Achieving resilience in the design of new facilities and the renovation of existing ones focuses on increasing the robustness of the structures and establishing the warranted redundancies needed to achieve the desired performance in response to hazards. Consideration of resourcefulness and recovery should also be part of the planning process, although these resilience components are more directly related to operational programs. This resource page addresses design considerations to increase resilience primarily through strengthening and configuration to minimize impact from natural and manmade hazard events.
Durability is the ability to resist wear and decay, to be lasting and enduring over time.
Durability for buildings depends on the quality of the design of the building. The physical condition of the building is, over time, dependent on the quality of the materials and systems used and the nature of how all elements are combined and installed to resist degrading in its normal environment as well as during extraordinary events.
Design strategies for durability look to these qualities and to anticipation of both normal and extraordinary events that might impact the viability of the building and its functions.
Design strategies for long-term viability are built on the choices affecting the ability of the building or facility to remain functional over time.
- Lessen the amount of required maintenance
- Design to extraordinary events beyond code
- Plan for upgrades and replacements
Each building system is first considered individually and designed to stand alone, but also is designed to work together in a whole building system. Knowing the level to which each system is designed and knowing the vulnerabilities inherent in each is the basis for its use.
The assessment of each system informs the design on how best it can be integrated into the whole where the vulnerabilities of each system are taken into account.
The goal for planning a resilient building is to design and construct integrated systems, to locate and protect critical elements of each system so as to enhance survivability, and facilitate maintenance and repair.
Climate change and variability are increasing the probability of adverse conditions and events both in frequency and severity. Building design standards that address durability are based on the best estimates of the probability of damaging events and then balancing the probability of those events against the investment it might require to address such occurrences.
Standards based on past performance and probability may not be adequate to address a rapidly changing climate or a sudden break from the "normal" past.
A resilient design strategy for any building needs to assess its particular environment and whether any of the potential climatic threats in that environment are likely to increase.
Even the less than extraordinary events that degrade buildings may increase and result in an increased need to repair and maintain elements of the building and site. These should be considered during the design phase so as to mitigate possible degradation.
Another aspect of resilience is the ability to maintain the technology of building functions. Critical design decisions include:
- Systems maintainability over time and ability to adjust to new and evolving systems
- Ease of replacing critical elements of a system
- Capability to add upgrades, or new systems
The relation between resilience and maintainability can be measured on at least two scales. One is the ease and cost effectiveness of regular maintenance; and the other is the ability to restore and maintain a system after a damaging event.
Design considerations for maintainability:
- Standardization and availability of systems or components.
- Ease of access for normal maintenance.
- Access for major maintenance and replacement of components.
- Resilience of logistics affecting service, maintenance and repair.
- Backup for inputs needed to operate systems; including energy, monitoring, control, and spare parts.
- Extent of inputs required for restoration and general maintenance.
Standalone buildings or systems may be less vulnerable to wide area disruptions and require little or no recovery from such events; but those same buildings may be less resilient in an event directly affecting that building. A balance must be struck between on-site resilience, which demands less of the surrounding community in recovery, and off-site resilience, which can support the recovery of each building.
Protection from natural hazard events is broadly identified as "safety" and is analyzed by hazard type. The type of load created by the hazard requires different responses from the building to withstand a threat event.
Gravitational and Lateral Loads
Buildings are required to withstand both gravity loads that act vertically and lateral loads that may either be in the form of wind pressures applied to the building envelope or base motions that generate inertial forces. Both types of these natural occurrences are correlated by statistical studies to determine the magnitude as a function of likelihood (or return period). As would be expected, the moderate levels of such lateral load effects occur frequently with very short return periods but the extreme levels of these lateral load effects are relatively infrequent. Because of this statistical variation in the magnitude of load effects, building codes provide both prescriptive and performance-based approaches to resist both moderate and extreme levels of these lateral load effects. Fundamental to the resistance of both wind and seismic loading is the presence of lateral load-resisting structural systems that are capable of withstanding the corresponding forces and moments and transferring the accumulated effects to the foundation. While these lateral load-resisting systems must be strong enough to prevent material failure or connection dismemberment, they must also be stiff enough to limit lateral sway motions and to prevent secondary P-Delta effects from precipitating global instabilities. Building structures must therefore satisfy both strength and serviceability requirements.
Wind loads are defined in terms of 3–second gust speeds and these velocities are related to design pressures. As wind gusts sweep across a landscape, caused by differential atmospheric pressures, they are influenced by the topography of the region and the density of objects (trees, buildings, etc.) at the ground surface. Wind velocities are found to be fairly constant above a "gradient height" that is determined by the terrain's exposure category, and drag effects reduce these velocities closer to the ground; the smoother the ground surface the lower the gradient height. Buildings are assigned risk categories based on their use and occupancy, and wind speed maps are assigned to each category along with a corresponding return period that ranges from once in 300 years for low hazard structures to once in 1700 years for assembly or essential structures. The wind speed maps account for the hurricane-prone regions along the Atlantic and Gulf coasts and the specified velocities are amplified accordingly.
Wind speeds are calculated at the elevation of the building and are factored by the effects of topographic directionality and the openness of the building envelope. Pressures are applied to either the windward face as an inward load or to the roof, sides, and leeward faces as a suction load. Openings in the façade will produce either internal pressures or internal suctions. Two sets of forces are calculated based on the calculated wind pressures: forces that are applied to the global lateral-load-resisting system and forces that are applied to local cladding and components. Globally, the net forces collected over the building surface are transferred through the floor diaphragms and these lateral loads are combined with the gravity loads when designing the lateral load resisting system. Locally, the cladding and component loads are used to design the façade elements.
Lateral-load-resisting systems may be composed of combinations of moment frames, braced frames, and shear walls. Moment frames rely on the interactive bending of beams and columns to develop the lateral stiffness whereas shear walls behave as stiff beams cantilevered from the foundation. Shear walls tend to be significantly stiffer than moment frame buildings and in most cases buildings with significant shear wall systems are treated as "sway inhibited" structures. Moment frame construction tends to be less stiff and there is greater concern for secondary P-Delta effects.
For rigid diaphragm buildings, such as concrete floor systems, the percentage of lateral force will be distributed to the various lateral-resisting components in proportion to the relative stiffness of the various lateral-resisting elements. For flexible diaphragm buildings, such as timber construction, the percentage of lateral force will be distributed in proportion to the tributary areas that are exposed to wind.
Buildings are not typically designed to resist tornados; however, buildings in tornado-prone areas often provide "safe rooms" or shelters as areas of refuge. The concept of shelter-in-place requires sufficient space internal to the building, away from the exterior façade, for the building population to assemble. Interior partitions should be constructed of debris-mitigating materials, preferably reinforced block walls.
Seismic forces are induced by the building components as the building's inertia resists the lateral base motions. These inertial forces are related to the base acceleration through Newton's Second Law of Motion (force equals the product of mass and acceleration). Similar to wind loads, seismic base acceleration maps define a short period (0.2 second) and long period (1 second) ground motion parameter. The maps are constructed to provide a uniform probability of hazard, corresponding to a 1 percent probability of collapse in 50 years. These ground motion parameters are multiplied by site coefficient factors, based on site classification, that either amplify or reduce the intensity of design ground acceleration. Since the induced seismic force depends to a great extent on the structure's frequency of vibration, the factored ground motion parameters are used to develop a design response spectrum that defines acceleration as a function of building period. In general, the design response spectrum is constant for relatively stiff buildings, decays inversely proportional to the building period for more massive or more flexible buildings and decays inversely proportional to the square of the building period for very flexible or very massive buildings.
Building occupancy types, ranging from low-hazard to assembly or essential structures, are used to define importance factors and risk categories. The importance factors are used to scale the intensity of the spectral values and the risk categories are used to define both the analytical methods and the structural systems that may be permitted for a range of building heights. Since earthquakes are extraordinary events that vary in intensity, buildings are expected to be undamaged in response to relatively low-intensity events but are permitted to sustain modest amounts of damage in response to much greater magnitudes of ground motion. In order to enable buildings to sustain these modest amounts of damage, they are required to adhere to relatively strict rules governing structural systems and detailing requirements. By adhering to these rules, the buildings will deform in a ductile manner that will permit large inelastic deformations that dissipate considerable amounts of energy prior to structural failure.
The different structural system types (bearing walls, building frame, moment frame, dual system secondary moment frames (SMF), dual intermediate moment frames (IMF), wall frame, and cantilever column) are permitted for specific risk categories and building heights with corresponding response modification coefficients and deflection amplification factors. In this manner, the appropriate level of ductile inelastic deformation is permitted in response to the most extreme ground motion. Moment-resisting frames, braced frames, and shear wall systems are depicted below. Detailing of the connections, splices, and other structural conditions are required to follow pre-approved and tested practices. Examples of seismic connections for concrete and steel moment frames are shown below. The rigorous analytical methodology and pre-approved detailing is the most effective means of designing structures to withstand extraordinary events and to make sure the details deliver the desired performance.
In order to minimize stress concentrations and eccentric load paths, both vertical and torsional irregularities should be minimized to the greatest extent possible. Similarly, the greatest uniformity in both mass and stiffness are desirable attributes for buildings that may have to resist seismic forces. The following images depict both a damaging torsional mode resulting from a horizontal irregularity and a soft story failure resulting from a vertical change in story stiffness.
Tsunamis and liquefaction are additional consequences of strong ground motions. Tsunamis are the result of fault movements within the ocean floor that propagate tidal waves to distant shores, hundreds (sometimes thousands) of miles away. When a large tsunami approaches a coastline, it may grow to hundreds of meters in height (runup height). The best disaster prevention measures for a tsunami-prone coast involve zoning that controls the types and sizes of buildings that, if any, are permitted. If a site has a high possibility of tsunami incursion, the designer should consider some of the design provisions against flood, such as elevating the building above an estimated waterline. Liquefaction causes water-saturated soil and sand to lose its bearing strength, which results in landslides and widespread foundation failures. Foundation engineers have developed technical methods for controlling liquefaction at a site which include site compaction, change of soil, and dewatering a site.
Flooding hazards are associated with water damage and hydrostatic loading on exposed surfaces. The base flood elevation (BFE) defines the elevation of the flooding, including wave height, with a 1 percent chance of exceedance in any year and the corresponding design flood elevation is provided in flood hazard maps produced by the regional authority having jurisdiction. Flood Insurance Rate Maps (FIRMs) are produced by the Federal Insurance and Mitigation Administration to define special flood hazard areas and risk premium zones. Waterproofing must be comprehensive up to the design flood elevation in order to protect property within the building. The structure must be able to withstand the hydrostatic loads, hydrodynamic loads, wave loads, and debris impact loads. Hydrostatic forces are based on the weight of standing water that increases with depth and hydrodynamic forces account for the effects of moving water. Wave loads are associated with the periodic cresting and falling of the water surface; these waves may "break" against the structure. As upstream debris from damaged structures is swept up in the flood waters, downstream buildings become vulnerable to debris impact.
Design level flood loads are based on hurricane-generated storm tides but these loads only apply when the water level exceeds the local ground elevation. As a result, the statistical characteristics of flood loads depend on the ground elevation. Flood loads may be applied laterally to the vertical surfaces that resist the water pressure and as uplift to horizontal surfaces beneath the design flood elevation. Walls and slabs subjected to flood loads must be adequately reinforced and braced to resist the resulting pressures.
Making a building flood resistant involves the use of resilient materials, which must be resistant to excessive humidity and require no more than cleaning and cosmetic repair following three days (or more) contact with floodwaters. Some of the flood-resistant materials include glazed brick, concrete, concrete block, glass block, stone with waterproof grout, naturally decay-resistant lumber, marine grade plywood, and cement board. A more detailed list of flood damage-resistant materials may be found in FEMA Technical Bulletin 2. All structural interfaces below the flood level, such as building foundations and equipment, must be adequately anchored to resist buoyancy uplift forces and lateral movement. Mechanical, plumbing, and electrical systems must be moved above the flood level so as to protect heating, ventilation, plumbing appliances, ducts, electrical panels, meters, and switches. Waterproof enclosures and coatings may be required where sensitive equipment cannot be moved.
In addition to flood waters inundating a property and the forces they may impose, flooding often causes sanitary sewer lines and waste water systems to back-up and cause additional damage. Backflow and automatic shut-off valves must be installed on any pipes that leave the building or connected to equipment below the base flood elevation. Fuel supply lines must be equipped with float-operated automatic shutoff valves.
Fire is among the most common catastrophic hazards in the United States. According to the National Fire Protection Association (NFPA), in 2013 U.S. fire departments responded to over a million fires that caused over 3,000 civilian fire fatalities, nearly 16,000 civilian fire injuries and an estimated $11.5 billion in direct property loss. Passive and automatic fire protection systems are effective in detecting, containing, controlling, and extinguishing a fire in its early stages. Designers must take an integrated systems approach to address the four primary sources of fire: natural, manmade, wildfire and incidental. While code compliance will protect against loss of life and limit fire impact on the community, it doesn't necessarily protect the building assets and, as a result, additional considerations should be integrated with the minimum required fire safety measures. The inclusion of a fire protection engineer on the design team will produce a performance-based design approach that addresses both the code mandated requirements and project specific criteria. The Society of Fire Protection Engineers (SFPE) and NFPA published the Engineering Guidelines to Performance-Based Fire Protection Analysis and Design of Buildings.
Fire protection involves the construction type and size of a project, exposures, and separation requirements, fire ratings of materials and systems, occupancy types, interior finishes, and exit stairway enclosures. Additional considerations are the remoteness of exit stairways, exit discharge locations, areas of refuge, accessibility of exits, fire detection, notification, and system survivability. The design of fire suppression systems addresses the adequacy of water supply, automatic fire extinguishing systems, standpipes, and fire department hose outlets. Emergency power, lighting, and exit signage must be survivable.
Fire protection engineering is a multidisciplinary field that coordinates mechanical (sprinklers, standpipes, smoke control), electrical (fire alarm), architectural (egress systems) and structural (fire-resistant design) professionals in a comprehensive strategy. In addition to satisfying prescriptive codes and standards, the fire protection engineer will apply equivalency or alternate methods to portions of the building to achieve the fire safety goals while preserving project-specific aesthetics and functionality.
Sustained and prolonged exposure to elevated temperatures weakens structural materials and precipitates collapse as shown in the figure below. Fireproofing materials are therefore used to insulate the structural materials to minimize the heat gain and to delay the weakening of the structure. Steel is most susceptible to elevated temperatures and fireproofing materials may be cementitious (such as concrete encasement), board systems (such as calcium silicate and gypsum), spray-on systems and intumescent paints. Each system has advantages and disadvantages, which dictate their use. However, the effectiveness of each system is established through extensive testing in fire labs under controlled conditions. Hollow steel sections can be filled with concrete to improve fire performance and in rare occasions, hollow sections have been filled with water.
Although concrete materials are less vulnerable to sustained heat, concrete spall can leave reinforcing steel exposed to sustained high temperatures and weaken the structure. Adequate thicknesses of concrete cover will limit the potential for reinforcing steel to be damaged before a fire can be brought "under control." Examples of different fireproofing details are shown in the figures below.
A physical attack against a facility, its assets, or its occupants, may potentially disrupt building operations and functionality. The duration and magnitude of disruption will depend on the type of attack (vandalism up through weapons of mass destruction), the areas/functions/personnel impacted, and the mitigation measures in place at the time of the attack. A facility may also experience collateral effects of an attack on a nearby facility, including a potentially similar level of disruption. Inclusion of appropriate security and hardening features into the site and facility design will aid in providing robustness against such attacks, resulting in a more resilient facility.
Design provisions should also be considered for maintaining an appropriate post-event security posture for the facility after a disruptive event has occurred (including deliberate physical attack, accident, or natural hazard).
Explosions can be generated from a variety of sources and conditions, and can be intentional (e.g. terrorist attack) or accidental (e.g. chemical plant malfunction). An explosive event results in a blast wave or shock front that expands outward in all directions at high velocity that will produce time-variant pressure loads on any surface that is directly or indirectly exposed to the blast wave as it expands. These loads can vary significantly across a building's exterior surfaces based on the size, geometry, and location of the building. Explosions can also be either external or internal to the building. The two must be treated differently, as effects from reflections and gas pressure buildups are typically more pronounced in an interior blast event.
There are three ways to approach blast protection for buildings:
- Reduce the blast loading on the facility
  - Increase standoff to the facility, and/or
  - Decrease the design basis explosive charge size
- Structurally harden the facility
- Accept a higher level of damage/risk for the facility
One or more of these constraints are typically fixed for design projects, which limits available options for blast resistance.
Blast design considerations for exterior explosive threats include:
- Perimeter protection (standoff distance, vehicle barrier design, screening)
- Structural response (walls, slabs, roofs, frames/columns, foundation)
- Windows (glass, frames, and attachments)
- Fragments (primary and secondary)
Blast design considerations for interior explosive threats include:
- Confined volume
- Location (basement, exterior room)
- Windows (glass, frames, and attachments)
- Structural response (walls, slabs, framing/columns)
- Proximity to critical systems or personnel
- Fragments, fire, smoke damage
A balanced design approach through ductile response and detailing should be a goal of the design. This approach achieves optimal blast resistance through a series of controlled failures, wherein secondary elements fail before stronger primary support elements in a progressive manner. As structural response for blast loading involves complex interactions of responding components, blast designers and vendors of blast mitigation products should provide test results and/or analytical calculations demonstrating the design/product will perform as intended. Due to the wide range of potential blast loads and levels of protection, specific protection details are often developed on a project-by-project basis. However, the following measures can help mitigate hazards for critical life-safety systems.
Provide at least one bay of standoff between critical infrastructure systems (fire, water, power, communications, alarms, etc.) and vulnerable locations such as the building exterior, lobbies, mail rooms, loading docks, and the like.
Infrastructure systems should be provided in hardened utility risers. Isolate critical infrastructure systems from riser walls that may be exposed to either direct or indirect (infill) blast loads.
Chemical and Biological Protection
Protection against chemical and biological agents can be implemented at both a point level and a system level. Primary methods of transmitting such agents throughout a building are airborne delivery via building HVAC systems, and waterborne delivery via building freshwater systems.
Design considerations for point-level protective measures for building HVAC systems include:
- Providing fences, walls, gates, or other barriers to prevent unauthorized access to restricted areas and/or equipment
- Elevating HVAC air intakes, typically at the upper floors or roof level, to make them inaccessible and to mitigate the impact of chemical agents which may be more dense than air and settle near the ground or low-lying locations
- Installing detection devices at or near air intakes to detect released agents
- Installing particulate and adsorption filters (HEPA and MERV 10 to 13 or higher) at air handling units
Design considerations for system-level protective measures for building HVAC systems include:
- Locating critical systems and areas at least one bay away from loading docks, entrances, mailrooms, personnel, and package screening locations, and uncontrolled parking
- Protecting the system controls from unauthorized access
- Providing separate isolated HVAC systems in lobbies, loading docks, mailrooms, and other locations susceptible to chemical and biological attack
- Installing an emergency shutoff and exhaust system for air handlers
- Controlling movement of elevators, and closing applicable doors and dampers to seal the building
- Designing emergency exits to discharge outside and not into a lobby which is a potential agent release site.
Design considerations for protection of building freshwater systems include:
- Providing building-level filtration and treatment systems
- Providing locked points of access
- Installing point-of-use filters
- Installing backflow prevention devices
Radiological and Nuclear Protection
Radioactive fallout is produced by dirt and debris swept up in the rising fireball of a nuclear detonation. Radioactive material fuses with the debris in the fireball and subsequently falls on buildings and ground, where it causes a radiation hazard to nearby populations and can contaminate a large area. The area of deposition depends on several factors: device yield, weather pattern, height of burst, surrounding environment, and other factors. Regardless, the primary concerns for the affected buildings are 1) radiation hazard to the inhabitants and 2) long-term surface contamination.
For the indoor population, fallout radiation presents a hazard primarily through gamma-ray exposure. The protection, or reduction in the radiation dose rate, afforded by the building for inhabitants depends on the distance and the mass between inhabitants and fallout deposits. In a multistory building, interior rooms afford better protection than rooms closer to windows, exterior walls, and entryways. In addition, buildings constructed with heavier frames and panels afford greater protection than light-framed buildings; for example masonry buildings afford greater protection against fallout radiation than wood frame houses. In fact, because of both distance and mass considerations, the basement of a building often is the most sheltered location against fallout radiation. The protection afforded by a building is indicated by its protection factor, which is determined by the ratio of exterior to interior exposure. A higher protection factor indicates greater protection. A graphical illustration of the protection factor afforded by various types of buildings and locations inside a building is shown in the figure below.
Aside from protecting the inhabitants from radiation exposure, remediation of contamination on building surfaces is another major concern for buildings exposed to fallout particles. Depending on the surface composition of the building, certain elements from fallout particles may chemically bond with building surfaces. For example, radioactive cesium may migrate and bond in concrete. Soil and vegetation may also be difficult to clean up if exposed to fallout particles. Exterior building materials that are nonporous and can be easily cleaned with aqueous solutions will aid in decontamination. In addition, replaceable panels, such as vinyl siding, can help mitigate long-term contamination concerns following a building's exposure to fallout particles.
While protection from radiological effects may be achieved at varying levels using standard building construction and best practices as described above, protection from direct nuclear detonation requires extreme hardening measures to resist the demands placed on the facility such as airblast, ground shock, thermal radiation, and electromagnetic pulse. Design for such environments is very costly and is typically reserved for facilities requiring survival from nuclear attack.
Ballistic-resistant design considerations include:
- Underwriters Laboratories (UL) or National Institute of Justice (NIJ) rated window glazing (typically several inches thick with multiple glass, polycarbonate, and laminate layers).
- UL or NIJ rated doors
- Tested steel inserts placed in window and doorframes
- Wall panels/materials tested to the desired level of protection with detailing for panel-to-panel seams. Note that most standard or layered building materials do not currently have standard ratings for ballistic resistance.
Vendors of ballistic mitigation products should provide test results demonstrating the design/product will perform as intended.
Forced Entry/Physical Attack Resistance
Forced entry design considerations for exterior physical attack include:
- Door and frame assemblies, including sidelights, door glazing, door louvers, and corresponding hardware (locks and latch sets, hinges, strikes, door closers, and frame anchors)
- HVAC and related ventilation louvers
- Window systems, including glazing and framing, frame anchors, deal trays, pass-through drawers, and speaking apertures
- Walls and wall panel systems
Validation of forced entry systems is performed through testing, typically using methods developed by the U.S. State Department, ASTM, and others. Ratings requirements should be provided in the project specifications and are typically defined in terms of method of physical attack and minutes of protection provided against such attack. Vendors of forced entry systems should provide test results showing compliance with the desired level of protection. Systems validated through testing should be installed using the configuration under which they were tested.
The Target Stores data hack in 2013 brought increased attention to the network connectivity of facilities/buildings operations and maintenance vendors, the organization's business IT systems, and the facility/building control systems.
Buildings are increasingly relying on building control systems with embedded communications technology, with such technology enabled via the Internet. These systems provide critical services that allow a building to meet the functional and operational needs of building occupants, but they can also be easy targets for hackers and people with malicious intent. Attackers can exploit these systems to gain unauthorized access to facilities, use them as an entry point to the traditional information technology (IT) systems and data, cause physical destruction of building equipment, and expose an organization to significant financial obligations to contain and eradicate malware or recover from a cyber event.
The facility/building control systems such as the Building Automation Systems (BAS), Energy Management Systems (EMS), Physical Security Access Control Systems (PACS), and Fire Alarm Systems (FAS) are just beginning to be considered as potential hacking points into an organization. These control systems are often referred to as Operational Technologies (OT). They use traditional IT protocols such as TCP and UDP, but also protocols unique to control systems, such as Modbus, BACnet, LonTalk, and DNP3, to communicate with the sensors, devices, and actuators.
IT is about data; OT is about controlling machines, and OT is increasingly becoming Internet Protocol (IP)-based. The Internet of Everything, Smart Grid, Smart Cities, Smart Buildings, and Smart Cars are redefining the boundary between IT and OT. As the IT and OT systems have converged, so have the risks and vulnerabilities: an OT system can be hacked, used as a point of entry, and then used to pivot up the network and take control of other system assets.
Comparing IT and OT Systems
| |Information Technology|Operational Technology|
|---|---|---|
|Purpose|Process transactions, provide information|Control or monitor physical processes and equipment|
|Architecture|Enterprise wide infrastructure and applications (generic)|Event-driven, real-time, embedded hardware and software (custom)|
|Interfaces|GUI, Web browser, terminal and keyboard|Electromechanical, sensors, actuators, coded displays, hand-held devices|
|Ownership|CIO, IT|Engineers, technicians, operators and managers|
|Connectivity|Corporate network, IP-based|Control networks, hard wired twisted pair and IP-based|
|Role|Supports people|Controls machines|
The National Institute of Standards and Technology (NIST) has been a primary source of IT cyber standards and guides. The NIST SP 800-37 and NIST SP 800-53 publications, the SANS Top Twenty controls, and ISO standards have been used by both government and industry as IT best practices for many years.
Key Cyber Issues
- Building control system protocols such as Modbus, BACnet, and LonTalk are not encrypted or authenticated
- Many system integrators do not employ basic cyber hardening of the IT front end of the control systems
- Many operator log-in Web portals use HTTP (port 80) and not HTTPS (port 443)
- Social engineering and phishing of facility operators and maintainers will likely succeed; there are limited tools to prevent or identify the exploit
- NIST SP 800-82 R2 Industrial Control Systems Security Guide provides guidance and best practices
- Tools like Kali Linux, DHS CSET, Shodan, Sophia, and Diggity need to become part of the facility tool bag
- Continually monitor and conduct security audits of the building control systems
Control System Cyber Exploits Increasing in Number and Complexity
On the OT side, the ISA 99 and NIST SP 800-82 Rev 2 Industrial Control Systems Security Guide provide the standards and guides for Industrial Control Systems (ICS)1. (Note that the NIST definition of ICS includes a wide range of control systems; an emerging term to categorize these converged systems is Cyber-Physical Systems, or CPS.) ICS and OT have traditionally not received the same level of cyber scrutiny as the IT systems; however, malware such as Stuxnet, Duqu, and Flame is now specifically designed to infect the OT components and devices at the firmware or project file level, and then inject false commands to spoof the operators' Human Machine Interface (HMI) console, establish a command and control channel to exfiltrate data (technical specifications, floor plans, drawings, etc.), create botnets, or physically destroy the equipment and other IT systems.
Defending Building Control Systems
A Cybersecurity Resource Page has been added to the Whole Building Design Guide. All facility/building owners, property managers, and engineering and security staff are highly encouraged to understand the basic principles of NIST SP 800-82 R2, know how to use the DHS CSET tool, understand how Shodan, Kali Linux, SamuraiSTFU, and other tools work for penetration testing, and prepare to adopt new acquisition and procurement processes in their organizations. Whereas the IT community has had almost two decades to learn and implement cybersecurity, the OT community will have an accelerated learning curve and will need to work closely with senior management, IT, and other stakeholders to properly cyber-secure their assets.
Every building owner should have a building cybersecurity strategy and have the following key documents that cover both the IT and OT assets:
- System Security Plan (SSP);
- Plan of Action and Milestones (POAM);
- Information Technology and Concept of Operations Plan (ITCP);
- Incident Communications Procedures (ICP);
- Security Auditing Plan (SAP)
DHS ICS-CERT maintains the list of vulnerabilities and alerts for control systems and publishes the Cyber Security Evaluation Tool (CSET). CSET is free of charge to any organization; it contains standards, guides, references, networking diagram tools, and compliance evaluations, and can generate System Security Plans and other key documents.
Another effort being led by the DHS Interagency Security Committee is the Securing Government Assets through Combined Traditional Security and Information Technology White Paper. This document outlines the Risk Management Framework process applied to Physical Security systems such as Closed-Circuit Video Equipment (CCVE) or video systems, Intrusion Detection Systems (IDS), and electronic Physical Access Control Systems (PACS). Key to the recommendations is to bring the physical security specialists, facility engineers and managers, IT, system integrators, and property owner to the table to conduct assessments and develop System Security Plans. Another key change is to the procurement process: initiate the converged systems baseline risk assessment in the planning and design phases, conduct Factory Acceptance Testing (FAT) in the construction phase, and conduct full Site Acceptance Testing (to include penetration testing) for system turnover.
An underlying fundamental concept of the NIST SP 800-82 Rev 2 Industrial Control Systems Security Guide is the concept of "Inbound Protection and Outbound Detection". All control systems should be on a separate network with multiple levels of DMZs (perimeter networks aka demilitarized zones) and subnetworks.
The security audit process documentation details the steps taken to verify that an organization's software and hardware are functioning as intended, event and audit logs are reviewed, potential vulnerabilities are identified and addressed, patch management is current, continuous monitoring is functional, and indicators of compromise or exploit are identified and appropriate action is taken in a timely manner. The security audit process is done on a monthly basis, and its results are compared to previous and baseline configurations to identify any systemic changes. This document is used in conjunction with the IT policies and procedures, ITCP, and ICP documents.
The security team needs to get all building control systems properly configured and the team registered with ICS-CERT to get Alerts and Advisories, and they need to exercise the ITCP at least annually to defend against the increasing likelihood that building control systems will be exploited.
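The monthly comparison against baseline configurations, together with two of the Key Cyber Issues listed earlier (HTTP log-in portals and unauthenticated control protocols), can be automated over a service inventory. The following is an added example, not part of the original page or of any tool it names; the inventory fields, zone labels, addresses, and default port numbers are assumptions supplied for illustration.

```python
"""Monthly building-control audit: compare a service inventory with its baseline."""
from dataclasses import dataclass

# Default ports of OT protocols that carry no encryption or authentication.
# The page names the protocols; the port numbers are added here as assumptions.
CLEARTEXT_OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 20000): "DNP3",
}

@dataclass(frozen=True)
class Service:
    host: str      # device or server address
    zone: str      # network segment: "ot", "dmz" or "it" (hypothetical labels)
    proto: str     # "tcp" or "udp"
    port: int
    firmware: str  # version string recorded at audit time

    @property
    def key(self):
        return (self.host, self.proto, self.port)

def diff_against_baseline(baseline, current):
    """Return service keys added, removed, or changed since the baseline."""
    old = {s.key: s for s in baseline}
    new = {s.key: s for s in current}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def policy_findings(current):
    """Flag cleartext OT protocols outside the OT zone and HTTP listeners."""
    findings = []
    for s in current:
        name = CLEARTEXT_OT_PORTS.get((s.proto, s.port))
        if name and s.zone != "ot":
            findings.append((s.host, f"{name} reachable outside the OT network ({s.zone})"))
        if s.proto == "tcp" and s.port == 80:
            findings.append((s.host, "portal listening on HTTP (port 80), not HTTPS"))
    return sorted(findings)

# Constructed sample inventories (not real devices).
BASELINE = [
    Service("10.20.0.5", "ot", "udp", 47808, "4.1"),   # BAS controller
    Service("10.20.0.9", "ot", "tcp", 502, "2.3"),     # energy meter
    Service("10.10.0.2", "dmz", "tcp", 443, "7.0"),    # operator portal
]
CURRENT = [
    Service("10.20.0.5", "ot", "udp", 47808, "4.2"),   # firmware differs from baseline
    Service("10.10.0.2", "dmz", "tcp", 443, "7.0"),
    Service("10.10.0.2", "dmz", "tcp", 80, "7.0"),     # new HTTP listener
    Service("10.10.0.7", "dmz", "tcp", 502, "1.0"),    # Modbus gateway placed in the DMZ
]

if __name__ == "__main__":
    for kind, keys in diff_against_baseline(BASELINE, CURRENT).items():
        for host, proto, port in keys:
            print(f"{kind:8} {host} {proto}/{port}")
    for host, message in policy_findings(CURRENT):
        print(f"FINDING  {host}: {message}")
```

Each "changed" or "added" entry is a prompt to check the change against the patch-management record; an unexplained one is treated as a potential indicator of compromise.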
Security Planning and Design: Continuing Education
Security planning and design is an important area of expertise for architects and engineers, and will likely remain so for the foreseeable future. As acceptable security planning and design approaches and best practices continue to evolve, the role of continuing education, especially with regard to professional licensure and protecting public health, safety, and welfare, will take on greater urgency.
However, it is possible that security planning and design issues and related guidelines may not filter into academic programs or professional licensing examination criteria for several years. Students, emerging professionals, and seasoned practitioners alike must understand that what they once learned in school may be superseded by ongoing research, changing building codes, and industry standards that are developed in response to previously unimaginable acts of terrorism, natural disasters, and other catastrophic events.
Because security design elements are subject to change, especially regarding codes, technology, insurance policies, construction costs, types of threats, local and regional regulations, and a variety of other factors, architects should be familiar with security design best practices. Continuing education opportunities include books, magazine articles, newsletters, newspapers, websites, conferences, seminars, industry organizations, and recommendations from public agencies.
The NIST Report
On June 23, 2005, almost four years after September 11, 2001, the U.S. National Institute of Standards and Technology (NIST) released a final draft report on the World Trade Center (WTC) disaster, along with 30 recommendations for improving building security. The two-year, $16 million federal study included 200 building science, engineering, and code experts. NIST is a federal regulatory agency, without enforcement power.
The NIST Report is the product of the Federal Building and Fire Safety Investigation of the World Trade Center Disaster. Grouped into eight categories, the recommendations are based on the agency's scientific analyses of the fires and collapses of the Twin Towers, and lessons learned from September 11, 2001.
The findings address issues relating to the collapse of the Twin Towers. Some of the recommendations will be debated by segments of the building industry and the real estate community for years to come, perhaps without consensus. Nevertheless, the findings provide a framework of issues to be studied for enhancing building security in the future. See the NIST WTC website at http://wtc.nist.gov for the full study and the complete list of recommendations.
An abbreviated summary of categories and recommendations includes the following:
Increased Structural Integrity
The standards for estimating load effects of potential hazards, such as progressive collapse and high winds, and the design of structural systems to mitigate the effects of those hazards, should be provided to enhance structural integrity.
Enhanced Fire Resistance of Structures
The procedures and practices used to ensure the fire resistance of structures should be enhanced by improving the technical basis for construction classifications and fire-resistance ratings; improving the technical basis for standard fire-resistance testing methods; using the "structural frame" approach to fire-resistance ratings; and developing in-service performance requirements and conformance criteria for spray-applied fire-resistive materials (SFRMs, commonly referred to as "fireproofing" or "insulation").
New Methods for Fire-Resistance Design of Structures
The procedures and practices used in the design of structures for fire resistance should be enhanced by requiring that uncontrolled fires result in burnout without local or global collapse. Performance-based methods are an alternative to prescriptive design methods. This effort should include:
- The development and evaluation of new fire-resistive coating materials and technologies
- The evaluation of fire performance of conventional and high-performance structural materials, such as fire-resistant steel and concrete
- The elimination of technical and standards barriers to the introduction of new materials and technologies
Active Fire Suppression
Active fire-suppression systems, such as sprinklers, standpipes, hoses, fire alarms, and smoke management systems, should be enhanced through improvements to design, performance, reliability, and redundancy of such systems.
Recommendations in this group include use of real-time secure transmission of data from fire alarm and other monitored building systems for use by emergency responders at any location, and presentation of that information, either off-site or in a black box that can survive a fire or other building failure. The use of a black box would parallel those used in aircraft to provide technical data, especially after a disaster or significant event.
Improved Building Evacuation
The process of evacuating a building should be improved to include system designs that facilitate safe and rapid egress; methods for ensuring clear and timely emergency communications to occupants; better occupant preparedness for evacuation during emergencies; and incorporation of appropriate egress technologies.
Recommendations in this group address some of the problems that occurred on September 11, 2001, including:
- Improving occupant preparedness for building evacuations through joint and nationwide public educational programs
- Designing tall buildings to accommodate full-building evacuation of occupants if needed, including stairwell and exit capacity that accommodate counter-flow due to access by emergency responders
- Using pagers and cell phones for broadcast warning systems and Community Emergency Alert Networks
- Evaluating for future use such advanced evacuation technologies as protected and hardened elevators, exterior escape systems, and stairwell navigation devices
Improved Emergency Response
Technologies and procedures for emergency response should be improved to enable better access to buildings, response operations, emergency communications, and command and control in large-scale emergencies.
Improved Procedures and Practices
The procedures and practices used in the design, construction, maintenance, and operations of buildings should be improved to encourage code compliance by nongovernment and quasi-government entities; adoption and application of egress and sprinkler requirements in codes for existing buildings; and retention and availability of building documents over the life of a building.
Education and Training
The professional skills of building and fire safety professionals should be upgraded through a national education and training effort for fire protection engineers, structural engineers, and architects.
NIST advocates designing tall buildings to accommodate full-building evacuation, with wider stairwells and exit capacity for first responders and occupants. The number, location, and stair widths in the Twin Towers were critical in determining how rapidly thousands of people evacuated the buildings, and were part of the detailed analysis.
The NIST report urges that immediate and serious consideration be given to these issues, by the building and fire safety communities, especially designers, owners, developers, codes and standards development organizations, regulators, fire safety professionals, and emergency responders.
NIST urges building owners and public officials to:
- Evaluate the safety implications of these recommendations against their existing building inventory
- Take necessary steps to mitigate any unwarranted risks without waiting for changes to occur in codes, standards, and practices
NIST further urges state and local agencies to rigorously enforce building codes and standards, since enforcement is critical to ensure the expected levels of public safety.
Global terrorism, natural disasters, and crime have underscored the need for design professionals to understand and apply security planning and design criteria to new construction, renovations, and existing facilities.
As the building industry develops new codes, standards, materials, and best practices, design professionals will be expected to maintain a high level of expertise to protect public health and safety. Public and private sector building owners and landlords will increasingly demand a range of security measures for their facilities, perhaps as required under local building codes, law enforcement directives, liability and insurance policies, or even by legislation.
Thus, the standard of care regarding building security will evolve, especially if more catastrophic events occur, and as the resulting litigation passes through the American court system. Design professionals who participate in continuing education programs relating to security planning, and who collaborate with a skilled security planning team, will be better prepared to protect the public and society from future acts of terrorism, natural disasters, and catastrophic events.
Sustainability focuses on decreasing the environmental impact of a building's construction and operation. That focus results in design strategies that decrease overall energy and material use and incorporate renewable resources wherever possible. Sustainability can play an important part in overall resilience by improving the ability of buildings to withstand threats, and recover from damaging events.
Energy and Environmental Impact
Reducing energy and other resource consumption and waste generation during the building process and in building operation reduces the impact on the environment and contributes positively to sustainability of the design.
- Lower energy demands to decrease size and vulnerability of supporting infrastructure
- Prioritize energy use to aid response and recovery from damage
- Renewable materials that lessen the impact of providing materials for repair and restoration
- Renewable and recyclable materials to lessen the impact of disposal and replacement
- Maximize use of available natural resources.
Interaction with Resilience Strategies
Sustainability strategies can be cross-purposed with resilience strategies in many aspects of building and site design. Site selection and design are important aspects of both sustainable and resilient design.
- Avoid areas and sites of greater environmental vulnerability from water, fire, and wind threats.
- Maintain natural barriers and systems that prevent damage from environmental threats.
- Implement water management and natural water flow and drainage to both lessen environmental impact and to protect buildings from such events.
- Install renewable on-site energy production to maintain operations.
- Employ water and rainwater reuse and recycling to enhance potable and non-potable availability pre- and post-event.
- Use natural systems to improve the building's ability to recover operations.
1 [The NIST definition of ICS includes a wide range of control systems; an emerging term to categorize these converged systems is Cyber-Physical Systems (CPS)]