Comment On This Page
Related Resource Pages
View Resource Page Index
This page contains document links to Construction Criteria Base
Home > Design Guidance > Design Objectives > Secure / Safe

Secure / Safe

by the WBDG Secure / Safe Committee

Last updated: 09-06-2012

Within This Page

Overview

The design and construction of secure and safe buildings (minimal danger or risk of harm) continues to be the primary goal for owners, architects, engineers, project managers, and other stakeholders. In addition to those listed, other stakeholders include: construction managers, developers, facilities managers, code officials, fire marshals, building inspectors, city/county/state officials, emergency managers, law enforcement agencies, lenders, insurers, and product manufacturers. Realizing this goal is often a challenge due to funding limitations, resistance from the occupants due to impacts on operations, productivity and accessibility, and the impacts on the surrounding environment and building architecture due to perimeter security, hardening, and standoff requirements. Understanding the impact site security has on the overall security of the building is important as well. A balance between the security and safety goals and the other design objectives and needs of the facility can be attained. The establishment of an integrated design process where all of the design team members understand each other's goals can aid in overcoming these challenges and will lead to the development of a solution which addresses all of the requirements. Understanding the interrelationship with the other WBDG design objectives (i.e., Sustainable, Aesthetics, Cost-Effective, Historic Preservation, Accessible, Functional / Operational and Productive), early in the design process, is an essential step in overcoming the obstacles commonly encountered in the achievement of a secure and safe building.

Exterior of National Museum of the American Indian

Exterior of National Museum of the American Indian—Washington, DC

Designing buildings for security and safety requires a proactive approach that anticipates—and then protects—the building occupants, resources, structure, and continuity of operations from multiple hazards. The first step in this process is to understand the various risks they pose. There are a number of defined assessment types to consider that will lead the project team in making security and safety design decisions. This effort identifies the resources or "assets" to be protected, highlights the possible perils or "threats," and establishes a likely consequence of occurrence or "risk." This assessment is weighed against the vulnerabilities specific to the site or facility. Based on these assessments and analysis, building owners and other invested parties select the appropriate safety and security measures to implement. Their selection will depend on the security requirements, acceptable levels of risk, the cost-effectiveness of the measures proposed for total design efficiency, evaluation of life cycle cost, and the impact these measures have on the design, construction, and use of the building.

Hazard Mitigation refers to measures that can reduce or eliminate the vulnerability of the built environment to hazards, whether natural or man-made. The fundamental goal of hazard mitigation is to minimize loss of life, property, and function due to disasters. Designing to resist any hazard(s) should always begin with a comprehensive risk assessment. This process includes identification of the hazards present in the location and an assessment of their potential impacts and effects on the built environment based on existing or anticipated vulnerabilities and potential losses. When hazard mitigation is implemented in a risk-informed manner, every dollar spent on mitigation actions results in an average of four dollars' worth of disaster losses being avoided.

It is common for different organizations to use varying nomenclature to refer to the components of risk assessment. For example, actual or potential adversary actions such as sabotage and terrorist attacks are referred to as "threats" by the law enforcement and intelligence communities, while natural phenomena such as hurricanes and floods are generally referred to as "hazards" by emergency managers; however, both are simply forces that have the potential to cause damage, casualties, and loss of function in the built environment. Regardless of who is conducting the risk assessment, the fundamental process of identifying what can happen at a given location, how it can affect the built environment, and what the potential losses could be, remains essentially the same from application to application.

Integrating Safe and Secure Design

There are times when design requirements addressing all the various threats will pose conflicts in arriving at acceptable design and construction solutions. Examples include Blast Resistive Glazing, which may impede emergency egress in case of fire; access control measures that prevent intrusion, but may also restrict emergency egress; and Leadership in Energy and Environmental Design (LEED) light pollution reduction and security lighting objectives. Conversely, site design and security can complement each other such as the design of a storm water management requirement that doubles as a vehicle barrier. Good communication between the design team, fire protection and security design team specialists through the entire design process is necessary to achieve the common goal of safe and secure buildings and facilities.

