Cyber attacks hit record numbers in 2012. Hackers commandeered contact information for 24 million Zappos customers, breached computer systems at Wells Fargo and JPMorgan Chase, seized 65 million LinkedIn passwords, and acquired social security numbers and banking information for 8,000 employees of the Environmental Protection Agency.
Protecting mission-critical institutions from remote attacks—as well as from acts of terrorism—is a paramount concern in our data-dependent society. Though buildings alone cannot prevent computer warfare, architects must guide project teams comprising everyone from structural engineers to information technology (IT) specialists to provide facilities with the physical and virtual tools to block increasingly sophisticated hacking attempts.
“It’s one thing to have a great software security system that’s hard to hack into,” says David Mecham, an associate at Denver’s Fentress Architects. “It’s another to provide redundancy to the mechanical and electrical systems.”
Software consultant Ted Neward of Irvine, Calif.–based Neudesic says designers must find a balance between security and usability. “If you want to secure something, put it into a safe, and throw the safe in the deepest part of the ocean. But it can’t just be secure: It has to be usable. As soon as security becomes an obstacle, people avoid it.”
A building with any activity, device, service, or system that cannot fail or be disrupted can be considered mission-critical architecture. NASA first used the term to reference spacecraft components that support life functions; over time, it has grown to refer to critical facilities on Earth as well. Ronald Luman, AIA, vice president of Dallas-based Rees, an architecture firm that has designed mission-critical buildings for public- and private-sector clients, says that the phrase can apply to a physical or virtual asset that is “so vital … that its destruction or elimination would have a devastating impact to a company’s business or a country’s national security.”
Though architects will likely not be directly responsible for designing a project’s cyber protection, they are crucial in the ultimate goal of preventing data from getting into the wrong hands. Physical and virtual lines of defense are only as strong as their weakest points; by ensuring each subcontractor’s and consultant’s work satisfies the project’s specifications, architects can help prevent a facility, its hardware, and its contents from being breached.
A Secure Foundation
Firms pursuing public and private sector mission-critical projects must meet preconditions. Many government agencies, particularly those associated with national defense, require architects and other building team members to follow particular criteria and guidelines. Private-sector clients, such as data centers and other projects with cybersecurity needs, generally require firms to have certification in building-technology security from third-party organizations.
The Uptime Institute (UI), a private-sector consortium of IT companies established in 1993, issues the most common seal of approval in the data-center industry. Similar to the USGBC’s LEED rating system, the UI certifies a building’s physical and technological security level in a succession of tiers. Each of the four major certification tiers is tied to past levels of infrastructure design.
The UI white paper “Tier Classifications Define Site Infrastructure Performance” describes the system’s origins and classifications. Tier 1 certification, the lowest standard, was developed in the 1960s. It indicates that a facility provides 99.67 percent availability—that is, servers are out of operation for only 0.33 percent of the time. This certification level does not require redundant capacity; that is, the facility has only single electrical and water lines connecting data processing equipment for power and cooling rather than duplicate, separate systems. As a result, outages—planned or unplanned—can adversely affect the hardware.
Tier II certification, dating to the 1970s and indicating a server availability of 99.75 percent, requires electrical redundancy that allows components to be taken offline without disruption to the broader array. However, power and cooling are still provided by a single path.
Tiers III and IV both date to the early 1990s, and offer 99.8 to 99.9 percent availability, respectively, as well as redundant components and multiple electrical and HVAC paths serving computer hardware. While Tier III has only one electrical path active at a time, Tier IV makes all power and HVAC paths available to support all server equipment, so that the failure of a single component will not bring down the rest of the system.