We live in an increasingly online world. Our lives, both personal and professional, are accessible with just a few clicks, swipes or taps from just about anywhere on Earth. In many ways, this kind of streamlined convenience has improved our day-to-day in ways we never dreamed. But in turn, it also makes us vulnerable.
The security of the data we put into cyberspace is as critical as the lock on our front doors. It protects us from those who would take what doesn't belong to them and leave a wake of destruction. Unfortunately, when it comes to cyberspace, there are often more doors than locks, and attackers are becoming alarmingly adept at letting themselves in. We hear about it in the news, and an unfortunate number of us have experienced it firsthand. But with every new cyberattack, we learn, and our methods for protecting ourselves and our businesses improve.
In this edition of Plains Talk, we'll discuss the various building and infrastructure design considerations for enhancing cybersecurity across a variety of industry types. Out of caution, and an extreme respect for our clients, we won't share the particulars of any one project - but instead allow our team of professionals to discuss the overarching themes they face when supporting cybersecurity.
The Importance of Designing Building System Cybersecurity
When most people think of cybersecurity, they think of firewalls, encryption, and software systems to protect sensitive data from outside internet-based attacks. But securing data isn't just an I.T. role. Systems like data cabling, HVAC and building management also need to be designed to ensure they don't provide an easy access point for cyberattacks, and that the data they carry and intersect cannot be compromised.
The design considerations and requirements geared toward cybersecurity vary from industry to industry, depending greatly on the end user and the type of data being stored or communicated. Below, our team dissects several of the most common building types and industries where cybersecurity has become a hot-button issue.
Balancing Progress with Protection
Businesses across all industries are adopting the latest technology in their workplaces at a record pace to improve efficiency and productivity.
Most of these advanced building systems, like lighting control, CCTV, security, and access control, are networked, with devices relying on IP addresses to communicate with one another and their main control panel. While efficient and convenient, this puts these systems at a higher risk for cyberattacks, since they can provide back door access to the end user’s information network. For instance, these types of systems may be connected to outside cloud-based software that allows the end user to manage the system from anywhere.
To help minimize some of this risk, these systems should be placed on separate networks to keep a physical separation from the owner’s information network. The designer should also work closely with the end user’s I.T. department to ensure the design meets their security requirements, and that they are aware of any potential risks and can plan accordingly when implementing software or hardware requirements. The end user’s I.T. department may also need to implement firewalls or advanced security measures where these building systems interconnect with the building’s I.T. network.
In scenarios where an extra degree of detail is needed, owners should add a Registered Communications Distribution Designer (RCDD) to collaborate with their I.T. staff. An RCDD can be an important link between the project design team and I.T., helping to assess not only current needs, but to also plan for the inevitable upgrades that come with technology.
Matt VonHaden, P.E. is an Electrical Engineer in our Rapid City office. He has been with West Plains Engineering since 2009.
Many military facilities have areas where classified information will be transmitted, received, analyzed and discussed. These areas include Joint Operations Centers (JOCs), which can in turn include Sensitive Compartmented Information Facilities (SCIFs).
The JOC is established for planning, monitoring and guiding the execution of the joint force commander’s decisions. Within a JOC (although not always within one), many facilities also have a SCIF, which is held to a still higher level of security.
Both JOCs and SCIFs are designed to meet specific classification and anticipated threat levels. Things for the design team to consider include:
- What level of classified information will be processed/reviewed/discussed;
- Projected number of occupants;
- Sound transmission levels;
- Security access controls;
- Radio frequency shielding;
- Light levels and controls;
- Power distribution/standby power requirements;
- Data communications requirements.
Data cables serving higher threat level secure networks cannot be installed above false ceilings, below computer floors, or within walls unless these areas are able to be visually inspected. These inspections must be performed along the entire length of the raceway/cable. Raceway, boxes, and raceway connections must be assessed for signs of penetration, tampering, and any other anomaly that could cause deterioration of the protection of the secure network. Where visual inspections are not practical, an alarm system is required to monitor the raceway/cable or to monitor the entire space that the raceway/cable occupies.
The secure network data cables or the raceway that contains them must be labeled but cannot be labeled to indicate that they serve a secure network. These cables also need to be separated from non-secure network cabling to prevent unauthorized access by those without the appropriate security clearance, and to inhibit inappropriate cross connection of the secure and non-secure data cabling.
Where raceway is used, it must be metal, such as EMT, IMC, or rigid steel conduit. Conduit joints must be minimized, and have all surfaces sealed to prevent tampering. Pull boxes must have their covers secured by welding or epoxy after cable installation or be secured with an approved lock or tamper evident seal.
Conduit, duct work and other components used to build a facility are in and of themselves able to transmit sound due to vibrations caused when people are talking. Sensitive equipment has been developed by intelligence gathering communities to monitor and capture this information. So when designing a space such as a JOC or SCIF, the team needs to safeguard these spaces to reduce or eliminate the potential of this information being transmitted along these building elements. Conduits and duct work are installed as continuous runs until just inside the secure side of the space, and are then provided with a flexible fitting before connecting to the conduit and duct work within the secure space. This transition of flexible material greatly reduces the sound transmission along these elements to provide further security of the information inside.
Mike Sigman is an Electrical Engineer and Office Manager in Rapid City. Mike has been with West Plains Engineering since 1998, and frequently works on projects for both the U.S. Air Force and National Guard.
Jeff Reinhart, P.E. is an Electrical Engineer in our Cedar Rapids office. He has more than 30 years as a consulting engineer in Eastern Iowa.
Yes, Mechanical Matters, Too...
As the previous two articles identified, cybersecurity isn't solely a design consideration for electrical engineers. In fact, there are several elements and requirements within mechanical design that can also reduce the risk of cyberattacks.
As Matt's article mentioned, at a minimum this includes isolating the Building Management System on a separate network to keep it independent from the end user's secure data. A 2019 Kaspersky report found that cyberattacks impact nearly 40 percent of building control products and systems. This was the case in the well-known 2013 Target credit card breach, where hackers utilized the retail giant's remote access HVAC system as a gateway into the company's network.
In addition to this separation, the design team must evaluate the system with the end users to determine any further levels of care. For instance, health care systems require a higher level of security due to sensitive patient information, which would require protection of penetrations into IT rooms from outsiders. In other high-security spaces, like the JOCs and SCIFs discussed above, room penetration may require further measures still to isolate the room from sound and electronic signal transmission, or the relay of vibrations.
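The separation recommended both in Matt's article (building systems on their own networks, with a firewall wherever they interconnect with I.T.) and in this one (an isolated Building Management System) can be checked against a device inventory. The following Python is an added example, not part of the original articles or of any West Plains Engineering project; the network names, addresses, devices, ports and firewall name are all constructed assumptions.

```python
import ipaddress

# Constructed sample inventory: every name, subnet and address is hypothetical.
NETWORKS = {
    "corp-it":  ("10.10.0.0/16", "it"),
    "bms":      ("10.50.1.0/24", "building"),
    "security": ("10.50.2.0/24", "building"),
}
DEVICES = [
    ("hvac-controller-1", "hvac",           "10.50.1.20"),
    ("lighting-panel-2",  "lighting",       "10.10.4.31"),   # sits on the IT LAN
    ("cctv-nvr",          "cctv",           "10.50.2.5"),
    ("door-controller-7", "access-control", "192.168.7.9"),  # undocumented network
    ("finance-ws-12",     "workstation",    "10.10.8.44"),
]
# Documented connections between networks: (source, destination, port, firewall)
FLOWS = [
    ("bms",      "corp-it",  443, "fw-edge-1"),
    ("security", "corp-it",  445, None),   # crosses zones with no firewall named
    ("bms",      "security", 502, None),   # stays inside the building zone
]
BUILDING_SYSTEMS = {"hvac", "lighting", "cctv", "access-control", "bms"}


def network_of(ip):
    """Return the name of the documented network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _zone) in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def audit_devices(devices=DEVICES):
    """Flag building-system devices that are not on a dedicated building network."""
    findings = []
    for name, system, ip in devices:
        if system not in BUILDING_SYSTEMS:
            continue
        net = network_of(ip)
        if net is None:
            findings.append((name, "not on any documented network"))
        elif NETWORKS[net][1] != "building":
            findings.append((name, f"shares network '{net}' with IT systems"))
    return findings


def audit_flows(flows=FLOWS):
    """Flag connections between building and IT zones that name no firewall."""
    findings = []
    for src, dst, port, firewall in flows:
        if NETWORKS[src][1] != NETWORKS[dst][1] and not firewall:
            findings.append((src, dst, port))
    return findings
```

On the sample data, `audit_devices()` reports the lighting panel on the I.T. LAN and the door controller on an undocumented network, and `audit_flows()` reports the security-to-I.T. connection that names no firewall.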
Michael Heinrich, P.E., BEAP, BEMP is a Mechanical Engineer and head of the Mechanical Department in Rapid City. He has more than 20 years of experience designing mechanical systems across all industry types, including business, military, education, finance, industrial/manufacturing, etc. for both private and government clients.
Safeguards for Firewalls in Finance
Financial services providers such as banks, credit unions, credit card companies, and investment firms are entrusted with the personally identifiable information (PII) of every customer and client. This information includes home address, Social Security number, banking details, phone number, email address, and income information. The high value of this data on the darknet makes this sector an attractive target for cyberattacks.
The advances in internet banking, mobile apps, and instant payments all require new technology, and heightened technology use invariably expands the industry’s attack surface and introduces new vulnerabilities.
Not only are generators and Uninterruptible Power Supplies (UPS) crucial to keeping these institutions up and running, but they also play a critical role in keeping firewalls and security measures up and running. The inability of firewalls and I.T. protocols to perform as designed due to something as relatively simple as a power outage could result in a major data breach costing the institution, and its customers, significant damages. The design of reliable emergency backup power is yet another way this industry protects against cybercriminals.
Building security, as well, can be a factor in mitigating a breach by marrying access control and video surveillance. Cameras in data centers and IT rooms are a must to determine if unauthorized access occurred, and by whom. Badging in and out of buildings and these spaces is also common protocol.
Cameras now have onboard analytics for tracking, focusing and finding particular images in the raw video. Video analytics include:
- Facial recognition & license plate reading
- People counting & dwell time monitoring
These analytics can then be used to prevent a cyberattack, or to hold those responsible for one accountable.
Todd Weidner, P.E., RCDD, CESCP is a Principal Electrical Engineer and the head of the WPE Electrical Specialties Division. Todd has worked with a number of large financial institutions during his career of more than 25 years. As a Registered Communications Distribution Designer, Todd acts as an important link between the Project Design Team and I.T. to integrate telecom and data communications into critical I.T. infrastructures.
Maintaining Control of Our Grid
Cyber Resiliency for Infrastructure
Cyberattacks against infrastructure are increasing and becoming more damaging not only to infrastructure providers but also to the customers they serve. We saw the cyberattack this year on Colonial Pipeline that disrupted the gas supply to the East Coast, and many others targeting the electrical grid. Studies indicate 50 percent of infrastructure organizations have experienced at least one cyberattack that has caused downtime to their system in the last two years.
To prevent or minimize these attacks, infrastructure systems are engaging in planning efforts called cyber resiliency. Part of this effort involves risk management by complying with new cybersecurity standards for Operational Technology (OT) control systems or SCADA systems. UL Standard 2900 for Software Cybersecurity for Network Connected Products, along with IEC 62443 for Industrial Control Systems, which assures that products used and specified will have a secure supply chain in manufacturing and software development, were created to minimize these risks to the OT infrastructure. Companies such as Schweitzer, Eaton, S&C, and others are leading the charge on cybersecurity for software and hardware development that complies with these standards. In turn, electrical providers such as rural electric utilities are using the National Cybersecurity Protection System developed by the federal government to employ intrusion detection and prevention in their IT systems through a system called EINSTEIN, which actively looks for malware and cyber threats worldwide.
Since the threat of cyberattacks is not going away, critical infrastructure will need to continue to combine efforts to strengthen the electrical grid and its resiliency. The Electric Power Supply Association is requesting that the Department of Energy consider strengthening procurement efforts by developing cybersecurity standards in contracts for suppliers of critical OT equipment. Most local utilities don’t have the resources to implement this supply chain tracing of products, so the federal government mandating these requirements on product manufacturers and suppliers could be a major step in the cyber war on critical infrastructure.
Daren Beckloff, P.E. is an Electrical Engineer and head of the WPE Power Division. His work focuses on relay protection, programming and integration, and he has designed various SCADA systems for both the electrical utility and water industries. Daren has been with West Plains Engineering since 2007, and has been a consulting engineer for 30 years.
West Plains Engineering News
Ladies and gentlemen...introducing Connor Swiontek...P.E.
In September, Connor passed his Principles and Practice of Engineering exam and earned his license in the State of South Dakota!
A graduate of North Dakota State University, Connor has been a mechanical designer with WPE since 2015 and has completed nearly 200 projects as part of our Sioux Falls office.
Congratulations on an incredible achievement Connor! We look forward to working with our newest Professional Engineer.
WPE Sponsors AIA Annual Conferences
The sponsorship wheels were rolling in September, with WPE supporting annual AIA conferences in Iowa, South Dakota and Wyoming!
In Iowa, Office Manager Mike Drahos and Building Services Division Manager Marty Christensen joined our architectural partners in Des Moines, while in Wyoming, Casper Office Manager Rob Armstrong headed to Jackson Hole.
Last but not least, Marty and Sioux Falls Office Manager Mike Fisher were in Sioux Falls with AIA-SD, where WPE sponsored the luncheon keynote speaker - Matt McMahon from Snøhetta Architecture. Matt's message focused on the importance and inspiration of nature in design (and we agree!) so we created the video above to introduce him.
Thank you to all of the AIA groups who welcomed us this Fall. It's always a pleasure!
Quince!
Congratulations to Mechanical Designer Darrin Tille on 15 years with WPE! Darrin has been part of our Sioux Falls office since 2006.
Happy Anniversary!!!
Please join us in wishing our president, Doug Feterl, a happy 30th anniversary!
Doug was one of the earliest team members hired after our company was founded, and he’s worn just about every hat there is along the way. Today, he continues to steer West Plains through one of the most unique times in our industry’s history and we’re grateful for his leadership.
Congratulations Doug! And from all of us in Casper, Cedar Rapids, Rapid City & Sioux Falls – thank you.
WPE Holds 2021 Design Conference
After taking 2020 off, our annual all-staff Design Conference was back in full swing this year!
Our team met in beautiful Deadwood, SD for three days in October to reconnect, learn, laugh, and get inspired. Check...check...check...and CHECK.
Thank you to the planning committee who put together this amazing event, and to our guest speaker, Dee Dee Raap, who joined us to talk about the importance of self-care during these stressful times.
What's Deadwood without casinos!? Pictured above: Winners of the WPE Design Conference Slot Tournament (l-r): David Clark (1st), Darrin Tille (2nd), Richard Panton (3rd) and our unfortunate last-place finisher, Mike Sigman.
Our Design Conference includes ample opportunity for on-going education, including a special session this year that pitted groups against each other to see who could come up with the best schematic-level design for surprise project scenarios.
We're excited to share the addition of two new team members this coming January!
Dalton Buck will join the West Plains Engineering staff as a full-time mechanical designer.
Dalton has spent two summers as an intern in our Sioux Falls office and will become a permanent part of our team after finishing his degree at South Dakota State University in December.
Messo Hekima joins us as a full-time electrical designer.
Messo has been an intern in our Power Division since 2019, and is completing his degree in Electrical Engineering from the South Dakota School of Mines and Technology this December.
Rapid City, SD | Sioux Falls, SD | Casper, WY | Cedar Rapids, IA