It’s 3 a.m., and the network administrator has just received a text alert on his mobile phone, notifying him that the connection to a building access system has been lost. Since he’ll be at work in a few hours anyway, he decides that it’ll keep until morning. Unbeknownst to our network administrator, however, the door to an important machine room is now unlocked. Later, when the incident is reviewed, he’s informed that unauthorized access to that room could have cost the enterprise hundreds of thousands of dollars and affected employee safety.
There’s an information security maxim that states, “There’s no security without physical security.” Buildings and infrastructure (other than specifically IT infrastructure) are usually the domain of a department other than IT, but the technology used to monitor and secure facilities of all types usually utilizes the IT infrastructure, and that may require the support center to become involved.
Heating, ventilation, and air conditioning (HVAC) systems rely on network infrastructure, whether wired or wireless, for operation and oversight. Likewise, building-access control systems, security cameras, alarm systems, refrigeration monitoring, and other facilities and engineering systems all tie into networks at one point or another, and those networks likely belong to, or are managed by, IT.
Support organizations that don’t have mature IT processes in place, or that don’t develop excellent relationships with their business units, may only become aware that a certain piece of equipment exists when it breaks and someone contacts the support center. In addition, IT infrastructure may need capacity upgrades (to handle increased video surveillance, as one example), and there may be impacts on existing IT maintenance windows.
To add further complication, HVAC and building-access controls are often handled by third-party specialists—companies that “do this for a living”—and this can put IT at a distinct disadvantage. For example, we all know that Windows XP is no longer supported by Microsoft and, therefore, is no longer receiving security patches. Even though your organization’s security policy may state that unsupported/unpatched operating systems aren’t allowed on internal networks, what do you do if that unpatchable system is owned by a third party that says it can’t be upgraded because of compatibility issues? And what if that system controls all of your building access? Taking the system offline means doors won’t lock or open, and leaving it online may introduce unwanted vulnerabilities to your network. To top it all off, the system itself may be off limits to IT, since it’s a third-party asset. The support center and/or desktop support may not have remote access to the system at all and, even if they did, they might not be able to perform routine maintenance.
So, what’s the solution?
Build Solid Business Relationships
Without good information about how facilities systems are interrelated and what critical controls are in place, IT—and hence support—is flying blind. To combat this effect, you need to build solid business relationships.
- Open good, clear communication channels with facilities, maintenance, physical security (i.e., guards and monitoring), information security, legal, and all other business units—especially network administration and operations.
- Establish contact methods and procedures for third-party providers and contractors.
- Know what your business’s critical assets are and how they need to be protected to ensure day-to-day security and function.
- Have clear agreements on what happens if/when there’s a failure of security systems or any network or information systems that affect access, HVAC, monitoring, or other high-priority functions.
Know What You’re Doing
Don’t leave anything to chance or fall into the habit of thinking that “everyone will know what to do.” Document everything, and make sure that documentation is accessible even in the case of a complete network or data center outage.
- Include facilities devices in your configuration management system.
- Have clear, enforceable procedures in place so that the support center knows what course of action to take in case of a failure or degradation of facilities systems.
- Communicate clearly about when, when not, and how to escalate.
- Train staff as often as practicable, and empower them to access information and execute plans.
- Reinforce the differences between everyday concerns (like paying attention to keycard access systems) and emergencies.
Have the Right Technology
Monitoring and reporting tools can go a long way toward alleviating or even eliminating the blind spots you may have in your connected facilities systems. Having a configuration item (CI) “go red” on a monitoring display is far better than having someone report that they’ve discovered an open door, a broken card reader, or—worse yet—an area they shouldn’t be able to access. This means working closely with your security departments (physical and information) to identify and prioritize CIs so that important systems can stand out and not disappear in the noise. Being able to tell what’s important is critical to good decision making, especially in emergency situations.
It’s equally important that the people who monitor the systems have access to the tools they may need to turn off alarms, restart computers, and reach the people they need to reach in any given situation.
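As an added illustration (not part of the original article), the sketch below shows one way CI prioritization can keep a lost connection to a door controller from being deferred like a routine fault. The CI names, record fields, event names, and internal contacts are constructed assumptions; only the vendor name is borrowed from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CI:  # constructed record; field names are assumptions, not a real CMDB schema
    name: str
    criticality: int   # 1 = safety/physical security, 2 = business-critical, 3 = routine
    owner: str         # who gets the call: internal team or third-party vendor
    fails_open: bool   # assumed flag: losing the controller may leave doors unlocked

CMDB = {c.name: c for c in (
    CI("door-ctl-machine-room", 1, "ABC Building Access Company", True),
    CI("hvac-floor3", 2, "facilities-oncall", False),
    CI("lobby-display", 3, "support-center-queue", False),
)}

SAMPLE_ALERTS = [  # constructed monitoring events, oldest first
    {"ci": "lobby-display", "event": "connection_lost", "time": "02:58"},
    {"ci": "hvac-floor3", "event": "temp_high", "time": "02:59"},
    {"ci": "door-ctl-machine-room", "event": "connection_lost", "time": "03:00"},
    {"ci": "door-ctl-machine-room", "event": "connection_lost", "time": "03:01"},
    {"ci": "badge-reader-dock-7", "event": "connection_lost", "time": "03:02"},
]

def triage(alert):
    """Decide what the support center does with one alert."""
    ci = CMDB.get(alert["ci"])
    if ci is None:  # device nobody documented: impact unknown, so a person must look
        return {"action": "page", "contact": "network-operations",
                "reason": "CI not under configuration management"}
    if ci.criticality == 1 or (ci.fails_open and alert["event"] == "connection_lost"):
        return {"action": "page", "contact": ci.owner,
                "reason": "physical security or safety impact; do not defer"}
    if ci.criticality == 2:
        return {"action": "escalate", "contact": ci.owner, "reason": "business-critical"}
    return {"action": "queue", "contact": ci.owner, "reason": "routine"}

def worklist(alerts):
    """Drop repeats of the same fault, then put urgent items at the top."""
    rank = {"page": 0, "escalate": 1, "queue": 2}
    seen, rows = set(), []
    for a in alerts:
        key = (a["ci"], a["event"])
        if key not in seen:  # keep the first report of each fault only
            seen.add(key)
            rows.append({**a, **triage(a)})
    return sorted(rows, key=lambda r: rank[r["action"]])

if __name__ == "__main__":
    for row in worklist(SAMPLE_ALERTS):
        print(row["time"], row["action"], row["ci"], "->", row["contact"])
```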
Prepare for the Future
Many organizations are moving toward a Support Center 2.0 model, where the service desk or help desk that was formerly concerned only with IT now handles contacts for other business components as well, and prime among these is facilities. Work orders and reports of malfunctions (i.e., incidents) come into the support center and may need to be escalated to a specific group within facilities or engineering, or to an outside vendor or contractor. The lines of contact should be clear and open, and there shouldn’t be any confusion or delays when someone from the support center calls ABC Building Access Company and reports a fault.
The Internet of Things (IoT) is already here—and has been for some time in the facilities world. It will, however, grow more and more complex over the next few years as more and more devices related to facilities management become connected and smart (i.e., able to make rudimentary decisions). Three-dimensional location awareness and connected “wearables” like Google Glass present both challenges and opportunities. Consider, for example, the possibility of a technician on your office campus wearing Glass (or a competing technology) and working to restore service on a device while a technician at the company that manufactures the device talks them through it. This will increase the traffic on your network and, therefore, the noise in your monitoring systems.
As a well-known proverb says, “The best time to plant a tree was twenty years ago. The second best time is now.” If the headlong rush toward the consumerization of IT has taught us anything, it’s that having good processes, procedures, and policies in place can go a long way toward cutting down on the chaos and firefighting that attend any major change. Begin by asking questions, connecting with your peers in facilities and security, formulating plans, and building the relationships that will form the foundation of a secure and stable environment.
Roy Atkinson is HDI’s senior writer/analyst. He’s a certified HDI Support Center Manager and a veteran of both small business and enterprise consulting, service, and support. In addition, he has both frontline and management experience. Roy is a member of the conference faculty for FUSION 14, and he’s known for his social media presence, especially on the topic of customer service. He also serves as the chapter advisor for the HDI Northern New England local chapter.