IB Cyber Security Featured in Edge Magazine

Written by Tom Shircliff and Rob Murchison, Co-Founders, Intelligent Buildings, LLC

While more than 80% of all building automation systems are connected to the Internet, more than 3/4 of real estate organizations don’t have any type of building cyber security plan. With millions of connected controls systems in every real estate segment including commercial, corporate, campus, government and others it is hard to imagine that this is not the priority for all senior executives. 

 

We live in an age where cyber mischief, crime and even terrorism is in the news everyday. Overall cyber crime damage will hit $6 trillion by 2021 and ransomware alone will cost $6 billion in 2017. Notwithstanding a fair amount of ostrich behavior, real estate is not immune to these trends. However, in years past there were dismissive comments such as “what is the worst that can happen?” as they contemplated the set points being changed or lights flashing on and off. However, that does not consider the life-safety danger from elevators, indoor air, electricity and other critical aspects of safety in a building. While life safety is paramount, there are also other consequential risks including network-hopping from the building systems into the corporate network or other devices, lost occupant productivity, capital equipment damage from undetected viruses and malware and in nearly all cases there will be brand damage for the building owner, manager and occupant organizations. 

 

There is a palpable increase in concern and increased activity and sense of urgency in the boardrooms, committee hearings and manager meetings. When pondering why there is hesitation or timidity for these otherwise accomplished real estate professionals three reasons emerge:  

 

  • Tech is complex - This is not only information technology (IT) but a specialized subset of IT with cyber security. As if that were not enough, this is not even traditional IT cyber security but specifically building controls cyber security which is not what most IT experts are familiar with. It is literally a different type of technology called operational technology (OT) which utilizes different communication protocols, different equipment and different vendor types. So, the facilities staff doesn’t know IT and the IT staff doesn’t know OT so it becomes a hot potato leading to the second reason. 

 

  • Its nobody’s responsibility - Not only is this is not in the strategic or tactical domain of real estate executives. it has never been a subject that was clearly assigned to any department, budget, staff person, executive or vendor. We have seen building systems enter the digital age and nearly all now utilize computer servers, software, protocols, local networking and Internet access. That alone has created confusion about who in an organization is responsible for high tech, connected building systems between facility management and IT. Thus it has been stuck in a “no-mans land”. 

 

  • The ecosystem is fragmented -  Real estate design, construction and management is perhaps one of the most fragmented and siloed of any industry. The Architects may subcontract the controls design to engineers and the engineers may subcontract to IT network designer who all then hand off to a general contractor (GC). The GC has nothing to do with ongoing operation of the building and they then do a hard hand off to the facility managers (FM) and property managers (PM). The PM or FM would sub contract to a controls contractor who again may utilize some IT resource or just make-do themselves. There are many different and often misaligned incentives and levels of liability.  

 

Add to these headwinds the fact that historically speaking building controls technology have been a “bottom up” issue, meaning that the OEM, contractors, engineers and service companies bubble up technology advances and suggestions to owners. However, with the smart buildings movement there has been a shift to more owner driven or “top down” strategy and decision making. “Top down” is the key to addressing the risks associated with building controls cyber security. Building owners must take control of the strategy and management of critical components in building cyber security. This is a change and a new area of execution but can be broken up into 3 steps. 

 

  1. Inventory & Assessment- Because building controls system design, implementation, management and connectivity has historically been the responsibility of anyone other than the building owner (see #3 above) there is relative chaos in the inventory accuracy and current state awareness of most buildings’ cyber facts. Even the largest and most sophisticated real estate organizations are not sure what controls manufacture, version, software revision or type of Internet connection exist. It is also quite common for us as consultants to be told “while we don’t know the inventory details, we are sure that our (insert system type here - such as elevator) is not connected to the Internet - only to find it is along with several other phantom-connected systems. Thus, the first step is a comprehensive inventory and cyber risk assessment. NIST (National Institute of Science and Technology) has developed a cyber assessment framework that has been widely accepted and used across all information technology (IT) infrastructure and hence we have developed and use a NIST-based scoring framework tailored for building controls cyber security dubbed “BCS-CAMP” (Building Control Systems - Cyber Assessment Methods and Procedures). 

 

  1. Priorities & Strategy - The inventory and assessment referenced above will give a much clearer picture of your situation and allow to you develop priorities and a strategy. Priority development should give you your bearings much like a compass and hence an objective “compass exercise” based on the NIST / BCS-CAMP framework can provide direction in the foundational areas of people, buildings and technology. For strategy, you should include: roles and responsibilities, vendor policy and technology architecture. Roles and responsibilities and vendor policies should reflect that the building owner is now driving the process because its the owner that will be around through many contractor and vendor changes and is also the one with the true liabilities of life safety, financial loss and reputation damage. The technology architecture should address the basics of remote access to the building, individual system configurations and in-building networking. Remote access is simply the way that vendors or even staff connect in to the building via the Internet and often includes methods such as virtual private network (VPN), but also requires vendor policy on use of remote access and their internal methods. The system configuration is about what is inside each individual system that creates risk. In other words even if you had Fort Knox from a remote access perspective, the individual systems could have too many users, administrative permissions, old passwords and a host of other problems. Additionally, each system is connected to either a common network or multiple silo networks and hence monitoring traffic patterns inside the building can indicate unauthorized connectivity inside the building. This type of monitoring can spot or prevent unauthorized physical connections on site as well as network-hopping .

 

  1. Implantation & Management  -  After assessing, prioritizing and developing a manageable strategy its time to start fixing the problem. You are now installing an infrastructure that will stay on with the building even as systems and contractors come and go. This is not complex and is mostly “soft” things such as software and services. This will not replace traditional monitor and control systems and vendors but merely monitor equipment and work done by those traditional vendors. This will also be accompanied by a vendor cyber policy for contracts and service agreements. The final aspect of managing the plan will include the last two aspects of the NIST framework which are “respond and recover”. A proper remediation plan not only includes people, assets and action but also the more subtle issue of insurance. This is a nearly completely neglected aspect of insurance in general liability, property and casualty and cyber insurance riders. After nearly two years of research and interviewing the large carriers, aggregators and consultants in the insurance industry it has become clear that building controls cyber incidents are not spelled out and a more thoughtful process is required. Like the overall approach to building cyber security the insurance issue should be driven by and demanded by the building owner.   

This is a very “doable” three step plan that does not have to be expensive because, as mentioned, its generally soft solutions such as consulting services, site services and software that are required. There is generally no need or benefit from "rip and replace" of existing equipment and building cyber security can also become part of new design and construction standards that prevent many of the risks right up front. The hardest part of the process is identifying who in the organization has responsibility and authority to own and carry out a plan for addressing the existing risks. This is a rare topic in real estate development and management that is not a classic return on investment (ROI) financial analysis but a straight risk calculation albeit with clear financial consequences for ignoring it. 

 

While the facts speak for themselves, it has also been illuminating to see the industry chatter increasing each month as new threats, new examples and the broader cyber news stories alert owners and operators to the size and urgency of the situation. Additionally, the growing wave of effective and ever-increasing “big data” solutions such as energy fault analytics, building operations centers, unified user interfaces (UUI) and various smart controls, begs the question of how secure the building connections are and how secure the building data storage is. 

 

We should all advocate at the very least that organizations identify who owns the issue internally (not vendors) and challenge them take the first step of an inventory and assessment of all building controls cyber risks areas.  

 

© Copyright 2017 Intelligent Buildings, LLC