Building Controls Cybersecurity — How to Eat the Elephant
While more than 80% of all building automation systems are connected to the Internet, more than 3/4 of real estate organizations don’t have any building cybersecurity plan. With millions of connected controls systems in every real estate segment, including commercial, corporate, campus, government, and others, it’s hard to imagine that cybersecurity is not a priority for all senior executives.
We live in an age where cyber mischief, crime, and even terrorism are in the news every day. Overall cyber-crime damage will hit $6 trillion by 2021, and ransomware alone cost $6 billion in 2017. Notwithstanding a fair amount of ostrich behavior, real estate is not immune to these trends. Executives should consider the life-safety danger from elevators, indoor air, electricity, and other critical aspects of safety in a building. While life safety is paramount, there are also other consequential risks, including network-hopping from the building systems into the corporate network or other devices, lost occupant productivity, and capital equipment damage from undetected viruses and malware. Also, in nearly all cases, there will be brand damage for the building owner, manager, and occupant organizations.
There are three main reasons for the slow pace of change in building cybersecurity:
- Technology is complex – Building controls cybersecurity is a specialized subset of information technology (IT) security. Unlike traditional IT cybersecurity, it is specifically focused on building controls, and most IT experts are unfamiliar with it. It is a separate type of technology called operational technology (OT) that uses different communication protocols, equipment, and vendor types. So the facilities staff doesn’t know IT, and the IT staff doesn’t know OT, and it becomes a hot potato, leading to the second reason.
- It’s nobody’s responsibility – Not only is this not in the strategic or tactical domain of real estate executives, but it also has never been a subject clearly assigned to any department, budget, staff person, executive, or vendor. Building systems have entered the digital age, and nearly all of them now utilize computer servers, software, protocols, local networking, and Internet access. That alone has created confusion between facility management and IT about who in an organization is responsible for high-tech, connected building systems. Thus it has been stuck in a “no man’s land.”
- The ecosystem is fragmented – Real estate design, construction, and management is perhaps one of the most fragmented and siloed of any industry. The architects may subcontract the controls design to engineers, and the engineers may subcontract to an IT network designer, who then hands off to a general contractor (GC). The GC has nothing to do with the ongoing operation of the building, so they do a hard handoff to the facility managers (FM) and property managers (PM). The PM or FM then subcontracts to a controls contractor, who again may utilize some IT resource or just make do themselves. There are many different and often misaligned incentives and levels of liability.
Add to these headwinds the fact that, historically speaking, building controls technology has been a “bottom-up” issue. However, with the Smart Buildings movement, there has been a shift to more owner-driven, or “top-down,” strategy and decision making. This is a change and a new area of execution, but owner-executives can break it up into three steps:
- Inventory & Assessment – Because building controls system design, implementation, management, and connectivity have historically been the responsibility of anyone other than the building owner (see #3 above), there is relative chaos in the inventory accuracy and current-state awareness of most buildings’ cyber facts. Even the largest and most sophisticated real estate organizations are not sure what controls manufacturer, version, software revision, or type of Internet connection exist in their facilities.
- Priorities & Strategy – The inventory and assessment referenced above will give a much clearer picture of your situation and allow you to develop priorities and strategy. This should be done in a formalized way to address internal accountability, resources, and roadmaps.
- Implementation & Management – After assessing, prioritizing, and developing a manageable strategy, it’s time to start fixing the problem. The initial fixes are mostly “soft” things, such as software and services. A proper remediation plan includes not only people, assets, and action, but also the subtler issue of insurance.
There is generally no need for or benefit from a “rip and replace” of existing equipment, and building cybersecurity can also become part of new design and construction standards that prevent many of the risks right up front. The hardest part of the process is identifying who in the organization has the responsibility and authority to own and carry out a plan for addressing the existing risks. This is a rare topic in real estate development and management that is not a classic return on investment (ROI) financial analysis, but rather a straight risk calculation, albeit with clear financial consequences for ignoring it.
We should all advocate, at the very least, that organizations identify who owns the issue internally (not vendors) and challenge them to take the first step of an inventory and assessment of all building controls cyber risk areas.
Written by Tom Shircliff and Rob Murchison, Co-Founders, Intelligent Buildings, LLC
© Copyright 2018 Intelligent Buildings, LLC