Is your maintenance a security liability or strategic asset?
Ask someone who has spent time in an R&D facility what security in that environment looks like, and their description will most likely focus on the places where they had the most direct interaction: entry and exit points, with uniformed personnel, scanners, and the like. Or perhaps they knew the staff who monitored their working area. What they probably won’t mention is anything about the site’s technicians, energy engineers, and countless others who ensure the smooth performance of the R&D center.
What if we were to think outside of these familiar boundaries, expanding the scope of “security” to include maintenance teams and technicians as well as electrical and utility rooms and all the other technical assets and equipment that make a site function? What are the implications for a security strategy from this wider perspective?
This is precisely the viewpoint that security planners in R&D should adopt because the work of maintenance departments has a tremendous impact on core security concerns. In any R&D facility, the maintenance plan and standardized protocols (or lack thereof) will directly impact access control, site functionality and the overall reliability of systems.
Managing maintenance operations in a methodical, secure and digitalized way can cement your compound’s security. Conversely, sites with misaligned maintenance and security planning will be exposed to an unnecessarily high risk of IP theft and cyberattacks. Therefore, maintenance planning and execution must be considered a vital aspect of security strategy, and it demands a high degree of coordination and alignment.
Three principles for the alignment of security and maintenance
Through our extensive experience managing high-security and high-risk facilities in Asia and worldwide (R&D centers, several embassies and diplomatic compounds), we have identified three core principles for aligning security and maintenance that have guided our strategy, while also informing the development of Aden Group’s digital twin platform for the built environment, Akila.
1. Be asset-centric and proactive – reactivity is a risk multiplier.
The fundamental goal of maintenance is to make assets perform as well as possible, for as long as possible. In ordinary environments, failure to achieve this brings primarily financial pain. In R&D facilities, where the work undertaken is highly strategic and desirable to other parties, the consequences of breakdowns and extended downtime are even worse, because every technical issue becomes a potential security issue.
For this reason, maintenance of complex, high-security sites should be as scheduled and forward-looking as possible, while also leveraging sensors and AIoT to enable predictive maintenance of critical assets such as HVAC, electricity rooms and water systems.
This asset-centric approach means that maintenance teams can organize their work responsively, in relationship to the real condition and performance of your R&D center’s equipment. As a data-driven approach, it also opens opportunities to apply AI and simulation technologies to performance history, creating much more precise forecasts about optimal levels of maintenance and the best type and timing of service to each asset.
Corrective maintenance (responding to unforeseen problems) may never be entirely avoidable, but every effort should be made to ensure that it is the exception rather than the rule. The risks that come from a heavily reactive approach can manifest themselves at many levels:
- The physical integrity of the structure: defects such as faulty gates, leaks, etc.
- Disruption to systems: for example, if a backup diesel generator fails to start in the event of a power outage, continued operations may be negatively affected, and the site’s CCTV and smart cam systems may be compromised.
- More outside access with less comprehensive vetting: Unforeseen problems can necessitate support vendors accessing the premises at relatively short notice. At a minimum, this will increase the administrative burden, but it can also open the door to targeting by bad actors.
So, how do sites achieve the necessary level of asset-centricity? It is not something that can be improvised. A comprehensive maintenance plan is needed, as well as the technical infrastructure to support it.
2. Don’t let your maintenance plan become a vulnerability – control your information ecosystem.
So, you have set up your maintenance plan – congratulations! But this is not the end of your security needs. The maintenance plan must be made secure, as must all communications between technicians, facility management and outside support. This is because – if intercepted – the maintenance plan and operational communications are a major liability. In the wrong hands, your site’s maintenance plan can:
- Be exploited by people with the intention of trespassing.
- Signal when critical systems are weakened, giving critical intelligence to bad actors.
The more unstructured your maintenance team’s operational communications are, the more points of access are vulnerable to interception by bad actors.
One thing is sure: technicians will record and share information. Have they been given the infrastructure to carry out this important communication in a secure manner? Without a secure and centralized platform, technical staff will use the free tools readily available on their phones: SMS, photos, email, attachments, voice messages and video.
To mitigate this, a number of steps can be taken. The core principle, however, must be to establish a secure single source of truth for all relevant information, with careful controls over who can access which information, and when they can access it. These are our core criteria, as built into the Akila platform:
- All technical maintenance must be secured in a cyber-secure system. This includes not only strong centralized elements but also the ability to manage cybersecurity on mobile phones.
- The system should be comprehensive enough that you can reasonably ask technical staff to exclusively use that system to manage their operational work while forbidding the use of other (unsecured) communication channels.
A final point to note is that centralizing this information also makes it far easier to share with security staff, allowing more opportunities to prevent incursions by people intent on IP theft.
3. Build your system for execution control and compliance – beware of “weak digitalization”
Our last principle is about ensuring that what is written into the maintenance plan is executed. If a discrepancy is detected, notifications are swift and the center can investigate as needed.
On this point, it is worth stepping back and asking why we digitalize in the first place, rather than continuing with paper-based reporting. Fundamentally, digitalization is about taking large volumes of operational information and making it:
- Permanent – not subject to physical decay or misplacement.
- Transparent – easily accessed by those with the appropriate clearance, and not hidden in a file cabinet.
- Systemic and responsive – continuously updating, with the collection of data integrated into the process of daily operational work.
But, beware – digitalization can either be deep and transformative or it can be superficial (“weak digitalization”).
What does weak digitalization look like? The main characteristic is that some digital infrastructure has been put in place, but it has quickly become a “junk box” of unstructured information. The most common problem in weak digitalization is that technicians and stakeholders can report information, but the feedback is left too open, with no direct matchup between tasks in the maintenance plan and the resulting operational notes, photos, and screenshots. This results in a lack of execution control for team leaders and site managers – no easy way to validate to what extent or how well the plan is being carried out. And, therefore, little improvement over traditional paper-based systems.
By contrast, where digitalization is highly structured and has direct links from planning to execution, the benefits to asset performance are enormous, enabling far stronger alignment between maintenance and security. For site managers, information can be viewed at either the granular level (task by task and unit by unit) or holistically (compiled into high-level and dashboard views). From the perspective of operational efficiency, the following three metrics are vital:
- Planned duration vs. actual duration: e.g. “This task was scheduled to take 30 minutes, but it took 60. Why?”
- Planned date vs. actual date: e.g. “This inspection was supposed to happen on Thursday, but it took place on Friday. Why?”
- Planned resource vs. actual resource: e.g. “We assigned Jeremy to this task, but it was completed by Luke. Why?”
Note that the examples above are framed negatively, but a system may also provide positive surprises and opportunities to reward high performers and proactive staff. Whether by carrot or stick, digitalization must provide your site with a systematic and clear view of what is really happening from planning to execution.
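The three plan-versus-execution metrics, together with the “junk box” problem of reports that match no planned task, can be checked mechanically once every report carries a task reference. The Python example below is an added illustration, not code from the Akila platform; the record fields, the 25% duration tolerance and the sample data are assumptions constructed for it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Planned:
    task_id: str
    due: date
    minutes: int
    technician: str

@dataclass(frozen=True)
class Report:
    task_id: Optional[str]  # None = free-form note not linked to the plan
    done: date
    minutes: int
    technician: str

def reconcile(plan, reports, today, tolerance=1.25):
    """Return (task_id, finding) pairs for every plan/execution mismatch."""
    by_id = {p.task_id: p for p in plan}
    findings, seen = [], set()
    for r in reports:
        p = by_id.get(r.task_id)
        if p is None:  # the "junk box": feedback with no planned task behind it
            findings.append((r.task_id, "orphan report: no matching planned task"))
            continue
        seen.add(p.task_id)
        if r.minutes > p.minutes * tolerance:
            findings.append((p.task_id, f"duration {r.minutes} min vs planned {p.minutes}"))
        if r.done != p.due:
            findings.append((p.task_id, f"date {r.done} vs planned {p.due}"))
        if r.technician != p.technician:
            findings.append((p.task_id, f"resource {r.technician} vs planned {p.technician}"))
    for p in plan:  # planned work that is past due and has no report at all
        if p.task_id not in seen and p.due < today:
            findings.append((p.task_id, "overdue: no execution report"))
    return findings

# Constructed sample data (hypothetical task ids, dates and names)
PLAN = [
    Planned("T-001", date(2024, 3, 7), 30, "Jeremy"),  # due on a Thursday
    Planned("T-002", date(2024, 3, 7), 45, "Luke"),
    Planned("T-003", date(2024, 3, 6), 60, "Jeremy"),
]
REPORTS = [
    Report("T-001", date(2024, 3, 8), 60, "Luke"),  # late, long, reassigned
    Report("T-002", date(2024, 3, 7), 40, "Luke"),  # executed as planned
    Report(None, date(2024, 3, 7), 15, "Luke"),     # unlinked note
]
```

Calling `reconcile(PLAN, REPORTS, today=date(2024, 3, 9))` yields the list a site manager or security lead would review: three deviations on T-001, one orphan report and one overdue task.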
A cycle of improvement
Every plan, even the best, needs space for adaptation based on real-time developments and new insights. You will need to adjust your risk register and operational routines periodically to ensure optimum performance. While “sticking to the plan” is important, so is learning from the process of operations, the data you have collected, and proposals from your technicians on the ground.
This is not a one-time project, but an ongoing process built on transparency, collaboration and silo-breaking. As the maintenance plan evolves, it will be necessary to coordinate closely with the security team. The success of this process will depend on transparency, cross-team alignment and a focus on the best outcomes for all parties managing your center. Thus, we need to reframe our thinking regarding operational teams and their role in maintaining security. Next time you see technicians at work, think of them not only as the people who make the machinery work but also as strategic allies and partners ensuring the security and performance of your R&D center.