The COVID-19 pandemic has been upon us for several months now, and 20/20 hindsight is asking, “Why weren’t we ready for the pandemic?” So, as I sit and listen to the daily news while “sheltering-n-place,” it got me thinking of another potential pandemic: building security and safety. 

I was recently interviewed by Partners IN Progress on the topic of HVAC and security. This article was just one more early warning directed toward our exposure to cybersecurity and HVAC security (ASHRAE 2019 HVAC Application Handbook, Chapter 61). A few years back, Engineered Systems magazine published a similar article, titled, “Creating A Security Basis Of Design.”

It has been said that this COVID-19 pandemic is a 100-year occurrence and follows the 1918 Spanish Flu. Aside from 9-11 and a few other occurences, there was another notable cyberattack that came through a building’s HVAC system at a large retail store in 2013. This cyber criminal gained access to that store’s customer credentials via the HVAC’s building automation system through an external vendor portal. 

In another case of 20/20 hindsight, facility managers and consultants (security and HVAC consultants) should have implemented a basis of design policy and procedure that included a risk evaluation-risk management document, covering building and occupants, potential threats and vulnerabilities, first responders, and post-event remediation opportunities. 

Just like HVAC commissioning requires the writing of a basis of design, the building’s security system also requires a commissioning basis of design. And, much like HVAC commissioning requires functional performance test (FPT) narratives based on action-reaction, a security’s system required FPTs should be recommissioned annually, if not more often, to protect from potential security breaches. 

The security FPT manual should cover all aspects and responses to potential threats and vulnerabilities with the first responders following the FPT action-reaction. 

Schools deem fire drills necessary. HVAC security drills should also be required; otherwise, a security breach may occur, resulting in panic, untested reaction plans, and more severe consequences.

It’s safe to assume a cybersecurity crime will occur well before the next international pandemic, and this security breach, as we’ve seen before, may involve an HVAC system. At a minimum, design engineers, contractors, equipment suppliers, and building operators should take the time to read Chapter 41, “Computer Applications,” and Chapter 61, “HVAC Security,” in the ASHRAE 2019 HVAC Application Handbook. There is no excuse to not read these 24 pages today. 

Then, present your notes during in-house meetings and draft a building security mission statement, tactical plan policy, and procedural manual, while there’s still time.