Most security and safety measures involve a balance of operational, technical, and physical safety methods. For example, to protect a given facility from unwanted intruders, a primarily operational approach might stress the deployment of guards around the clock; a primarily technical approach might stress camera surveillance and warning sirens; while a primarily physical approach might stress locked doorways and vehicle barriers. In practice, a combination of approaches is usually employed to some degree and a deficiency in one area may be compensated by a greater emphasis in the other two.

In addition to the operational/technical/physical taxonomy, it is useful to characterize risk reduction strategies as either structural or non-structural. Structural mitigation measures focus on those building components that carry gravity, wind, seismic and other loads, such as columns, beams, foundations, and braces. Examples of structural mitigation measures include building material and technique selection (e.g., use of ductile framing and shear walls), building code compliance, and site selection (e.g., soil considerations). In contrast, non-structural strategies focus on risks arising from damage to non-load-bearing building components, including architectural elements such as partitions, decorative ornamentation, and cladding; mechanical, electrical, and plumbing (MEP) components such as HVAC, life safety, and utility systems; and/or furniture, fixtures and equipment (FF&E) such as desks, shelves, and other material contents. Non-structural mitigation actions include efforts to secure these elements to the structure or otherwise keep them in position and to minimize damage and functional disruption. These measures may be prescriptive, engineered, or non-engineered in nature.

It should be noted that in any given building, non-structural components, including general building contents, typically account for over three-quarters of the cost of a building; this figure can be even higher for specialized occupancies such as medical facilities. Additionally, structural and non-structural components can potentially interact during an incident, requiring a deliberative approach to implementing a comprehensive agenda of structural and non-structural mitigation actions.

Consistent with areas of professional responsibility, it is useful to identify four fundamental principles of all-hazard building design:

  • Plan for Fire Protection
    Planning for fire protection for a building involves a systems approach that enables the designer to analyze all of the building's components as a total building fire safety system package.
  • Protect Occupant Safety and Health
    Some injuries and illnesses are related to unsafe or unhealthy building design and operation. These can usually be prevented by measures that take into account issues such as indoor air quality, electrical safety, fall protection, ergonomics, and accident prevention.
  • Natural Hazards and Security
    Each year U.S. taxpayers pay over $35 billion for recovery efforts, including repairing damaged buildings and infrastructure, from the impacts of hurricanes, floods, earthquakes, tornados, blizzards, and other natural disasters. A significant percentage of this amount could be saved if our buildings properly anticipated the risk associated with major natural hazards.
  • Provide Security for Building Occupants and Assets
    Effective secure building design involves implementing countermeasures to deter, detect, delay, and respond to attacks from human aggressors. It also provides for mitigating measures to limit hazards to prevent catastrophic damage and provide resiliency should an attack occur.

Note: Information in these Secure/Safe pages must be considered together with other design objectives and within a total project context in order to achieve quality, high performance buildings.

Back to top

Related Issues

Information Sensitivity

As a result of the heightened level of interest in homeland security following the attacks of 11 September 2001, the public is even more interested in efforts to protect people, buildings, and operations from disasters. This interest presents both benefits and challenges, because much of the same information that can be used to gather support for mitigation can also be of use to potential terrorists, saboteurs, or others with malevolent intent. For that reason, project delivery teams must carefully maintain the security of any information that pertains to vulnerabilities or facility infrastructure particularly when the building is part of a critical infrastructure or system. Per Department of Homeland Security (DHS), critical infrastructure is defined as "the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof." The Department of Homeland Security Protected Critical Infrastructure Information Program (PCII) was developed as an information-protection program that enhances information sharing between the private sector and the government. PCII is used by DHS and other federal, state and local organizations to analyze and secure critical infrastructure and protected systems, identify vulnerabilities and develop risk assessments, and enhance recovery preparedness measures. Legal counsel should be obtained on how best to protect such sensitive information from unauthorized use within the provisions of applicable local, state, and federal laws.

