Building Controls Cybersecurity — How to Eat the Elephant
While more than 80% of all building automation systems are connected to the Internet, more than 3/4 of real estate organizations don’t have any type of building cybersecurity plan. With millions of connected controls systems in every real estate segment including commercial, corporate, campus, government, and others it is hard to imagine that this is not the priority for all senior executives.
We live in an age where cyber mischief, crime, and even terrorism is in the news every day. Overall cyber-crime damage will hit $6 trillion by 2021 and ransomware alone cost $6 billion in 2017. Notwithstanding a fair amount of ostrich behavior, real estate is not immune to these trends. Executives should consider the life-safety danger from elevators, indoor air, electricity and other critical aspects of safety in a building. While life safety is paramount, there are also other consequential risks including network-hopping from the building systems into the corporate network or other devices, lost occupant productivity, capital equipment damage from undetected viruses and malware and in nearly all cases there will be brand damage for the building owner, manager and occupant organizations.
There are three main reasons for the slow pace of change in building cybersecurity.
• Tech is complex - This is not only information technology (IT) but a specialized subset of IT: cybersecurity. As if that were not enough, it is not even traditional IT cybersecurity but specifically building controls cybersecurity, which is not what most IT experts are familiar with. It is literally a different type of technology, called operational technology (OT), which utilizes different communication protocols, different equipment, and different vendor types. So the facilities staff doesn’t know IT and the IT staff doesn’t know OT, and the problem becomes a hot potato, leading to the second reason.
• It’s nobody’s responsibility - Not only is this not in the strategic or tactical domain of real estate executives, it has never been a subject that was clearly assigned to any department, budget, staff person, executive or vendor. We have seen building systems enter the digital age, and nearly all now utilize computer servers, software, protocols, local networking, and Internet access. That alone has created confusion between facility management and IT about who in an organization is responsible for high-tech, connected building systems. Thus it has been stuck in a “no-man’s land”.
• The ecosystem is fragmented - Real estate design, construction, and management is perhaps one of the most fragmented and siloed of any industry. The architects may subcontract the controls design to engineers, and the engineers may subcontract to an IT network designer, who all then hand off to a general contractor (GC). The GC has nothing to do with the ongoing operation of the building and does a hard handoff to the facility managers (FM) and property managers (PM). The PM or FM would subcontract to a controls contractor, who again may utilize some IT resource or just make do themselves. There are many different and often misaligned incentives and levels of liability.
Add to these headwinds the fact that, historically speaking, building controls technology has been a “bottom-up” issue. However, with the smart buildings movement there has been a shift to more owner-driven or “top-down” strategy and decision making. This is a change and a new area of execution, but owner-executives can break it up into 3 steps:
1. Inventory & Assessment - Because building controls system design, implementation, management, and connectivity have historically been the responsibility of anyone other than the building owner (see #3 above), there is relative chaos in the inventory accuracy and current-state awareness of most buildings’ cyber facts. Even the largest and most sophisticated real estate organizations are not sure what controls manufacturer, version, software revision or type of Internet connection exist in their facility.
2. Priorities & Strategy — The inventory and assessment referenced above will give a much clearer picture of your situation and allow you to develop priorities and a strategy. This should be done in a formalized way to address internal accountability, resources, and roadmap.
3. Implementation & Management — After assessing, prioritizing and developing a manageable strategy, it’s time to start fixing the problem. The initial fixes are mostly “soft” things such as software and services. A proper remediation plan not only includes people, assets and action but also the more subtle issue of insurance.
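As an added example (not from the authors or Intelligent Buildings, LLC), the following script shows how the inventory fields named in step 1 (manufacturer, version, software revision, Internet connection type) can be captured per controls system and turned into the priority ranking of step 2: unknown fields are reported as assessment gaps, and exposure plus life-safety weight drive the order of remediation. The sample inventory, field names and score weights are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ControlsAsset:
    """One building controls system as recorded during the inventory step.
    None means the fact is unknown and still needs to be collected."""
    building: str
    system: str                          # e.g. "elevator", "HVAC BAS", "lighting"
    manufacturer: Optional[str]
    version: Optional[str]               # equipment/controller model version
    software_revision: Optional[str]     # firmware or server software revision
    internet_connection: Optional[str]   # "none", "vendor modem", "corporate network"
    life_safety: bool = False            # elevators, indoor air, electrical, etc.

INVENTORY_FIELDS = ("manufacturer", "version", "software_revision", "internet_connection")

def assessment_gaps(asset: ControlsAsset) -> list:
    """Fields the inventory could not establish; each is an open action item."""
    return [f for f in INVENTORY_FIELDS if getattr(asset, f) is None]

def risk_score(asset: ControlsAsset) -> int:
    """Constructed weighting: exposure to the Internet, the chance of hopping into
    the corporate network, unknown software state, and life-safety impact."""
    score = 0
    conn = asset.internet_connection
    if conn is None:
        score += 3        # exposure unknown, so it cannot be ruled out
    elif conn == "corporate network":
        score += 4        # compromise could pivot into the business network
    elif conn != "none":
        score += 3        # reachable from the Internet through a vendor path
    if asset.software_revision is None:
        score += 2        # cannot tell whether known flaws are patched
    if asset.life_safety:
        score += 3
    return score

def prioritize(assets: list) -> list:
    """Step 2 ordering: highest risk first, ties broken by building name."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.building))

# Constructed sample inventory for three systems in one building.
SAMPLE = [
    ControlsAsset("HQ", "HVAC BAS", "VendorA", "v4", "4.2", "corporate network"),
    ControlsAsset("HQ", "elevator", "VendorB", "E200", None, "vendor modem", life_safety=True),
    ControlsAsset("HQ", "lighting", None, "L1", None, None),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(f"{risk_score(a):>2}  {a.system:<10} gaps={assessment_gaps(a)}")
```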
There is generally no need for or benefit from “rip and replace” of existing equipment, and building cybersecurity can also become part of new design and construction standards that prevent many of the risks right up front. The hardest part of the process is identifying who in the organization has the responsibility and authority to own and carry out a plan for addressing the existing risks. This is a rare topic in real estate development and management that is not a classic return on investment (ROI) financial analysis but a straight risk calculation, albeit with clear financial consequences for ignoring it.
We should all advocate, at the very least, that organizations identify who owns the issue internally (not vendors) and challenge them to take the first step of an inventory and assessment of all building controls cyber risk areas.
Written by Tom Shircliff and Rob Murchison, Co-Founders, Intelligent Buildings, LLC
© Copyright 2018 Intelligent Buildings, LLC