Building Cybersecurity Risks are not Smart Buildings’ fault  

By Intelligent Buildings

There have been significant changes to even the most basic building controls systems for past 30 years! While the smart building’s movement is arguably 15 years old at best, the building systems cybersecurity problem started when direct digital controls (DDC) came along.

Simply put, with the emergence of DDC:  appliance, computer servers, and local area networks are a part of building controls systems. Whether, building automation, lighting controls, parking, elevators, daylight harvesting, water reclamation or dozens of other controls systems, they all work on Internet-connectable computers and networks.

To many, this doesn’t sound much like news or even that complicated of a situation. Unfortunately, millions (yes millions) of them have been designed, installed and maintained by non-IT architects, engineers, contractors and facility managers. In short, the systems changed, but the vendor community did not.  So what? What does it matter and what are the risks?  It matters because statistically speaking the overwhelming majority of those “Internet-connectable” systems have – NO -  cybersecurity provisions and often NO-ONE is specifically in charge of cybersecurity for building controls systems, contractually or otherwise.

As to the risks, there are several key categories:Life SafetyEquipment failure Brand damageProductivity loss Network hopping Real estate owners must take the “bull by the horns” and not wait or depend on all contractors to self-police themselves. Vendors may come and go, but this is an organizational risk issue that demands a consistent, long-term approach. It starts with an assessment focused specific risk areas, an objective rating, and a clear “score.”

Then the building owner needs to prioritize, remediate and continuously monitor.  Many technological advancements are dependent on innovation from leading companies, coordination from industry standards bodies, ecosystem development and even regulatory and legal changes.  However, building cyber protection is not dependent on or waiting for any of these things. It’s merely a matter of building owners becoming aware and taking action.