There is some guidance available to help with security design for HVACR systems. ASHRAE Guideline 29 presents a framework for risk analysis, and the American Society of Civil Engineers (ASCE) has published a Building Security Rating System that contains a simplified method for risk analysis. The ASCE method considers both the threat — how likely is a given threat to occur for your building — and the impact — what are the consequences of an event. The combination of the threat and impact determines the appropriate level of risk for design consideration, and thus the countermeasures that should be implemented.
A useful set of questions that can help focus design efforts is found in FEMA 426, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings. The questions are paired with guidance and range from “Where are the air intakes and exhausts located?” to “What are the types and efficiency of air filtration?” to “Does the HVAC maintenance staff have the proper training, procedures, and preventive maintenance schedule to ensure CBR equipment is functional?” This last question is crucial, since even the best design will not serve its intended purpose, whether for resilience, security, or normal operations, if the system is not properly installed, commissioned, and maintained.
Chapter 61 of the ASHRAE Applications Handbook discusses risk analysis and security measures in a general sense but also provides some basic steps that can be used to reduce risks. In addition, the handbook provides descriptions of the threats posed by chemical, biological, radioactive, and explosive events with some references for obtaining further information. As yet there is no single reference that provides all the material needed to design HVACR systems for enhanced security, but with a little digging and connecting of the dots, an engineer can put together a security plan for most typical facilities.
Cybersecurity was not addressed in this column, even though it is a major concern as our buildings and their systems become more interconnected, accessible, and, therefore, more vulnerable. The recent hacking of a water treatment facility has highlighted the cybersecurity threat for what are commonly considered nontraditional targets. Any system connected to the outside world is potentially subject to unwanted intrusions, while internal actors remain the greatest threat for most facilities. Cybersecurity is a complex topic on its own, which I’ll discuss further in future columns.