ASHRAE Journal - May 2023 - 24

FEATURE
the internet for a wide variety of reasons. One question
the designer should ask is if this is absolutely necessary
for the facility to operate. Certain facilities can operate
without any outside network connection, thereby significantly
reducing/removing external threats.
An example of a significant external threat is the use
of back-door networks. These are the cellular or open
Wi-Fi connections put in by contractors, integrators or
equipment suppliers unbeknownst to the owner or used
for " temporary " setup and commissioning prior to the
full IT network being in place. However, the temporary
access becomes permanent when the contractor forgets
to remove the interfaces.
One best practice for helping secure building systems
is to build in continuous monitoring of the various
threat vectors in the base system design. Simple
monitoring of communication systems for anomalies
can provide a rapid response mechanism for facility
managers. Often systems are not designed with any
network traffic monitoring. When a breach occurs, it
may be hours, days or weeks before anyone realizes it,
and the damage is done.
Facility Cybersecurity Assessment
Part of any good risk assessment is starting with a good
understanding of the owner's risks and paranoia. " What
could happen? How concerned am I if it does? And what
would be the impact? " The answers vary depending
upon what kind of facility is involved. A model for risk
assessment based on facility type and use is provided in
ASHRAE Guideline 13-2023. The owner should take the
lead when doing the initial cybersecurity assessment
and bring together the right team members and experts.
The outcome is a set of guiding principles, procedures
and requirements that are handed to the design team
to implement.
There are three levels of facility types (Basic, Moderate
and Advanced) based on potential risk and negative
impacts of a cybersecurity breach (Table 1).
Basic Building Type
Basic buildings may have minimal occupant levels per
square foot and minimal information data (such as BAS
access credentials, key cards), health risk or negative
effects if a BAS breach did occur. There may be limited
or no major assets, and the building may only have some
basic HVAC equipment. These buildings often have very
24
ASHRAE JOURNAL ashrae.o rg M AY 2023
TABLE 1 Building types.
BASIC
Small Office Building
Restaurant
Supermarket
Convenience Store
Gas Station
Small Apartment Complex
MODERATE
Schools
ADVANCED
Shopping Center or Mall
Medical Outpatient
Facility
Regional/Local
Government Office
Medium-Sized Leased
Space Office Building
Hospital
University
Manufacturing Facility
Large Office Building
Corporate HQ
Research Lab
Operations Center
Data Center
Government Campus
Military Facility
Broadcast Media Facilities
Emergency Services Facility
transient occupants, such as a store where a person has
a limited amount of time within the facility and minimal
interaction with the BAS system, or where there is
a smaller core group of occupants with a higher level of
transient occupants that arrive for services (shopping,
eating), and then leave. It also may not have many on-site
assets of note. This type of facility typically does not have
any dedicated IT staff or IT resources available locally.
Moderate Building Type
This type of facility has more risk to the occupants and
moderate levels of potential disruption in the event of
a breach. Moderate occupant density and type may put
this facility in a moderate category of risk. There may be
some critical assets like computer systems or products
that are at risk. More specialty systems are found in
these types of buildings, including access to controlled
substances, more personal data and more complex BAS
systems (i.e., air quality monitoring, advanced physical
security screening and risk and more critical workforce
task risk).
Additionally, these types of facilities will often have
some IT expertise available either as part of the local
staff or from an on-demand service supporting the
facility or the organization. The IT staff will typically be
involved in some level of securing the building through
setup of the IP network.
Advanced Building Type
Buildings that could pose a very high risk either to
personnel, information, assets or the facility's process if
compromised cybersecurity-wise fall into the advanced
building type category. These types of facilities require
http://www.ashrae.org
ASHRAE Journal - May 2023

Table of Contents for the Digital Edition of ASHRAE Journal - May 2023