Development and Training on Occupant Emergency Plans

Occupant Emergency Plans should be developed for building Operations staff and occupants to be able to respond to all forms of attacks and threats. Clearly defined lines of communication, responsibilities, and operational procedures are all important parts of Emergency Plans. Emergency Plans are an essential element of protecting life and property from attacks and threats by preparing for and carrying out activities to prevent or minimize personal injury and physical damage. This will be accomplished by pre-emergency planning; establishing specific functions for Operational staff and occupants; training Organization personnel in appropriate functions; instructing occupants of appropriate responses to emergency situations and evacuation procedures; and conducting actual drills.

Building Information Modeling

Building Information Modeling (BIM) can be a useful tool for building security. For example, intelligent objects in 3D provide better understanding of vulnerabilities and better correlation with other design aspects like building and site access, location and types of doors and windows, and structural design characteristics for seismic versus blast design. BIM will further the integration between project team members, design disciplines, and the various stages of a project to achieve the goal of a high performance building. Properly maintained, BIM can provide complete, up-to-date information on the building and its' systems throughout the building service life.

Resilience

Resilience relates to the design, construction, and operation of buildings and infrastructures that are resilient to natural and man-made disasters. Buildings designed for resilience can absorb and rapidly recover from a disruptive event. Continuity of operations is a major focus of resilience. The National Response Framework presents guiding principles that enable all response partners to prepare for and provide a unified national response to disasters and emergencies.

Back to top

Emerging Issues

Cyber Security of Operational Technology and Industrial Control Systems

The control systems used to connect and manage infrastructure are different than the traditional information technology systems used for business systems, and are often called Operational Technology (OT). The National Institute of Standards and Technology refers to these systems as Industrial Control Systems (ICS). NIST SP 800-53 Rev 3 Appendix I defines ICS as:

"information systems that differ significantly from traditional administrative, mission support, and scientific data processing information systems. ICS typically have many unique characteristics—including a need for real-time response and extremely high availability, predictability, and reliability. These types of specialized systems are pervasive throughout the critical infrastructure, often being required to meet several and often conflicting safety, operational, performance, reliability, and security requirements such as: (i) minimizing risk to the health and safety of the public; (ii) preventing serious damage to the environment; (iii) preventing serious production stoppages or slowdowns that result in negative impact to the Nation's economy and ability to carry out critical functions; (iv) protecting the critical infrastructure from cyber attacks and common human error; and (v) safeguarding against the compromise of proprietary information.

Previously, ICS had little resemblance to traditional information systems in that they were isolated systems running proprietary software and control protocols. However, as these systems have been increasingly integrated more closely into mainstream organizational information systems to promote connectivity, efficiency, and remote access capabilities, portions of these ICS have started to resemble the more traditional information systems. Increasingly, ICS use the same commercially available hardware and software components as are used in the organization's traditional information systems. While the change in ICS architecture supports new information system capabilities, it also provides significantly less isolation from the outside world for these systems, introducing many of the same vulnerabilities that exist in current networked information systems. The result is an even greater need to secure ICS."

The term "ICS is used in its broadest sense which includes:

  • Supervisory Control And Data Acquisition (Energy, Water, Wastewater, Pipeline, Airfield Lighting, Locks, and Dams, etc.)
  • Distributed Control Systems (Process and Manufacturing, etc.)
  • Building Control Systems/Building Automation Systems
  • Utility Management Control Systems
  • Electronic Security Systems
  • Fire, Life Safety, Emergency Management Systems
  • Exterior Lighting and Messaging Systems
  • Intelligent Transportation Systems

The systems and subsystems are a combination of operational technologies and information technologies.

examples of DoD OT and ICS systems and subsystems

Figure 1 - Examples of DoD OT and ICS Systems and Subsystems
(Courtesy of Fred E. Abbitt, CISSP-ISSEP, CSSA / Physical and Control System Security SME, Information Systems Engineering Command, Information Assurance and Security Engineering Directorate)

The majority of these systems were historically proprietary, analog, vendor supported, and used direct serial, and/or wireless connection, and were not IP enabled. The systems components such as Remote Terminal Units, Programmable Logic Controllers, Physical Access Control, Intrusion Detection Systems, CCTV, fire alarm systems, and utility meters have long equipment life spans, and are typically designated as Operational Technology (OT) and Real Property Equipment.

