific technical details.
Managers understand the construction and operation of buildings. They know the weak points, including components that are old and might no longer meet code but are considered safe due to grandfather provisions in the codes.
They also know the effects on operations of shutting down building systems. For instance, if an incident compromises a fresh-air intake, a first response might be to shut down intake fans or close intake dampers. But if exhaust fans are not turned off or changes are not made to replace the air, the building could become negatively pressurized, and exit doors would be hard to open, trapping occupants.
Audit from the Start
A more recent event in the news suggests a different kind of security audit that could be included during building commissioning or construction. The school attack in Beslan, Russia, apparently was accomplished through years of planning. As the school was being renovated, contractors or their employees smuggled explosives and other materials into the building and hid them under floors and behind walls.
This strategy suggests that organizations also must have a security audit for the planning, design and construction phases of the building, not just for occupancy. Managers should implement inspections of a facility during construction to look for unusual objects or components that are not part of the approved plans.
Knowing the people working in a facility or on a construction site is also an important element of overall security. Does the facility have a system of photo identification tags? Do tags for contractors look different from those for in-house personnel? A construction project with a great deal of turnover of subcontractors and workers might require managers to change the color or style of ID tags daily to prevent unauthorized access. Fences are not necessarily enough to secure the site.
A facility security audit does not have a particular place it must start. Managers can initiate it at the:
- system level, such as HVAC or access control
- floor level for multi-story buildings
- building level for a campus
- departmental level for large organizations.
Perhaps the biggest challenge facing managers is starting and following through with a reassessment schedule so the audit remains current with physical configurations and systems, logical organization of departments and activities, and potential threats.
Once a facility audit is completed or updated, managers should share it with appropriate parties to ensure the facility emergency response plan — a separate effort — conforms with the audit and vice versa. The current heightened awareness of terrorism and threats might be temporary, but overall facility security concerns must be ongoing.
Critical System Checklist
Facility security audits must include critical systems and equipment, including these:
- Utilities: Sufficient redundancy or back-up to address evacuation and a facility's potential continuous-operation needs, such as emergency generators, secondary fuel sources, back-up potable water, and Internet firewall and encryption systems.
- Structure: Redundancy and protective systems, usually through perimeter protection, to prevent catastrophic and sudden failure.
- Envelope: Blast-resistant walls and glass or designated pressure-release panels, perimeter protection.
- Interior: Fire walls, fire doors, smoke doors, clearly marked exits and egress plans with alternate egress, and an emergency operations center or room with back-up.
- Access: Control points staffed with knowledgeable and suitably protected individuals, monitoring at other non-public access and egress points, roof-access control, key-control system and policies, and ID tags for all employees, visitors and contractors.
- Vertical transportation: Monitoring for elevators, escalators and stairs, as well as the ability to seal off floors or levels.
- Fire control: A fire sprinkler system, fire-control panels at appropriate entries, standpipe systems, and fire extinguishers appropriate for emergencies.
- HVAC: Air intakes that are remote or protected from unauthorized access, an alternate fresh-air source, damper controls, appropriate filtration, and intakes and exhausts that are coordinated and controllable.
- Electrical: Emergency generators, clearly identified emergency power sources, emergency lighting, adequate exit lighting, and power conditioning and uninterruptible power supply for critical equipment.
- Communications: A building automation system integrated and coordinated with the security system, public-address system, emergency power for telephone, and radios.
Ted Weidner, Ph.D., P.E., AIA, is the president of Facility Asset Consulting and provides planning, design, and operational consulting services primarily for non-profit facility owners/operators.