Tuesday, August 13, 2019

Cyber threat into Video Surveillance

We all know that the US has banned HikVision and Dahua, and IPVM has covered the full story over time. Security systems are changing at an ever-increasing pace and are making more use of standard Information Technology (IT) products running over a Local Area Network (LAN) or Wide Area Network (WAN), e.g. across the Internet, where they can be remotely monitored and controlled. As a result of using Internet Protocol (IP), the opportunity has arisen for manufacturers to develop new generations of equipment, from control panels, cameras, and door controllers to fully integrated systems combining fire, access control, CCTV, intruder and building control systems. These “integrated” systems are often called security management systems as they bring together the management of all aspects of an organization’s security.
Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorisation to see it. First, we need to understand a few things:

What is a network?

In simple terms, a network provides a means of communicating data between two or more computer-like devices. A network can be a LAN and can incorporate a Wireless element of networking (WLAN). Where the network has the need to communicate outside of a single LAN, a WAN is used. A WAN can connect LANs together to communicate with users and computers in other locations. The most well-known example of a WAN is the Internet.
Why use an IP network?
Traditionally, many security systems have been linked to remote monitoring centres using modem type devices connected to a telephone line to exchange information. Using a network introduces many benefits, for example a substantial financial saving compared to dial up solutions. Additionally, the use of a network can improve quality of information and the time required to connect and exchange information.

Digital formats are being chosen by many industries such as music, telephone (voice over IP networks), TV, photography etc. With so many industries making use of IP technology, networks have become extremely robust. As a result, the use of a network can make the exchange of information between a security system and a remote monitoring centre more efficient.
Internet Service Provider (ISP)
The connection between your premises and the monitoring location may use an ISP to provide the service. When choosing an ISP, you should endeavour to establish the level of service being offered. Additionally, it may be prudent to have a second ISP link. The connection between your premises and the ISP is perhaps the weaker link so if you do have concerns, you should investigate an alternate means of communication from your premises into the ISP, i.e. GPRS, GSM (mobile service providers).

Bandwidth
Bandwidth requirements (space on your network to operate) should be discussed with your IT manager. The bandwidth required to operate a CCTV system may be considerable. Your security system provider will be able to advise you on the bandwidth requirements. As a general guide, CCTV systems require considerable bandwidth to send video images over a network whereas access control, intruder alarm systems and visitor management systems that only send small amounts of data, do not require much bandwidth.

Company usage policies
You will also need to consider company policies relating to “what is allowed” to use an existing network. If the nature of your business dictates that the network shall only be used for specific applications, then this may immediately determine that a separate network must be installed for the security system.

SSA Integrate now integrates existing security systems with IP security solutions, as the common backbone now runs over TCP/IP. The network of connected sensors, devices, and appliances commonly referred to as the Internet of Things (IoT) has completely changed the way business works. This is as true of the heavy hauling and freight industry as any other. At any moment, various players in the industry can get a sense of vehicle health, cargo safety, and whether or not any infrastructure is in need of repair.
Some products allow a mixture of analogue and digital security equipment to be combined, and this means that there is not always a need to move completely to an IP based system if an existing security system is in place.
The ‘hybrid’ approach is more common where two or more security sub-systems are combined to create an integrated solution. The data in a hybrid system will usually come together at one or more PCs. Non-IP systems are often connected to a PC using a serial port, whereas IP systems will be connected over the network.

A cyber-attack at targeted points in a country or region’s network could leave it crippled, preventing people from receiving much-needed goods and services. Fortunately, it doesn’t have to be that way.
With cyberattacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked.
In October 2016, 600,000 internet-connected cameras, DVRs, routers and other IoT devices were compromised and used to form a massive botnet to launch what was the largest Denial of Service (DoS) attack the internet had experienced to date.
In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response the NSA traced the attacker’s source and infiltrated their computer systems gaining access to their CCTV cameras from where they were able to observe the hackers’ comings and goings.

In the lead up to the 2017 US Presidential inauguration, 65 per cent of the recording servers for the city of Washington CCTV system were infected with ransomware. How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.
What was the impact? The system administrators had to wipe the infected systems and reinstall the video management system so it’s entirely possible a good deal of footage was lost, and the system was rendered inoperable for a time.
In May 2018, over 60 Canon cameras in Japan were hacked with “I’m Hacked. bye2” appearing in the camera display text. How did the attack take place? Simple. IP cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display. What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from these attacks.

How did the attack take place? Yet again, devices were left connected to the internet and were left on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control of using their own malicious software.

What lessons can we learn from these attacks?
Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system be remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable two-factor authentication, or use a remote access service. While these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.
Just because it connects to a bunch of cameras, doesn’t mean that your NVR isn’t a computer. All the cyber security advice that is applicable to traditional IT is just as applicable when said computer is used as part of a CCTV system.

On Aug 13, 2018, the US President signed the 2019 NDAA into law, banning the use of Dahua and HikVision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
The US government is effectively blacklisting Dahua and HikVision products; this will have a severe branding and, consequently, purchasing impact. Many buyers will be concerned about:
·         What security risks those products pose for them
·         What problems might occur if they want to integrate with public / government systems
·         What future legislation at the state or local level might ban usage of such systems

As of Jun 06, 2019, Hanwha Techwin is dropping Huawei HiSilicon from all of its products. HiSilicon is of Chinese origin, and backdoor entry is open on the product.

The tightening noose around Chinese technology firms is driven by the Trump administration’s view that China poses an economic, technological and political threat, a stance that country is likely to retaliate against. The two companies prompted concern that they could be employed in espionage, according to people familiar with the matter. Last week, the administration banned Huawei Technologies Co. from purchasing American technology amid similar suspicions of spying capabilities and Chinese laws that could require home-grown firms to hand over information if asked.

Hikvision, which is controlled by the Chinese government, and Dahua are leaders in the market for surveillance technology, with cameras that can produce sharp, full-color images in fog and near-total darkness. They also use artificial intelligence to power 3D people-counting cameras and facial recognition systems on a vast scale.

A Chinese firm whose subsidiary has been shortlisted to supply security cameras for the national capital is on a US watch list, with an advisory on threats, including remote hacking and potential backdoor access. 


Concerns have also been raised about the firm being owned by the Chinese government, adding a twist to the controversy over a Delhi government project to install 1.5 lakh CCTV cameras across the city.
Now the question is how to prevent malware attacks:
1.   Manage your router: Earlier this year, the FBI recommended that everyone reboot all home routers and small office routers. In a previous blog on the subject, Davis stated that “rebooting will disable the active malware called ‘VPN Filter’ which has infected hundreds of thousands of routers across the Internet, and it will help the FBI assess the extent of the infection.” While this was an isolated incident in time,
2.   Disable UPnP: UPnP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.
3.   Disable P2P: P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.
4.   Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
5.   Disable Multicast: Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.
6.   Cameras connected to the PoE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
7.   Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.
8.   Protect your computer from vulnerabilities: Clean up your computer by removing old software programs no longer in use, and make sure to install patches regularly. Updating firmware safeguards equipment by patching known vulnerabilities, often adds features, and sometimes improves system performance.
9.   Use firewalls and firebreaks (network segmentation): Place devices behind firewalls to protect them from untrusted networks, such as the Internet. And, use network segmentation—splitting a network into separate networks that are isolated, not connected—so a compromise in one part of the network won’t compromise the other (i.e. human resources and finance). This works much like a firebreak, which is a strip of land in a wooded area or forest where the trees have been removed to prevent a fire from spreading.
10. The network your NVR and IP cameras reside on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.
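
One way to run the checklist above against a site's settings, as an added example that is not part of the original post. The configuration layout, field names, addresses and port numbers are constructed for illustration and do not come from any real router or NVR.

```python
import ipaddress


def audit(cfg):
    """Return (check_id, detail) findings for one site's router/NVR settings."""
    findings = []
    devices = {ipaddress.ip_address(ip) for ip in cfg["video_devices"]}

    # Item 2: UPnP can open router ports without anyone asking for it.
    if cfg["upnp_enabled"]:
        findings.append(("UPNP", "UPnP is enabled on the router"))

    # Items 3-5: P2P, SNMP and multicast should be off unless actually used.
    for name, state in cfg["services"].items():
        if state["enabled"] and not state["in_use"]:
            findings.append(("UNUSED_SERVICE", f"{name} is enabled but not in use"))

    # Item 7: never make a recorder or camera the router's DMZ host.
    dmz = cfg.get("dmz_host")
    if dmz and ipaddress.ip_address(dmz) in devices:
        findings.append(("DMZ", f"video device {dmz} is the DMZ host"))

    # Item 7: forward single, needed ports only, never a wide range.
    needed = set(cfg["needed_ports"])
    for fwd in cfg["port_forwards"]:
        if ipaddress.ip_address(fwd["target"]) not in devices:
            continue
        start, end = fwd["ext_start"], fwd["ext_end"]
        if end > start:
            findings.append(("WIDE_RANGE", f"ports {start}-{end} -> {fwd['target']}"))
        elif start not in needed:
            findings.append(("UNNEEDED_PORT", f"port {start} -> {fwd['target']}"))

    # Items 9-10: the CCTV network must not overlap any other network,
    # and every video device must sit inside it.
    nets = {n: ipaddress.ip_network(c) for n, c in cfg["networks"].items()}
    cctv = nets["cctv"]
    for name, net in nets.items():
        if name != "cctv" and cctv.overlaps(net):
            findings.append(("SHARED_NETWORK", f"cctv overlaps {name} ({net})"))
    for dev in sorted(devices):
        if dev not in cctv:
            findings.append(("OUTSIDE_CCTV_NET", f"{dev} is not in {cctv}"))
    return findings


# Constructed sample: the kind of setup the checklist warns about.
WEAK = {
    "upnp_enabled": True,
    "dmz_host": "192.168.1.50",
    "video_devices": ["192.168.1.50", "192.168.1.51"],
    "services": {
        "p2p": {"enabled": True, "in_use": False},
        "snmp": {"enabled": True, "in_use": False},
        "multicast": {"enabled": False, "in_use": False},
    },
    "needed_ports": [8443],
    "port_forwards": [
        {"ext_start": 8443, "ext_end": 8443, "target": "192.168.1.50"},
        {"ext_start": 8000, "ext_end": 9000, "target": "192.168.1.50"},
        {"ext_start": 23, "ext_end": 23, "target": "192.168.1.51"},
    ],
    "networks": {"cctv": "192.168.1.0/24", "public": "192.168.1.0/24"},
}

# Constructed sample: same site after applying the checklist
# (no forwards at all, remote access assumed to go through a VPN).
HARDENED = {
    "upnp_enabled": False,
    "dmz_host": None,
    "video_devices": ["10.20.30.50", "10.20.30.51"],
    "services": {
        "p2p": {"enabled": False, "in_use": False},
        "snmp": {"enabled": False, "in_use": False},
        "multicast": {"enabled": False, "in_use": False},
    },
    "needed_ports": [],
    "port_forwards": [],
    "networks": {"cctv": "10.20.30.0/24", "public": "192.168.1.0/24"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for check_id, detail in audit(cfg) or [("OK", "no findings")]:
            print(f"  {check_id}: {detail}")
```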


Some Protection Protocols:

Cyber security procedures for video surveillance devices across the threat spectrum require certain protection protocols.

Weaponizing IP Cameras (Threat High)

Most IP cameras today are manufactured with an open operating system, or basic kernel, that gives no real consideration to data or cybersecurity. For years, people have asked about the security of the video that their system produces; now, people are asking if their IP camera system can be used against them.
Think of an IT administrator who has worked diligently to secure a network, servers and mobile devices, and who then finds out that the 200 recently installed IP cameras on the edge of that network are vulnerable to rootkits and can be weaponized and used as attack platforms against their own network, and there is no way to monitor them.

This may seem far-fetched, but in Sept. 2016, 1.5 million IP cameras, DVRs and L3 network devices were hijacked in the largest DDoS attack ever seen. So what are the current fundamental considerations that an organization needs to take into account before placing an IP camera on their network?

Protection Protocol:

·         The operating system (OS) on a video device should be a closed OS that runs in limited memory space.
·         Nothing should be able to be written to the device itself with the exception of digitally signed firmware. If the device has the ability to run third-party apps, it can be weaponized.
·         Common ports should be disabled by default. From a vulnerability and pen testing perspective, the more ports that are open, the more opportunity there is to leverage a device or the services on that device.
·         Video devices should utilize HSTS (HTTP Strict Transport Security) if you are going to implement end-to-end security. This protocol helps protect against protocol downgrade attacks and cookie hijacking, and forces an HTTPS connection to the device.
·         Consider devices with a built-in “firewall” to prevent dictionary attacks from Botnets.
·         Monitor user accounts and access to the video devices. Most IP cameras are installed with the default user name and password, and if installed on an accessible network, a connection can be established from anywhere in the world. Devices should have a force password feature that also adheres to password policies, such as length and complexity.
·         Monitor a device’s chain of custody. The vendor should have a secure chain of custody during the manufacturing process all the way through to the final sale. If they are not manufactured in a controlled environment, video devices can be tampered with at any time prior to being sold to the customer.

Attacking Servers and NVRs (Threat High)

Most VMS servers and NVRs reside on either a Windows operating system or some flavor of Linux. There is an illusion of security that most of us have with regards to OS security, but just take a look at an OS vulnerability chart and that illusion will quickly disappear.
A base unpatched Windows Server 2012 OS has 36 vulnerabilities; a standard Linux distribution has 119. Most vulnerabilities that machines are subject to are a result of “add-ons” – such as Internet Explorer (242) and Chrome (124). While Windows Server is a more secure platform, it is also a bigger target due to its market share and utilization.

Protection Protocol:

·         As with any machine on a network, it is imperative that the most current updates and patches are applied to video system devices.
·         Ensure a VMS can work within your network policies and environment while a network firewall and anti-virus software are operational.
·         Use hardened password policies, restricted physical and network access, and disable USB ports.

Recorded Video (Data at Rest-Threat Medium)

The two primary purposes of any video system are to act as a deterrent and to be used as admissible evidence in a court of law, if needed. Technically, digital video falls under the scrutiny of the Federal Rules of Evidence (FRE) as it pertains to digital evidence, and authenticity affects admissibility.

Most NVR systems write video in a base file format such as *.AVI, *.G64, *.MKV. If the video drives are accessible via network share, they are subject to tampering.

Protection Protocol:
·         Video, if written in a readable format, should be encrypted to reduce accessibility and the possibility of tampering.
·         Video devices should use some form of hashing as a form of authenticity. Hashing provides the “Data Fixity” of a file and is a form of admissible evidence. Older forms of authenticity, such as watermarking, can be considered video tampering.
·         The VMS should also provide a way to protect original incident video for any undefined time beyond the system’s retention time in case of prolonged court cases.  
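
An added example (not from the original post or from any VMS product) of the hashing described above: a SHA-256 manifest of recorded files, sealed with an HMAC whose key is assumed to be kept off the recorder, then re-checked after constructed tampering. File names, file contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # read recordings in 1 MiB blocks so large files fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _walk(root):
    """Yield (relative_name, full_path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _seal(files, key):
    # HMAC over a canonical encoding, so the manifest itself cannot be
    # rewritten by someone who can reach the video share but not the key.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    files = {rel: sha256_file(full) for rel, full in _walk(root)}
    return {"files": files, "seal": _seal(files, key)}


def verify(root, manifest, key):
    """Compare the files on disk with the manifest and check its seal."""
    current = dict(_walk(root))
    recorded = manifest["files"]
    return {
        "seal_ok": hmac.compare_digest(manifest["seal"], _seal(recorded, key)),
        "modified": sorted(r for r, d in recorded.items()
                           if r in current and sha256_file(current[r]) != d),
        "missing": sorted(set(recorded) - set(current)),
        "unexpected": sorted(set(current) - set(recorded)),
    }


def demo():
    """Run the check on constructed recordings: clean, tampered, forged."""
    key = b"constructed-demo-key"  # assumption: stored away from the NVR
    with tempfile.TemporaryDirectory() as root:
        for name in ("cam1.avi", "cam2.mkv", "cam3.g64"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(name.encode() * 1000)  # constructed stand-in for video
        manifest = build_manifest(root, key)
        clean = verify(root, manifest, key)

        # Tampering through an exposed share: edit, delete and add a file.
        with open(os.path.join(root, "cam1.avi"), "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        os.remove(os.path.join(root, "cam2.mkv"))
        with open(os.path.join(root, "extra.avi"), "wb") as f:
            f.write(b"planted")
        tampered = verify(root, manifest, key)

        # Covering the edit by rewriting the stored hash breaks the seal.
        files = dict(manifest["files"])
        files["cam1.avi"] = sha256_file(os.path.join(root, "cam1.avi"))
        forged = verify(root, {"files": files, "seal": manifest["seal"]}, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "forged"), demo()):
        print(label, report)
```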

Playback and Export (Data in Use-Threat Medium)
The current biggest threat to recorded video is internal employees posting incident video footage to social media or leaking it to the press. The need to keep recorded video secure is paramount for many reasons. Unrestricted access to recorded video can cause several different types of issues, including legal and HR incidents. 

Protection Protocol:
·         Be sure your VMS provides granular privileges concerning the export, deletion and protection of recorded video.

Streaming Video (Data in Motion-Threat Low)
While the actual threat of streaming video being intercepted and used in some way is low, the knowledge that the data from a specific IP address is video can be used against you. From the aspect of network enumeration, an attacker now knows he has non-PC target(s) that he can try to leverage.

Protection Protocol:
·         Video devices should be able to utilize HTTPS communications, with certificates. This ensures secure end-to-end communications including control channels and video payload.
·         Video devices should be equipped with a Trusted Platform Module (TPM) to securely store certificates utilized in different secure network scenarios such as 802.1X and Public Key Infrastructure (PKI).
·         Your video devices should have features that provide the ability to disable certain protocols such as ICMP, Telnet, and FTP.


Sunday, July 28, 2019

Procure BACnet System


BACnet was designed to allow communication of building automation and control systems for applications such as heating, ventilating, and air-conditioning control (HVAC), lighting control, access control, and fire detection systems and their associated equipment.
The UDP port number 47808 (in hexadecimal, X'BAC0') identifies BACnet messages and is the UDP port used by PAD devices. BACnet/IP devices use this UDP port by default but may be configured to use a different number if necessary. An open protocol should be powerful and robust, capable of meeting all future communication needs, as well as the present needs throughout all system levels. Any communication protocol which doesn't meet these criteria should be eliminated from further consideration.

BACnet's open structure and object-oriented commands enable developers to provide enhancements or features while still maintaining full interoperability for all core operations. If use of a new control feature becomes widespread and there is a need for it to be standardized among vendors, ASHRAE provides a procedure for it to be adopted as a standard BACnet object or service.
BACnet is a widely accepted, non-proprietary open protocol standard. Companies began announcing their support for BACnet even before the final draft of the standard was released. The fact that ASHRAE developed BACnet plays a significant role in this acceptance. ANSI perceived BACnet to be a significant development and adopted it as a protocol standard within months of acceptance by ASHRAE.
Components vs Systems
For many years the BACnet community has worked hard to ensure that BACnet is a global standard and that it’s implemented consistently across multiple supplier product lines.  BACnet International devotes substantial resources to the BACnet Testing Lab (BTL) and to annual device “plugfests” to support that objective.  We regularly point out that BACnet is a global consensus standard and we trumpet the value of standards.  We talk about component interoperability and in some cases even interchangeability.  All of this is good.  Users need to understand the power of standards and how specifying systems that incorporate BACnet can add value to their building automation investments.  However, by promoting BACnet as standard and then using the shortcut term “BACnet System” we invite the unschooled to mistakenly extend the concept of “standard” from the communications protocol to the system.  That seems to lead some of them to the conclusion that all “BACnet Systems” are essentially equivalent and can be procured like commodity products … even to the point of the “reverse auction” procurement process for an energy management system I recently encountered. 

Reverse Auction Procurement
Reverse auctions have been around for more than a decade.  They evolved as a “simple” way for buyers to drive down the cost of components.  The essence of reverse auctions is that suppliers bid back and forth for a well-defined piece of business on the basis of price.  Full-featured web platforms have evolved to support this purchasing model but, even so, it has its limitations.  One of the biggest limitations is that for it to be effective, the product and its associated transaction attributes (e.g. lead time, delivery date, etc.) need to be unambiguously defined in terms that can be readily measured.  And therein is the rub.  Energy management and building automation systems are complex so fully defining all of the important attributes is a huge challenge.  Leaving any important attribute undefined results in suppliers compromising on those unspecified attributes to achieve the lowest cost and win the business.  On the surface the result might look like a good deal for the buyer.  But those compromises might well come back to haunt the buyer in the long run.


Lessons Learned
It was an attempt to give people new to the BACnet community some insights based on the experience of people who have already designed and operated systems built around BACnet.  One of those “lessons learned” was that a “BACnet System” is still a system. The BACnet standard can make system integration faster, simpler and more effective but it is not a substitute for system expertise, creativity or design rigor.  Nor does BACnet provide any assurance of product quality or system effectiveness.  These come only through knowledge and experience.  So, I encouraged owner/operators to develop a partnership approach to working with suppliers who have that knowledge and experience. I saw first-hand what happens when complex systems procurement is driven from a “first cost” perspective without sufficient focus on supplier partnerships.

Benefits of BACnet Protocol

  • Single operator workstation for all systems
  • Competitive system expansion
  • Eliminates the owner's fear of being locked in with a single vendor
  • Possibility of integrating all BAC functions
  • Interoperability:
·         Data sharing
·         Alarm and event management
·         Trending
·         Scheduling
·         Remote device and network management

Summary
BACnet is a standard. All the necessary elements are in place: strong customer demand, a robust open standard and manufacturers' support of the standard. BACnet seems to provide a complete solution to interoperability issues for the building procurement team. Understanding the difference is important in establishing a procurement process that builds positive supplier relationships and generates maximum value in acquiring an energy management or building automation system. SSA Integrate can guide how to utilize this.


Wednesday, July 10, 2019

System Integration for High-rise Buildings


Integrated systems, or systems integration (SSA – Security Safety Automation), is the process of bringing together component sub-systems into one functional system. It provides a system with coherence by making the parts or components work together, or 'building or creating a whole from parts'.

A component means HVAC / VRV, Plumbing, Fire Fighting with Detection, Electrical Systems, Lifts, Elevators, Intrusion Alarm, Access Control, UPS & Lighting Automation etc. The result of integration creates a BMS. The powerful combination of open systems protocols and a scalable platform means the BMS can help support growth and expansion of the system in the future. So a Building Automation System (BAS) or Building Management System (BMS) is the automatic centralized control of a building's heating, ventilation and air conditioning, lighting and other systems through a building management system or building automation system. The objectives of building automation are improved occupant comfort, efficient operation of building systems, reduction in energy consumption and operating costs, and improved life cycle of utilities. The Building Automation System (BAS) core functionality is to keep building climate within a specified range, light rooms based on an occupancy schedule, monitor performance and device failures in all systems and provide malfunction alarms. Automation systems reduce building energy and maintenance costs compared to a non-controlled building.
Now consider a 62-floor, 268-meter tower (The 42, a residential skyscraper in Kolkata in the state of West Bengal, India) that is technically advanced, sustainable, and forward-looking, designed by architect Hafeez Contractor. Excerpts from the mechanical, electrical, plumbing (MEP), communications, security, and sustainable design specification sections for that building are provided below. For our readers, this is just an example; we cannot confirm the reality of system integration at “The 42”.

Mechanical
Chilled water:
The building’s cooling will be provided by offsite district chilled-water production plants via pipe connections from street distribution to the energy-transfer room located at the lower level.

Heating systems:

  •        Electric-resistance heating coils will be provided with each dedicated outside air handling unit, as well as each amenity and lobby air handling unit.
  •          Electric-resistance baseboard heaters will be provided along perimeter windows and walls for the ground-floor lobby and at all floors with perimeter glazing higher than 9-ft 6-in.
  •      Baseboard heaters will be interlocked with the fan-powered box serving the respective perimeter area.
  •       Electric-resistance baseboard heaters along perimeter windows and walls for ground-floor retail areas will be provided by the tenants. Baseboard heaters shall be interlocked with the respective air conditioning units provided by the tenants.
Air conditioning
  •         Four factory-packaged dedicated outside-air units will be provided in the Level 20 mechanical room to provide minimum code-required ventilation air to all of the typical office floors.
  •         Conference center and fitness area: Variable-volume factory package units will be provided in the mezzanine space above the Level 2 locker room and toilet space to serve the conference center and fitness areas.
  •         Ground-floor lobby: A variable-volume factory package unit will be provided in the basement level to serve the entrance lobby and lounge.

Duct distribution systems
Perimeter offices and interior offices will be supplied from separate variable air volume series flow-fan-powered boxes, system pressure-independent direct digital control (DDC) by the building automation system (BAS) or Building Management System (BMS), low leakage and low-pressure drop for space-temperature control. Perimeter fan-powered boxes will include electric heating coils for envelope heat.

DDC/BAS network, communication, and software
  •   The DDCs and BAS shall provide central control and monitoring of major HVAC equipment. The DDC/BAS will consist of two tiers or levels of networks.
  •    The first-tier network shall provide connectivity between all DDC network controllers (B-BC), the BAS server, and dedicated BMS operator workstations. It shall be Ethernet-based and shall serve as a backbone for all base building technology systems. A virtual local area network (VLAN) may be portioned by the owner and dedicated for BMS communications.
  •    The second-tier networks shall provide communications from each DDC network controller (B-BC) to all DDC controllers, variable-speed drives, equipment-mounted controllers, and other smart field devices.
  •    The BAS shall have custom graphical displays to monitor the operation of HVAC equipment connected to the BAS. User displays shall also include floor plans. Graphical displays shall be submitted electronically to the client and the engineer for review.
  •    Each DDC shall connect to a communication network for central monitoring, remote override, setpoint adjustment, history collection to archive, and alarm annunciation. The BAS shall be capable of generating both advisory and critical alarm-notification messages via email to the designated recipients as determined by the client. Each DDC shall monitor and control the associated HVAC unit in a stand-alone configuration, independent of any other DDC.

BMS hardware features 
All BMS network communications shall use a physical layer of Ethernet and EIA-485. Ethernet cabling will be provided by structured cabling. EIA-485/twisted pair cabling shall be provided by the DDC contractor.

Electrical Systems
Electric service
  •          Primary distribution: Service feeders, originating from separate networks, to the project via underground concrete-encased duct banks. These duct banks shall enter into a utility-owned main-line switching station and transformer vault located in the basement level.
  •          Secondary distribution: The building shall be provided with service entrance switchboard rooms and vertically aligned branch electrical closets strategically located to provide an efficient and economical distribution of wiring systems throughout the facility.
Lighting
  •          Provide lighting systems for base building lobbies; electrical, telephone, mechanical, and elevator equipment rooms; parking; service areas; corridors; stairways; toilets; storage rooms; dock area; elevator pits; supply and recirculation fan plenums; roof hatches; exit signs; etc. The lighting system shall be complete with fixtures, ballasts, drivers, lamps, branch circuits, and controls to interface with BMS and accessories.
  •          Daylighting and shade controls.
Plumbing
Domestic cold water
  •          Provide dual domestic water services connected to the water main in the street per the local water department’s requirements and route into the building’s dedicated pump room.
  •       Provide and install domestic-water service, water meters, and all associated valves on the water services as required by the City, and a branch water line with a double-detector check-valve assembly for continuation by the fire protection contractor.

Storm water system
  •         Furnish and install roof drains at all roofs along with the interior drainage system and downspouts for a complete operable storm water system.
  •          All storm/waste piping above grade level shall be connected to a gravity storm sewer. Collect all storm piping and route it to the storm detention structure, which includes an overflow. The civil engineer will continue the sewer from that point.

Fire Protection
NFPA 13 applies to high-rise buildings.
Standpipe system
  •          A standpipe system shall be provided for the new proposed high-rise building.
  •      The water supply for the combination sprinkler and standpipe riser shall be hydraulically calculated to supply a residual pressure of 65 psi at the topmost outlets, with a flow rate equal to 250 gpm plus actual sprinkler system demand, but not less than 500 gpm approx. The BMS receives its data through the flow switch.

Automatic sprinkler system
  •      A supervised automatic sprinkler system shall be installed throughout the entire premises, except in dedicated electrical transformer rooms, dedicated main-building switchboard rooms, dedicated electrical closets or rooms where voltage exceeds 600 V, base building life safety emergency generator rooms, elevator shafts, and elevator machine rooms.

Fire Detection
Most fire alarm systems on the market today have the capability to output fire alarm signals over BACnet protocols. This is accomplished via a BACnet gateway that allows the fire alarm system to output signals to third-party equipment as BACnet objects. The third-party equipment can be configured to read and react to data received from the gateway. In order to ensure life safety is not impacted by any integrated non-fire system, a listed barrier gateway, integral with or attached to each control unit or group of control units, as appropriate, must be provided to prevent the other systems from interfering with or controlling the fire alarm system.

The BACnet interface is a standalone piece of fire alarm equipment, so it is constantly online and goes offline only if it loses both primary and backup power, or if it is being serviced. Therefore, there is no downtime or signal restoration necessary when the fire alarm system is reset. If any of the fire alarm points that are being supervised by the gateway change state at any time, the BACnet gateway will automatically change the status of the BACnet objects associated with those points.

Communications
Spaces and Pathways
  •     Spaces—TEF: Two separate telecommunications entrance facilities will be located on the basement level. These are small rooms where the telecommunications service providers will transition their outside-plant cabling to indoor-rated cabling and shall bond the cable sheaths. Multiple service providers may enter the building via the same TEF. They will each be given proportioned wall space to place their splice equipment.
  •      Pathways—incoming services: conduits from the property line are specified for incoming service to each of the two TEF rooms.

Structured Cabling
Backbone
  •      Vertical fiber backbone: One 12-strand OM4 multimode fiber-optic cable will be provided from telecommunications room to every 5 floors as well as the basement.
  •        This backbone is for the building’s network and other systems the building wishes to deploy. It will allow the IP devices (BAS controllers, lighting controllers, security-access control panels, security cameras, etc.) on each group of three floors to connect to the building LAN access switch.
  •          There may be a consideration for additional single-mode fiber-optic cabling if it is required to support a distributed antenna system implementation.

Data Network
The data network provides the delivery of information services throughout the building. The data network is a single, unified physical network that comprises several independent logical networks. A wide variety of network-enabled devices use the data network utility to send and receive information. A device’s ability to communicate with other devices is governed by the security policies that are implemented throughout the data network. Designing and implementing the data network to be flexible and adaptive reduces the management and operational expense of reconfiguration once the network is installed.
The systems/devices that will use the unified data network include the following:
  •        Security (access control, video surveillance, visitor management, intercom).
  •        Building control systems (integrated automation system (IAS), BAS, lighting/shade controls, elevator controls).
  •        Audio/video (digital signage, background music, control system).
  •         Wireless.
  •        User devices (PCs, phones, printers, multifunction devices).
  •        Servers.
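
The logical-network separation described above, together with the read-only fire alarm gateway from the Fire Detection section, can be expressed as a default-deny policy check. This is an added example, not part of the original specification: zone names follow the device list, while the ports, the `write` flag and the sample flows are constructed assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str     # source logical network (zone)
    dst: str     # destination logical network (zone)
    port: int    # destination port
    write: bool  # True if the request changes state on the destination
                 # (assumed to be classified at the application layer)

# (src, dst) -> (permitted destination ports, writes permitted?)
# Any zone pair not listed here is denied.
POLICY = {
    # Authorised personnel view and control video via a web browser.
    ("user", "security"): ({443}, True),
    # BAS reads fire alarm points from the BACnet gateway (BACnet/IP, UDP 47808).
    # Writes are refused so the BAS can never control the fire alarm system.
    ("bas", "fire"): ({47808}, False),
}

def evaluate(flow: Flow) -> str:
    """Return 'allow' or a deny reason for a single flow."""
    if flow.src == flow.dst:
        return "allow"  # traffic inside one logical network
    rule = POLICY.get((flow.src, flow.dst))
    if rule is None:
        return "deny: no rule for zone pair"
    ports, writes_ok = rule
    if flow.port not in ports:
        return "deny: port not permitted"
    if flow.write and not writes_ok:
        return "deny: write not permitted"
    return "allow"

def audit(flows):
    """Return (flow, reason) for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := evaluate(f)) != "allow"]

# Constructed sample flows, e.g. taken from switch or firewall logs.
SAMPLE = [
    Flow("user", "security", 443, False),      # operator watching live video
    Flow("bas", "fire", 47808, False),         # BAS reading a fire alarm point
    Flow("bas", "fire", 47808, True),          # BAS trying to write to the fire panel
    Flow("wireless", "security", 554, False),  # guest Wi-Fi reaching a camera stream
    Flow("user", "security", 554, False),      # desktop bypassing the web interface
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(flow, "->", reason)
```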

Voice system
The main voice system will be completely Voice over Internet Protocol, with voice servers residing off-site in a hosted environment. The voice system shall have a redundant voice server with automatic failover capabilities.

Distributed antenna system
The building will deploy a DAS that will provide cellular enhancement for multiple wireless carriers over a common infrastructure. It also will allow for two-way radios used by building operations staff to utilize the same infrastructure.

Security system
General description
System purpose: The security system is designed to control authorized access and prohibit unauthorized access to private or restricted spaces and to record access events for later investigation or audit purposes. The security system will consist of card-reader access control, Boom barrier / Flap Gate, visitor management, intercom, and security camera subsystems. Duress- or panic-alarm systems and intrusion-alarm systems are not included.

Access Control System (ACS)
The purpose of the ACS is to control authorized access and prohibit unauthorized access to private or restricted spaces and to record access activity for later investigation or audit purposes. The ACS will consist of card readers, data-gathering panels, door controls/sensors, and door alarms.

Visitor Management System (VMS)
  •        The purpose of the VMS is to register and log visitors, print badges, track visitors, and provide reports.
  •        The VMS will consist of a standard PC with a camera and badge printer for lobby reception desk use and a stand-alone kiosk for visitor self-registration.
  •          The system will be able to register and log visitor information.
  •          The VMS shall issue visitor credentials (“digital credentials”) to mobile devices so that those devices can be used for access via turnstiles and at elevators, based on specific access-authorization rights per tenant.

Video Surveillance System (VSS)
The purpose of the security camera system is to augment the ACS by providing a means to remotely assess activity at access points and to record video images of activity at those locations for later investigation or audit purposes. It is not mandatory to share the same display with the BMS. The security camera system will consist of IP cameras and a network video recorder (NVR).
  •        NVRs will have a TCP/IP network interface for control and operation.
  •        All camera monitoring, playback, and control will be via standard web browser interface.
  •        Personnel with proper system authorization will be able to access live and/or recorded video from desktop PCs. Video verification, the ability to “see” what the camera “saw”, is the most valuable part in a high-rise building. It is not mandatory to install costly AI-based video analytics software.
  •        The cameras will be high-resolution color cameras. Additional camera features, such as low-light capability and wide dynamic range, will be provided with specific cameras where those features will be necessary to provide a quality image.

Smart buildings need to meet the expectations of the occupant, and technologies must work together flawlessly to provide a personalized experience. For the security integrator, the key question is how to create an integrated security framework that allows the customer to benefit from that data. To execute this, do not hold back on cost: find good services, a good OEM with quality products, and a good SI or SSA integration company.

Ref:
http://bhadrafiresafety.blogspot.com/2019/02/nfpa-13-in-high-rise-buildings.html
