Written by Tom Shircliff and Rob Murchison, Co-Founders, Intelligent Buildings, LLC

While more than 80% of all building automation systems are connected to the Internet, more than 3/4 of real estate organizations don’t have any type of building cyber security plan. With millions of connected controls systems in every real estate segment including commercial, corporate, campus, government and others it is hard to imagine that this is not the priority for all senior executives.

We live in an age where cyber mischief, crime and even terrorism is in the news everyday. Overall cyber crime damage will hit $6 trillion by 2021 and ransomware alone will cost $6 billion in 2017. Notwithstanding a fair amount of ostrich behavior, real estate is not immune to these trends. However, in years past there were dismissive comments such as “what is the worst that can happen?” as they contemplated the set points being changed or lights flashing on and off. However, that does not consider the life-safety danger from elevators, indoor air, electricity and other critical aspects of safety in a building. While life safety is paramount, there are also other consequential risks including network-hopping from the building systems into the corporate network or other devices, lost occupant productivity, capital equipment damage from undetected viruses and malware and in nearly all cases there will be brand damage for the building owner, manager and occupant organizations.

Add to these headwinds the fact that historically speaking building controls technology have been a “bottom up” issue, meaning that the OEM, contractors, engineers and service companies bubble up technology advances and suggestions to owners. However, with the smart buildings movement there has been a shift to more owner driven or “top down” strategy and decision making. “Top down” is the key to addressing the risks associated with building controls cyber security. Building owners must take control of the strategy and management of critical components in building cyber security. This is a change and a new area of execution but can be broken up into 3 steps.

 

This is a very “doable” three step plan that does not have to be expensive because, as mentioned, its generally soft solutions such as consulting services, site services and software that are required. There is generally no need or benefit from “rip and replace” of existing equipment and building cyber security can also become part of new design and construction standards that prevent many of the risks right up front. The hardest part of the process is identifying who in the organization has responsibility and authority to own and carry out a plan for addressing the existing risks. This is a rare topic in real estate development and management that is not a classic return on investment (ROI) financial analysis but a straight risk calculation albeit with clear financial consequences for ignoring it.

While the facts speak for themselves, it has also been illuminating to see the industry chatter increasing each month as new threats, new examples and the broader cyber news stories alert owners and operators to the size and urgency of the situation. Additionally, the growing wave of effective and ever-increasing “big data” solutions such as energy fault analytics, building operations centers, unified user interfaces (UUI) and various smart controls, begs the question of how secure the building connections are and how secure the building data storage is.

We should all advocate at the very least that organizations identify who owns the issue internally (not vendors) and challenge them take the first step of an inventory and assessment of all building controls cyber risks areas.

© Copyright 2017 Intelligent Buildings, LLC