There is a very real life-safety danger from elevators, indoor air, electricity and other critical aspects of safety in a building, say Tom Shircliff and Rob Murchison, as they present a case for a strategic approach to addressing cyber-threats on an urgent basis.
While more than 80% of all building automation systems are connected to the Internet, more than three-fourths of real estate organisations don’t have any type of building cyber-security plan. With millions of connected controls systems in every real estate segment, including commercial, corporate, campus and government, it is hard to imagine cyber-security is not a priority for all senior executives.
We live in an age where cyber mischief, crime and even terrorism are in the news every day. Overall, cyber-crime damage will hit USD 6 trillion by 2021, and ransomware alone will cost in excess of USD 6 billion in 2018. Notwithstanding a fair amount of ostrich behaviour, real estate is not immune to these trends. However, in years past, there were dismissive comments, such as “What is the worst that can happen?” as many contemplated the set points being changed or lights flashing on and off. This perspective does not consider the very real life-safety danger from elevators, indoor air, electricity and other critical aspects of safety in a building. While life safety is paramount, there are also other consequential risks, including network-hopping from the building systems into the corporate network or other devices, lost occupant productivity, and capital equipment damage from undetected viruses and malware; and in nearly all cases, there will be brand damage for the building owner, manager and occupant organisations.
An article posted on www.engineering.com described a recent ransomware incident perpetrated on a hospital facility. The article stressed, “The hospital attack brings to light just how vulnerable buildings and institutions are to hackers.” It further noted, “… building management system (BMS) can potentially launch a cyber-attack and disable a building’s critical services.”
It’s not the fault of Smart Buildings
There have been significant changes to even the most basic building controls systems over the past 30 years. While the Smart Buildings movement is arguably 15 years old, at best, the building systems cyber-security problem started when direct digital controls (DDC) came along. Simply put, with the emergence of DDC, appliances, computer servers and local area networks are a part of building controls systems. Whether building automation, lighting controls, parking, elevators, daylight harvesting, water reclamation or dozens of other controls systems, they all work on Internet-connectable computers and networks. To many, this doesn’t sound much like news or even that complicated a situation. Unfortunately, millions – yes, millions – of them have been designed, installed and maintained by non-IT architects, engineers, contractors and facility managers. In short, the systems changed, but the vendor community did not.
Many technological advancements are dependent on innovation from leading companies, coordination from industry standards bodies, ecosystem development and even regulatory and legal changes. However, building-cyber-protection is not dependent on, or waiting for, any of these things. It’s merely a matter of building owners becoming aware and taking action.
Why is change not happening faster?
There is a palpable increase in concern and increased activity and sense of urgency in boardrooms, committee hearings and manager meetings. Why is there hesitation or timidity on the part of otherwise accomplished real estate professionals, then? Three reasons emerge:
Tech is complex: This is not only information technology (IT) but a specialised subset of IT with cyber-security. Additionally, it is not even traditional IT cyber-security but, specifically, building controls cyber-security – not what most IT experts are familiar with. It is literally a different type of technology, called operational technology (OT), which utilises different communication protocols, different equipment and different vendor types. The facilities team doesn’t know IT, and the IT staff doesn’t know OT, so it becomes a hot potato, leading to the second reason.
It’s nobody’s responsibility: This specific technology is not in the traditional strategic or tactical domain of real estate executives, and it has never been a subject that was clearly assigned to any department, budget, staff person, executive or vendor. We have seen building systems enter the digital age, and nearly all now utilise computer servers, software, protocols, local networking and Internet access; that alone has created confusion about who is responsible for high tech, connected building systems between facility management and IT. Thus, it has been stuck in a ‘no-man’s land’.
The ecosystem is fragmented: Real estate design, construction and management constitute perhaps one of the most fragmented and siloed features of any industry. Architects may subcontract the controls design to engineers, and the engineers sub-contract to an IT network designer, who then hands off to a general contractor (GC). The GC has nothing to do with ongoing operation of the building, and they then do a hard hand off to the facility managers (FM) and property managers (PM). The FM or PM would sub-contract to a controls contractor who, again, may utilise some IT resource or just make do themselves. There are many different and often misaligned incentives and levels of liability.
What should be done?
Add to these headwinds the fact that historically speaking, building controls technology has been a ‘bottom up’ issue, meaning that the OEM, contractors, engineers and service companies bubble up technological advances and suggestions to owners. However, with the Smart Buildings movement, there has been a shift to more owner driven or ‘top down’ strategy and decision making. ‘Top down’ is the key to addressing the risks associated with building controls cyber-security. Building owners must take control of the strategy and management of critical components in building cyber-security. This is a sea change and opens up a new area of execution, which can be designated into three steps:
Discovery & Assessment: Since building controls system design, implementation, management and connectivity have historically been the responsibility of anyone other than the building owner, there is relative chaos in the inventory accuracy and current state of awareness of most buildings’ cyber facts. Even the largest and most sophisticated real estate organisations are not sure what controls manufacturer, version, software revision or type of Internet connection exist. It is also quite common for us as consultants to hear, “While we don’t know the inventory details, we are sure that our (system type – for example, elevator) is not connected to the Internet”, only to find it is, along with several other phantom-connected systems. Thus, the first step is a comprehensive discovery and cyber-risk assessment. The National Institute of Science and Technology (NIST), in the United States, has developed a cyber-assessment framework that has been widely accepted and used across all information technology infrastructure, and hence, we should look at building controls cyber-security through the same lens.
Priorities & Strategy: The discovery and assessment, referenced earlier, will give a much clearer picture of cyber status and allow you to develop priorities and a strategy. Priority development should give you your bearings, much like a compass; an objective ‘compass exercise’, based on the NIST framework, can provide direction in the foundational areas of people, buildings and technology. Strategy should include roles and responsibilities, vendor policy and technology architecture. Roles and responsibilities – and vendor policies – should reflect that the building owner is now driving the process, because it’s the owner that will be around through many contractor and vendor changes and is also the one with the true liabilities of life safety, financial loss and reputation damage. The technology architecture should address the basics of remote access to the building, individual system configurations and in-building networking. Remote access is simply the way that vendors or even staff connect into the building through the Internet and often includes methods such as virtual private network (VPN), but also requires vendor policy on use of remote access and their internal methods. The system configuration is about what is inside each individual system that creates risk. In other words, even if you had Fort Knox from a remote access perspective, the individual systems could have too many users, administrative permissions, old passwords and a host of other problems. Additionally, each system is connected to either a common network or multiple silo networks; hence, monitoring traffic patterns inside the building can indicate unauthorised connectivity inside the building. This type of monitoring can spot or prevent unauthorised physical connections on site as well as network-hopping.
Implementation and management: After assessing, prioritising and developing a manageable strategy, it’s time to start fixing the problem. You are now installing an infrastructure that will stay on with the building, even as systems and contractors come and go. The process is not complex and consists mostly of ‘soft’ components, such as software and services. It will not replace traditional monitoring and control systems and vendors but will merely monitor the equipment and the work done by those traditional vendors. The phase will also be accompanied by a vendor cyber policy for contracts and service agreements. The final element of managing the plan will include the last two aspects of the NIST framework, which are ‘respond and recover’. A proper remediation plan not only includes people, assets and action but also the subtler issue of insurance. This area is a nearly completely neglected aspect of insurance in general liability, property and casualty, and cyber-insurance riders. After nearly two years of research and interviewing the large carriers, aggregators and consultants in the insurance industry, it has become clear that building controls cyber incidents are not spelt out and that a more thoughtful process is required. Like the overall approach to building cyber-security, the insurance issue should be driven by and demanded by the building owner.
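As an added illustration that is not part of the original article, the Python sketch below shows how the discovery inventory and in-building traffic monitoring described in the steps above can be combined to flag unknown devices, phantom Internet connections and network-hopping. The subnets, addresses, inventory entries and allow-list are all constructed assumptions.

```python
import ipaddress

# Constructed sample data; all addresses, names and subnets are assumptions.
OT_NET = ipaddress.ip_network("10.20.0.0/16")    # building controls network
CORP_NET = ipaddress.ip_network("10.10.0.0/16")  # corporate IT network
# Owner's inventory from discovery: ip -> (system, believed Internet-connected?)
INVENTORY = {
    "10.20.1.10": ("BAS controller", True),
    "10.20.2.15": ("elevator controller", False),
    "10.20.3.20": ("lighting gateway", False),
}
# Approved paths between the controls and corporate networks: (src, dst, port)
ALLOWED_CROSS = {("10.10.5.5", "10.20.1.10", 443)}
# Observed flows (src, dst, dst_port), e.g. exported from a switch or firewall
FLOWS = [
    ("10.20.1.10", "203.0.113.7", 443),   # BAS to vendor cloud, expected
    ("10.20.2.15", "198.51.100.9", 443),  # elevator reaching the Internet
    ("10.20.9.99", "10.20.1.10", 47808),  # device missing from the inventory
    ("10.20.3.20", "10.10.8.8", 445),     # controls host reaching into corporate
    ("10.10.5.5", "10.20.1.10", 443),     # approved workstation to BAS
]

def zone(ip):
    """Classify an address as controls network, corporate network or external."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "ot"
    if addr in CORP_NET:
        return "corp"
    return "external"

def audit(flows, inventory, allowed_cross):
    """Return (finding_type, detail) tuples for flows that contradict the inventory."""
    findings = []
    for src, dst, port in flows:
        zs, zd = zone(src), zone(dst)
        for ip, z in ((src, zs), (dst, zd)):
            if z == "ot" and ip not in inventory:
                findings.append(("unknown-device", ip))
        for ip, z, other in ((src, zs, zd), (dst, zd, zs)):
            if z == "ot" and other == "external":
                if ip in inventory and not inventory[ip][1]:
                    findings.append(("phantom-internet", ip))
        if {zs, zd} == {"ot", "corp"} and (src, dst, port) not in allowed_cross:
            findings.append(("network-hop", f"{src}->{dst}:{port}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(FLOWS, INVENTORY, ALLOWED_CROSS):
        print(kind, detail)
```
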
This very ‘doable’ three-step plan does not have to be expensive, because all that’s required is the focus on generally soft solutions, such as consulting services, site services and software. There is generally no need or benefit from ‘rip and replace’ of existing equipment – and building cyber-security can also become part of new design and construction standards that prevent many of the risks right up front. The hardest part of the process is identifying who in the organisation has responsibility and authority to own and carry out a plan for addressing the existing risks. This is a rare topic in real estate development and management that is not a classic return on investment (ROI) financial analysis, but a straight risk calculation, albeit with clear financial consequences for ignoring it.
While the facts speak for themselves, it has also been illuminating to see the industry chatter increasing each month as new threats, new examples and the broader cyber news stories alert owners and operators to the size and urgency of the situation. Additionally, the growing wave of effective and ever-increasing ‘big data’ solutions, such as energy-fault analytics, building operations centres, unified user interfaces (UUI) and various smart controls, reinforces the question of just how secure the building connections are and how secure the building data storage is.
We should all advocate at the very least, that organisations – and not vendors – identify who owns the issue internally and challenge them to take the first step of discovery and assessment of all building controls cyber risk areas.