As these systems and components became digital and IP enabled, the interconnects to the organization network and business systems began to expose the organization to exploits and significant vulnerabilities. Typically, there was not a clear line of demarcation where one system started and one ended, for example a EMCS meter could be on the utility SCADA system, or on the buildings BAS.

The Department of Homeland Security Control Systems Security Program is part of the United States Computer Emergency Readiness Team (US-CERT) and provides tools, standards, training, and publications for ICS. The DHS Cyber Security Evaluation Tool is used extensively by government and private industry. The tool incorporates a number of standards and publications, including the NIST and DoD standards.

The NIST Computer Security Division, Computer Security Resource Center is where the standards and publications are maintained. NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations, and NIST 800-82 Guide to Industrial Control Systems (ICS) Security are used by most federal agencies as the baseline to evaluate their systems. Both publications are in the process of being updated with a release date expected in early 2013.

The STUXNET, FLAME and other cyber attacks have shown how vulnerable the nations ICS is. As the Smart Grid develops, enhanced security controls are being developed by NIST, to include the NISTIR 7628 Guidelines for Smart Grid Cyber Security, and the NIST Framework and Roadmap for Smart Grid Interoperability Standard, Release 2.0. Buildings that have Advanced Smart Metering and other web or wireless connections to the system should be secured and tested to ensure vulnerabilities are mitigated and risks minimized.

DHS S&T has developed several tools to assess the risk and resiliency of buildings, to include the cyber threat. The Integrated Rapid Visual Screening Tool, and the Owners Performance Requirement Tool assist building owners and operators evaluate the threats, vulnerabilities, and consequences and compare mitigation options.

The ICS Overlay is based on:

  • ANSI/ISA
  • CNSSI No. 1253, Revision 1.1, Security Controls and Control Selections for National Security Systems, Final March 2012
  • DoD Unified Facility Criteria 3-470-01, LonWorks Utility Monitoring and Control System (UMCS), Date TBD
  • DoD Unified Facility Criteria 4-010-01, Minimum Antiterrorism Standards for Buildings, February 2012
  • DoD Unified Facility Criteria 4-022-01, Security Engineering Manual, March 2005
  • DoD Unified Facility Guide Specification 25 10 10, Utility Monitoring and Control System, Date TBD
  • Energy Sector Control Systems Working Group, Roadmap to Secure Energy Delivery Systems, January 2011
  • Executive Order 13514, Federal Leadership in Environmental, Energy and Economic Performance, October 2009
  • Executive Office of the President of the United States, A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future, June 2011
  • FEMA 426 Reference Manual to Mitigate Buildings Against Terrorist Attack, December 2003
  • International Building Code
  • ISO 50001, Energy management systems—Requirements with guidance for use, November 2011
  • National Defense Authorization Act, 2012
  • National Fire Code
  • National Science and Technology Council Committee on Technology, Submetering of Building Energy and Water Usage, October 2011
  • NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009
  • NIST SP 800-53, Revision 4 Draft, Recommended Security Controls for Federal Information Systems and Organizations, February 2012
  • NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011
  • NISTR 7628, Guidelines for Smart Grid Cyber Security, September 2010
  • NIST SP 1108R2, Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0, February 2012
  • White House, Implementing Instructions—Sustainable Locations for Federal Facilities, September 15, 2011

Cybersecurity evaluation tool 4.1

Back to top

Relevant Codes and Standards

Back to top

Major Resources

WBDG

Design Objectives

Historic Preservation—Accommodate Life Safety and Security Needs

Publications

Websites

Training Courses

Back to top