English for Electrical Engineers

entire building for a weather emergency. It should also be easy to check the system to see what schedules are in place, what setpoints are being used, and what points are "locked." Human nature being what it is, it's all too easy to make a quick change to meet an emergency condition and then forget to undo that change later. Make certain it's easy to find and adjust key settings. One of the fundamental rules of any BAS: If it's hard to do, it won't get done.

4. Years ago, you needed a dedicated computer terminal to access a BAS. Now it's possible to access some systems from virtually anywhere using a browser, PDA, or cell phone. It's important to note, however, that "possible" doesn't mean it's free or that the interface will meet your needs. Make certain you can perform the activities you need through the interface you're buying.

5. Managing energy is fast becoming one of the most important functions of a BAS. Most systems have access to a great deal of energy data, but getting the data is only a small part of the challenge. Summarizing data in a concise, easy-to-understand manner and providing meaningful comparisons is critical. It's also important to be able to measure how effectively the energy is being used. In other words, is the energy you're using providing a healthful, comfortable, and productive indoor environment? We learned in the '70s that it was easy to save energy if you turned off lights and air-conditioning, and let people sweat in the dark. We also learned that this strategy wasted far more money in lost productivity than it saved in energy, destroyed morale, and simply didn't work in the long run. Look for a BAS that makes it easy to see, at a glance, how well the system performs and how much energy it uses.

www.buildings.com/article-details/articleid/5591/title/building-automation-systems-what-to-look-for.aspx

After you read

Choose the correct question for the paragraphs:

Does it meet the needs of your facilities staff?

Is it easy to use?

What is a building automation system about?

Can you access the system from where you need it?

Can you manage your energy program effectively?

As you read

Choose key words which can help you to describe the Building Automation Systems.

Before you read text 20

Explain the following statement:

Automated management systems help competitive companies streamline their business systems.

Text 20. WHAT ARE THE ADVANTAGES

OF AN AUTOMATED MANAGEMENT SYSTEM?

Automated software can eradicate many tedious and time-consuming business tasks, making business management more effective. Advantages of an appropriately selected and correctly used automated management system include control over processes, clearer visibility of operations, supply chain streamlining, and more efficient information storage and recall. Such systems also can help a business increase efficiency, keep staff accountable, increase customer service, and bring greater value to the business.

The dashboard viewing capabilities of most automated systems can help management quickly obtain a clear picture of operations by allowing instant access to quality management information, personnel updates and informational statistics. Superior business results often come from a complex understanding of performance and business strengths, and increased visibility can lead to better control over processes. Visibility software can also stream actual video feed over plant management or manufacturing floors at all times, making it accessible from any location.

Often in competitive industries knowledge is power, and access to information databases and libraries can help provide this power. Management information systems provide immediate access to historical and real-time data to help increase effective management. Programs are composed of hardware and automated software and have the capacity to compare data from all necessary departments. They usually are designed to archive, backup, and manage all files and documents as well.

Internal processes such as inventory management, product planning and customer service can often be more easily managed by Automated Enterprise Resource Planning (ERP) software. Through radio frequency identification (RFID) and other tracking and identification technologies, ERP programs handle supply chain interactions, such as invoicing, order tracking, and interacting with suppliers. For example, when inventory reaches a predetermined level, ERP systems send reorder forms to suppliers. Internet purchasing and delivery sites often use an ERP system, as response time must be rapid and orders often are individualized.

Automated management systems can help reduce redundancy by quickly and accurately completing tasks that would take a human much longer and likely result in more errors. An example of this is the outsourcing of human resource departments. Human resources management software automates payroll calculation and issuance, logs employee updates and benefits status as well as sends out notices. Automated management systems cut time, employees and human error out of processes that once took more people and time to complete.

Staff accountability also can be increased by automated management systems that are programmed to assign and track the completion of worker responsibilities. This can be done in the form of quotas, communication logs, and task reviews. Information logs require employees to document their leads, creating evaluation opportunities based on qualitative data. These programs can help encourage employee growth and keep employees aware of their tasks, accomplishments and productivity.

Customer satisfaction can be enhanced by automated relationship management systems as well. All client communication and information is stored digitally, becoming available from multiple locations. This helps to ensure speedy dispute resolutions and creates opportunities to capitalize on additional sales. Letters, fax, e-mail, SMS and other forms of communication distribute automatically through automated software. Customized mass communication through automated resource management systems can be designed to reflect information tailored to a customer’s historical purchasing trends or interests.

Benefits of automated management systems can lead to increased business value, which often leads to increased profitability. To enhance the likelihood of this, the automated system and business software must be used efficiently. The use of the system must provide more value than the high costs of purchasing, implementing and training employees.

http://www.wisegeek.com/what-are-the-advantages-of-an-automated-management-system.htm

As you read

Find the sentences which contain the modal verbs and translate them.

Paraphrase the sentences highlighted in the text.

Write down verbs which are used to describe the Automated management system.


Before you read text 21

Find as many word combinations and phrases with the word “Risk” as possible.

Suggest your own idea about risk in information management.

Text 21. INFORMATION RISK MANAGEMENT:

RISK HUNTING

Risk is addressed in a generic context within control frameworks and compliance requirements, most of which refer to a need for risk assessment. This article provides practical techniques to seek out and identify residual risk within an organization.

1. Adherence to standards alone amounts to security at arm’s length. Effective risk management is personal, intimate. It requires a thorough understanding of the people, processes and technology within your environment.

Embed Risk Professionals within business units to ensure appropriate controls are in place. Ask to be invited to staff and project meetings. Send threat landscape advisories with details of compromises to help establish and maintain a risk culture. Conduct briefings to teach employees how to identify risk on their own. Provide advice tailored to business processes, such as restricting employee access to one customer record at a time and monitoring logs for suspicious activity.

Listen closely when participating in a project meeting. Review process and technology diagrams in a quiet environment, without multi-tasking. Consider what could go wrong. Chaos Theory tells us that systems are predictable, then appear to become random [i]. Identify opportunities for errors or other failures. Consider opportunities to access sensitive data for profit. Make recommendations for preventive or detective controls such as quality assurance or layered controls to prevent compromise.

Provide prompt risk transparency when an Issue is discovered. Document the Issue. Determine if there is an existing process that should resolve it. If not, identify who is accountable for remediation. Get the right people to the table. Establish a plan with action items, timelines and named parties. Document risk exposures within security issue records or risk registry entries. Use established remediation processes as an efficiency play.

Conduct root cause analysis after an incident occurs. Consider how it happened and what can be done to prevent reoccurrence. Determine if this issue is likely to exist elsewhere in the company.

2. Risk scenarios are a method to consider how real world outages and compromises could impact your organization. A scenario may be identified through analysis, by experienced intuition or by an event in the media. Start by taking an inventory of the business products, services and strategic objectives. Obtain an organization chart and meet with leaders to understand the processes they have responsibility for. Discuss your role and provide a list of initial risk scenarios.

Website down

Office down

Security incident

Data breach

Insider threat

Privacy breach

Fraud

 

3. Ask leaders for their feedback and if they have scenarios to add. That amounts to known risk or exposure. Next, ask if there are risks they suspect from their knowledge of the environment and experience. Suspected risk may go unreported by those who are data-focused or are concerned about their credibility. Flesh out the list of scenarios as you gain a better understanding of the processes, technology and the people that support them.


Expand on the list by identifying scenarios that result in that high-level risk. For example, a data breach can occur through production data stored in a test environment. Consider scenarios where adherence to standards is resource intensive and difficult to audit. Privacy issues can result in business impact. Be sure to account for that as well.

Denial-of-service attack

Data center outage

Human error

Social engineering and phishing

Malicious USB flash drives, bar codes, DVDs

Process failure (e.g. Target data breach)

Direct access to data (outside of applications)

Domain or SSL certificate registration expires

Malware spread through advertisements

System or application missed by assessment or scan

Legitimate traffic causes performance degradation or outage

Technical change results in a service outage

Physical security breach

Privacy and terms of use statements

Failure to adhere to the Do Not Call List

Failure to adhere to Opt-In / Opt-Out

Violation of privacy laws and regulations

Natural disaster

Malicious insider threat

Data exfiltration

Compromise through a supplier

Copies of data (e.g. in test environments)

Shadow IT (rogue suppliers)

Newly adopted technology

Project does not receive an assessment or scan

Data cannot be restored from backup

Personnel with access to sensitive data

Exploitation of a security vulnerability

4. Prioritize scenarios by potential business impact and likelihood. Evaluate each scenario against the control environment. Risk Scenarios should be 'known unknowns', meaning they have a reasonable likelihood of having business impact. The scenarios within this article are examples. They may not apply to your organization and are not all inclusive.

Monitor many sources of information to account for emerging threats and compromise trends. RSS feeds are an efficient way to tap into information from many websites. Review industry reports and surveys such as the Verizon Data Breach Investigations Report and the US State of Cybercrime Survey. The SANS Top 20 Critical Security Controls has a list of Attack Types in the Appendix. The ISACA Risk IT Framework has utility as well.

Attend information security conferences and local chapter meetings. Have reoccurring calls with information security leaders in your industry and from companies of similar sizes.

5. Learn to think like a hacker. Consider their tactics for compromising data. A paper from Lockheed Martin describes the Kill Chain as “a systematic process to target and engage an adversary to create desired effects”. Use the kill chain phases to identify controls to prevent or detect compromise in your company.

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Installation

6. Command and Control (C2)

7. Actions on Objectives

6. An Application Risk Profile provides context. It gives executives the information they need to assign resources and reduce the risk of an application. Start by considering exposure such as whether the application is Internet facing or supplier hosted. Identify data that is stored, processed or transmitted by the application. Determine business impact if data was stolen, edited to commit fraud or if the application was unavailable. Take into account protective controls such as hardened application code, assessments and scans and Web Application Firewalls. Consider known vulnerabilities within security issue records and risk registry entries. These elements can be used to establish a risk score. The score can be used to prioritize applications by risk and to assign additional controls.
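The paragraph above lists the inputs of an Application Risk Profile (exposure, data handled, business impact, protective controls, known open vulnerabilities) but leaves the scoring itself open. The following is an added example, not the article's own method: it turns those inputs into a score and ranks a small constructed inventory of applications. The point values, the control credits and the three sample applications are assumptions chosen for illustration, not taken from the article or any standard.

```python
"""Application Risk Profile scoring (added example, not the article's method).

Inherent score = exposure + most sensitive data class + worst business impact.
Protective controls in place reduce the inherent score (never below zero);
each known, still-open vulnerability adds points back. Higher score = higher
priority for resources and additional controls."""

from dataclasses import dataclass

# Assumed point values (hypothetical weights, chosen for illustration only).
EXPOSURE_POINTS = {"internet_facing": 3, "supplier_hosted": 2}
DATA_POINTS = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
IMPACT_POINTS = {"low": 1, "medium": 2, "high": 3}
CONTROL_CREDIT = {"hardened_code": 1, "assessed_and_scanned": 1, "waf": 1}
OPEN_ISSUE_POINTS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class AppProfile:
    name: str
    internet_facing: bool
    supplier_hosted: bool
    data_classes: tuple          # classes of data stored, processed or transmitted
    impact_if_stolen: str        # confidentiality loss
    impact_if_altered: str       # data edited to commit fraud
    impact_if_unavailable: str   # application down
    controls: tuple = ()         # protective controls actually in place
    open_issues: tuple = ()      # severities of known, unremediated vulnerabilities


def inherent_score(app):
    """Exposure + most sensitive data class + worst-case business impact."""
    exposure = 0
    if app.internet_facing:
        exposure += EXPOSURE_POINTS["internet_facing"]
    if app.supplier_hosted:
        exposure += EXPOSURE_POINTS["supplier_hosted"]
    # The most sensitive data class and the worst impact drive the rating;
    # an unknown class or impact label raises KeyError rather than scoring 0.
    data = max(DATA_POINTS[c] for c in app.data_classes)
    impact = max(IMPACT_POINTS[i] for i in
                 (app.impact_if_stolen, app.impact_if_altered, app.impact_if_unavailable))
    return exposure + data + impact


def risk_score(app):
    """Inherent score reduced by controls in place (floored at zero), then
    raised by each known vulnerability that is still open."""
    credit = sum(CONTROL_CREDIT[c] for c in app.controls)
    open_issues = sum(OPEN_ISSUE_POINTS[s] for s in app.open_issues)
    return max(inherent_score(app) - credit, 0) + open_issues


def prioritize(apps):
    """Applications ordered from highest to lowest risk score (name breaks ties)."""
    return sorted(apps, key=lambda a: (-risk_score(a), a.name))


# Constructed sample inventory (not real systems).
SAMPLE_APPS = [
    AppProfile("customer portal", True, False, ("regulated", "confidential"),
               "high", "high", "medium",
               controls=("hardened_code", "waf"), open_issues=("medium",)),
    AppProfile("hr saas", True, True, ("regulated",),
               "high", "medium", "low",
               controls=("assessed_and_scanned",)),
    AppProfile("intranet wiki", False, False, ("internal",),
               "low", "low", "low", open_issues=("low",)),
]

if __name__ == "__main__":
    for app in prioritize(SAMPLE_APPS):
        print(f"{risk_score(app):3d}  {app.name}")
```

The supplier-hosted HR application outranks the in-house portal here because its exposure is higher and it has only one control credited against it, even though the portal has an open issue; that is the kind of comparison the score is meant to make visible to executives.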

7. People have a tendency to document processes based on business-as-usual. There will be errors and failures in practice. Data may not be adequately protected. Processes must account for that with preventive and detective controls. Establish control points at critical process steps. Use Failure Modes and Effects Analysis to evaluate process issues by Severity, Rate of Occurrence and Detection. The product of those three values is the Risk Priority Number.

8. Conduct verification on your own where possible. Request support from personnel from there. Explain the risk scenario and potential business impact. Be mindful of impact to productivity. Make requests that clearly follow the risk. Be wary of assurances that existing processes or technology mitigate the risk. The expression "Trust, but verify" applies. Obtain evidence that controls are in place.

Each of these methodologies has a cost and a return. Start simple with interviews. Branch out as you establish credibility. Establish a Multi-Generational Plan to chart the path forward. Recognize people for identifying risk. Track the results and value add of your program.

Reliance on frameworks and standards alone will not protect your organization. True due diligence requires risk assessment. Business leaders think in terms of risk. You have that on your side.

http://www.gideonrasmussen.com/article-31.html

As you read

Give titles to the paragraphs (1–8); some of the paragraphs do not have a title. Titles: Kill Chain Analysis, Process Risk Analysis, Trust, but Verify, Application Risk Profiles and Scores, Risk Scenarios, Embedded Techniques.

Make a list of the steps which must be taken to prevent the risk or to minimize it.

Before you read text 22

Make a list of the cyber-crimes which people can face.

Text 22. CYBER SECURITY RISK:

THE THREAT LANDSCAPE IS CHANGING

Malicious actors and the techniques they employ have continued to evolve over the past few years. The term Advanced Persistent Threat has been coined to address adversaries with the will and resources to inflict harm. Industry is preoccupied with whether or not cyber war is a credible threat.

I. Business Perspective

Business executives are concerned with the impact information security has on the bottom line. Cost is an obvious issue and productivity impact should be minimal. Executives are focused on risk management, versus security for compliance reasons. When considering a business case for a security initiative, an executive is likely to ask “What is the risk?”.

II. Risk Triangle

Business Risk

Risk comes in many forms. At a high-level, risk is the likelihood a threat will take advantage of a vulnerability, resulting in business impact. Risk mitigation consists of minimizing those essential elements through application of countermeasures or controls.

Consider business impact in the event a threat materializes and exploits a vulnerability. Within the banking industry, the Comptroller of the Currency defines risk in categories:


Operational Risk: Operational risk is the risk to current or anticipated earnings or capital arising from inadequate or failed internal processes or systems, the misconduct or errors of people, and adverse external events.

Reputation Risk: Reputation risk is the risk to current or anticipated earnings, capital, or franchise/enterprise value arising from negative public opinion.

Strategic Risk: Strategic risk is the current and prospective risk to earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.

Compliance Risk: Compliance risk is the risk arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, client agreements and other contractual arrangements, or ethical standards.

III. Malicious Actors

One of the basic techniques of threat management is estimating who your adversaries are. Consider their capabilities and tactics.

Hostile nation states: China is the leading country in this category. The Chinese are known for compromising intellectual property to keep their economy growing. China has been tied to Operation Aurora where dozens of organizations were targeted. Reuters recently released a report describing the threat posed by China. “Many firms whose business revolves around intellectual property -- tech firms, defense group companies, even Formula One teams -- complain that their systems are now under constant attack to extract proprietary information.” China increased its international patent filings in 2010 by 56.2 percent, triple its 2006 figure. Congress recently banned scientific collaboration with China, citing high espionage risks.

Organized crime: Organized crime is known for compromising payment card numbers to commit fraud and generate profit. Criminal enterprises reinvest in their operations to compromise hardened targets. Card data is becoming a commodity, with a drop in street value accordingly. Theft of intellectual property is a growing trend. Competitors may use cyber mercenaries to steal trade secrets.

Insiders: Insider threat goes beyond disgruntled employees. Authorized personnel may be willing to sell company secrets for profit such as the software developer that stole proprietary code used in Goldman Sach's high-speed trading platform. Insiders can also be tricked into disclosing sensitive information through social engineering.

Whistle-Blowing Sites: WikiLeaks.org and similar websites pose a threat in the event sensitive or embarrassing data is compromised. WikiLeaks is known for publishing submissions of private, secret, and classified media from anonymous sources. They also disclose data without regard to the related impact, such as classified U.S. government documents.

Hacktivists: Hacktivists are motivated by religious or political beliefs. They are unpredictable and will inflict harm without regard for profit. Anonymous is the most famous hacktivist group. They are known for supporting WikiLeaks by launching distributed denial-of-service attacks against Amazon, PayPal, MasterCard and Visa. Most recently, they attacked the U.S. Chamber of Commerce for supporting the Protect IP Act. LulzSec is an up-and-coming group which made headlines this year by hacking into PBS, Sony and InfraGard.

Hostile nation states and organized crime can be categorized as Advanced Persistent Threats. Hacktivists and whistle-blowers can be categorized as Idealists. The combined threat of the two categories is sobering.

IV. Layered Program Controls

It is necessary to implement a risk-based information security program to address threats and protect the interests of the company. Start by investing in an experienced information security leader. Provide the resources necessary to protect sensitive data and ensure availability of critical business processes and services. Use layered program controls to address risk and conserve on costs.


Implement an Information Security Framework

The goals of information security are to ensure the confidentiality, integrity and availability of information. Frameworks are foundational and address controls at a mid-level. Leverage industry security standards such as ISO 27001 and COBIT. Consider this step one.

Consider Laws, Regulations and Contractual Obligations

Compliance requirements address controls at a more prescriptive level. Their deficiency lies in the bias or best interests of the governing body. For example, PCI is focused on the security of payment card data, with no regard for business continuity. SOX and HIPAA are focused on financial and health data, respectively.

Be mindful of the cost associated with compliance. Consider compliance risk when a given requirement does not make sense from an operational risk perspective. Compensating controls may be a viable alternative.

Establish a Risk Management Program

Adhering to frameworks and biased compliance requirements will not adequately protect against a determined adversary. Use risk management practices to identify, prioritize and mitigate threats that could have negative business impact.

Identify Risk Appetite

Meet with senior leaders to document the company’s risk appetite. Ensure it is communicated to all personnel. NIST SP 800-60 provides a methodology to rate each type of information with impact ratings based on confidentiality, integrity and availability. Once the impact is identified, risk-based controls can be applied wherever that data is present. The ISACA Risk IT Framework provides guidance on how to establish risk appetite. Involving senior management at this early stage of the program gives them a sense of ownership and can be helpful in obtaining their active support and resources.
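The paragraph above refers to the NIST SP 800-60 approach of rating each type of information for confidentiality, integrity and availability and then applying controls wherever that data is present. The following added example, which is not part of the article, shows the step that follows the per-type ratings: a system that handles several information types takes the highest rating per objective (the "high water mark" rule of FIPS 199, which SP 800-60 builds on), and its overall category is the highest of the three. The information types, their ratings and the two sample systems are constructed for illustration and are not taken from SP 800-60.

```python
"""High-water-mark impact rating for a system from the information types it
handles (added example; sample information types are constructed, not from
NIST SP 800-60)."""

from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(info_types):
    """Per-objective high water mark over every information type the system
    stores, processes or transmits. Rejects an empty list or an unknown level."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    result = {}
    for objective in OBJECTIVES:
        ratings = [getattr(t, objective) for t in info_types]
        for rating in ratings:
            if rating not in RANK:
                raise ValueError(f"unknown impact level {rating!r} for {objective}")
        result[objective] = max(ratings, key=RANK.__getitem__)
    return result


def overall_category(info_types):
    """Overall system impact: the highest of the three objective ratings."""
    return max(high_water_mark(info_types).values(), key=RANK.__getitem__)


def security_category(system_name, info_types):
    """Render the result in the FIPS 199 notation SC = {(objective, level), ...}."""
    hwm = high_water_mark(info_types)
    pairs = ", ".join(f"({objective}, {hwm[objective]})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample information types (illustrative ratings, not SP 800-60's).
MARKETING_CONTENT = InfoType("public marketing content", "LOW", "LOW", "MODERATE")
ACCOUNT_RECORDS = InfoType("customer account records", "HIGH", "MODERATE", "LOW")
ORDER_PROCESSING = InfoType("order processing", "MODERATE", "MODERATE", "HIGH")

# Two constructed systems: a customer portal handling all three types, and a
# brochure site that only serves marketing content.
CUSTOMER_PORTAL = [MARKETING_CONTENT, ACCOUNT_RECORDS, ORDER_PROCESSING]
BROCHURE_SITE = [MARKETING_CONTENT]

if __name__ == "__main__":
    for name, types in (("customer portal", CUSTOMER_PORTAL),
                        ("brochure site", BROCHURE_SITE)):
        print(security_category(name, types), "-> overall", overall_category(types))
```

The portal inherits HIGH confidentiality from the account records and HIGH availability from order processing even though no single information type is HIGH in both, which is exactly why the rating has to be done per objective before the overall category is taken.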

Identify Threats and Vulnerabilities

Compromise can occur through people, process and technology. Adversaries use technical, physical and social engineering techniques to compromise data. Subscribe to numerous security news and alert sources to identify threats and vulnerabilities. At a minimum, review US-CERT advisories, the SANS @RISK Consensus Security Alert, the DHS Daily Cyber Report and vendor security alerts. Join the U.S. Secret Service Electronic Crimes Task Force and FBI InfraGard. ECTF and InfraGard are free and provide threat and vulnerability advisories. Aggregate data into trends, such as a new hacking technique used by organized crime. Consider the impact of emerging technology such as IPv6 and quantum computing. Review lists of vulnerabilities and common exploit techniques such as the SANS Top 20 and OWASP Top 10.

Risk Assessment

Conduct a risk assessment to identify which controls are needed to protect the company as a whole. Take into account known adversaries, their capabilities and compromise trends. Be mindful of the cost of each control, especially when applied throughout the enterprise. Random application of controls wastes resources and does not necessarily mitigate risk.

Have a focus on the data itself; where it is stored, processed and transmitted. Information protection controls are necessary to protect data the company depends upon for revenue. Examples include payment card numbers, customer or client information and intellectual property such as trade secrets.

Risk Assessment Methodologies

The PCI Data Security Standard[xi] describes risk assessment as “an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”.

Failure Modes and Effects Analysis (FMEA) can be used to conduct a risk assessment based upon a data flow diagram. At each system or component, consider how security controls may fail or are not present. For each failure mode, determine the severity, rate of occurrence and likelihood of detection. Those three criteria form a Risk Priority Number, which can be used to evaluate the need for control implementation. For more information on how to use FMEA to conduct a risk assessment, refer to my Payment Card Security: Risk & Control Assessments article.

Application of Controls

Significant, varied threats to business objectives require a sophisticated response. Layer preventive, corrective and detective controls as the potential for business impact increases. For example, application security techniques include secure coding practices, code reviews, automated code scans, application vulnerability scans and penetration testing. Apply all five techniques to protect high risk applications. NIST SP 800-53 provides baselines broken into high, medium and low control appendixes as an example.

Be sure to include people and process when implementing controls. Configurations must be kept current as the IT environment changes. Alerts must be monitored to be effective.

In the Gravest Extreme

When charged with protecting something extremely valuable like the secret recipe for Coke or pipeline drug formulas, conduct multiple risk assessments and implement controls as necessary. If business impact would be severe, employ extreme countermeasures such as two-person integrity or an air gap between systems and the Internet. Leave virtually no attack surface for adversaries to exploit. Defense-in-depth controls are the best way to defend against an Advanced Persistent Threat.

V. Conclusion

Now more than ever, security is a business imperative. Layered program controls are risk-based and focus expenses where the data is. That meets the needs of business leaders and security professionals. Consider the risk to your organization and take appropriate measures to mitigate it.

After you read

Summarize the article in 5–7 sentences.


Before you read text 23

Do we need fully controlled systems?

What should be controlled and automated?

Text 23. UNDERSTANDING BUILDING AUTOMATION

AND CONTROL SYSTEMS

Building Automation Systems (BAS) are centralized, interlinked, networks of hardware and software, which monitor and control the environment in commercial, industrial, and institutional facilities. While managing various building systems, the automation system ensures the operational performance of the facility as well as the comfort and safety of building occupants.

Typically, such control systems are installed in new buildings or as part of a renovation where they replace an outdated control system.

You may hear any of the following terms to describe the control or automation of buildings:

Building Automation and Control Systems (BACS), Building Control System (BCS), and/or Building Management System (BMS)—same as “Building Automation System” or the subject of this page.

Controls—This term is appropriate in describing discrete devices that control particular pieces of equipment or processes.

Direct Digital Control (DDC)—describes the communication method used in modern devices (hardware and software). Collectively, DDC products control various building systems and form the automation system.

Energy Management System (EMS)—generally understood to be the same as a “Building Automation System” but may have special emphasis on energy metering/monitoring

Energy Management and Control System—well, you’re getting the idea.

Smart (Intelligent) Building—a building equipped with a data-rich BAS.

Generally, building automation begins with control of mechanical, electrical, and plumbing (MEP) systems. For instance, the heating, ventilation, and air-conditioning (HVAC) system is almost always controlled, including control of its various pieces of equipment.

Other systems that are often controlled and/or brought under a complete automation system include: power monitoring, security, closed-circuit video (CCTV), card and keypad access, fire alarm system, elevators/escalators, plumbing and water monitoring.

Types of Building Automation and Control Systems

Early control systems were pneumatic or air-based and were generally restricted to controlling various aspects of the HVAC system. Common pneumatic devices include controllers, sensors, actuators, valves, positioners, and regulators. Due to their large base of installation throughout the 1960s and 1970s, pneumatic control systems are still in place in a majority of existing buildings, especially in established metropolitan areas.

Analog electronic control devices became popular throughout the 1980s. They provided faster response and higher precision than pneumatics.

However, it was not until digital control or DDC devices came on the scene in the 1990s that a true automation system was possible. As there were no established standards for this digital communication, various manufacturers created their own (proprietary) communication methods.

The automation system was fully functional but was not “interoperable” or capable of mixing products from various manufacturers. Thus, a given building or portfolio could be “locked” into a specific manufacturer. This is not necessarily a problem unless the relationship with the associated service provider is challenging.


By the late 1990s and especially into the 2000s, movements were afoot to standardize on “open” communication systems. The American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) developed the BACnet communication protocol that eventually became the industry open standard.

Most of the automation system is behind the scenes as hardware devices mounted to equipment or hidden underfloor or in the ceiling. Some personalized control can be made available through thermostat-like devices. From a central management perspective, the BAS resides as software on an operator workstation (computer) or is available as a web page.

Various types of “controllers” manage equipment and portions of the network. “Sensors” provide input data to the controllers.

A properly trained in-house staff can manage the operation and, sometimes, the maintenance of the BAS. However, system design and initial installation are almost always accomplished by controls professionals such as dedicated controls contractors or system integrators. In practice, the controls contractor is a sub-contractor to the mechanical contractor. Sometimes, the mechanical contractor will have a dedicated controls division. Electrical contractors with controls teams are also common, and multi-functional system integrators are becoming more common for today’s complex facilities.

These controls professionals can provide on-going service or train your in-house staff to self-perform service.

The automation system can also offer you an incredible amount of data related to building performance, and with this data in hand, you can make more intelligent decisions.

And, if you are building green, be aware that an automation system can contribute greatly to your ability to earn such recognition as the EPA ENERGY STAR or the LEED certification associated with the U.S. Green Building Council (USGBC).

When the subject is intelligent buildings, you know that things don’t stand still. Here are a few trends influencing building automation:

Wireless technology is beginning to replace traditionally wired BAS infrastructure. Thus far, however, the wireless technology is limited to sensor-type devices and suffers from issues including a lack of clear wireless standard, short battery life, and communication challenges through various types of building structures and materials.

Enterprise-level initiatives are making the communication protocol of the BAS less important.

While it is quite common to replace a pneumatic control system with a direct digital control (DDC) system, pneumatic-to-DDC bridging strategies also exist.

More controls are coming to the construction site factory pre-mounted to equipment. Hardware and software continue to be augmented by energy-related visuals.

There has been tremendous consolidation among BAS manufacturers, leaving relatively few independent players (such as KMC Controls).

http://www.kmccontrols.com/products/Understanding_Building_Automation_and_Control_Systems.aspx

After you read

Make a list of words and word combinations which can be used while describing the BAS.

As you read

Answer the questions:

1. What terms are related to the BAS?

2. What type of control system is described as the earliest one?

3. Which years are mentioned and what are they famous for?

4. What does the BAS look like and what is today’s trend of the system?
