I love the sound of breaking glass
Deep into the night
I love the work on it can do
Oh a change of mind
Oh change of mind, sound of breaking glass
All around, sound of breaking glass
Nothing new, sound of breaking glass
Nick Lowe
Security in the built world is most critical at precisely those times when the demands for performance and interaction are greatest. Buildings may lose their communications with the outside world when partially destroyed. The power grid may require ad hoc reconfiguration when its communication lines are down.
The built world traditionally has found security in isolation. Building control systems are isolated in a mechanical room and not connected to the internet. Fire system annunciators are often limited to one-way communications. Access is often all or nothing, with many systems secured only by the default account and password from the manufacturer.
If a system is all or nothing, then it has little need for nuanced identity management. In traditional building monitoring systems, pretty graphics sell the system, but operators look primarily at tables of values. Without service definitions, the systems rely on operator knowledge to put the pieces together. Without service definitions, monolithic security is the only choice.
Considering the requirements of using building systems for situation awareness during emergency response can lead to the wrong conclusions. The mind leaps to all-out conflagration, wherein all security should be cast aside to allow the fire department unfettered access. Yet emergency response also includes the arrest of the lurker on the third floor, the minor spill of chemicals in the manufacturing wing, and the ambulance responding to the heart attack in the secured executive suite. In many scenarios, the responder will be granted limited access, for limited times, to only a portion of the available sensors and surveillance cameras.
Power systems have different requirements for emergency security. The intelligent grid will both support and require reconfiguration more readily than it does today. Distributed generation raises the real possibility that both sides of a downed power line are hot, increasing safety risks during emergency repairs. Improper interactions with downstream systems can incur liability for damage to equipment that is not owned by the utility and not professionally monitored.
Infrastructure emergencies often coincide with reduced communications. Reduced communications can disable federated identity management, or even single-provider, single-password checking. Many systems handle this problem with forward caching: storing user accounts and identity tokens (passwords, biometrics, and the like) at the access point. For example, a campus access control system might forward cache the keys of all residents of a dorm, enabling the door to make mostly correct decisions even when disconnected.
Forward caching fails at precisely those times when the emergency is greatest. During the night with four fires, the fire department from the next county responds to the building. After the great ice storm, line crews from three states away are restoring the substation. During the worst fire, the battery in the incident commander’s PDA fails, and he switches to an unregistered device. The tightest, best security fails when you need it most.
Medical systems define what is called a “Break Glass” incident. Break Glass might rely on a standard account and password, one that might never change. Using the Break Glass password alerts the system to log every action taken in full. Break Glass incidents also trigger an audit alert. Post-incident audit might require, for example, an explanation of the event, as well as an administrative review of all changes made to the system.
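As an added illustration (not part of the original post), here is a sketch in Python of a door controller that falls back to its forward cache while disconnected and to a break-glass credential for an unregistered responder. Every name, secret, resource and the one-hour break-glass window is a constructed assumption, not taken from any real system.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data (not from any real system). Secrets are hashed with
# SHA-256 only to keep the example short; a real deployment would use a
# password hash such as argon2 or bcrypt.
def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

# Forward cache: credential hashes pushed to the door controller while the
# link to the identity provider was still up.
FORWARD_CACHE = {"resident-42": _h("dorm-pass")}

# Break-glass credential: a standing secret that grants a limited scope for a
# limited time, with full logging and an audit alert on every use.
BREAK_GLASS = {"hash": _h("break-glass-2024"),
               "scope": {"door-main", "cam-lobby"}, "ttl": 3600}

@dataclass
class AccessPoint:
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def authenticate(self, user: str, secret: str, now: float):
        # Normal path: a forward-cached credential works while disconnected.
        cached = FORWARD_CACHE.get(user)
        if cached and hmac.compare_digest(cached, _h(secret)):
            return {"user": user, "break_glass": False}
        # Unknown responder (the next county's fire crew): break-glass path.
        if hmac.compare_digest(BREAK_GLASS["hash"], _h(secret)):
            self.audit_log.append((now, user, "BREAK_GLASS_OPEN", None, True))
            self.alerts.append(("audit-review-required", user, now))
            return {"user": user, "break_glass": True,
                    "scope": BREAK_GLASS["scope"],
                    "expires": now + BREAK_GLASS["ttl"]}
        return None

    def act(self, session, resource: str, action: str, now: float) -> bool:
        if session is None:
            return False
        if not session["break_glass"]:
            return True
        # Break-glass session: scope- and time-limited, every attempt logged.
        allowed = resource in session["scope"] and now < session["expires"]
        self.audit_log.append((now, session["user"], action, resource, allowed))
        return allowed
```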
I think both building systems and energy systems, including SCADA for transmission and distribution, can make use of the practice of Breaking Glass.