Cybersecurity for buildings, and more specifically for building control systems such as HVAC, elevators, lighting, parking and access control, is perhaps the most misunderstood segment in all of cybersecurity. That may be because the root of the problem can’t be fixed by the things we all first think of for traditional cybersecurity, namely firewalls, gateways, VPNs and a host of other IT elements. These traditional IT elements all belong to the “outside-in” approach, which is about building a nice, tidy moat around the organization to keep hackers out. But this requires some homogeneity across the organization so that it can comply with the policies that accompany those traditional IT elements.
The building controls environment is anything but homogeneous, and two words describe the root of the problem, being not only prevalent but dominant characteristics: fragmentation and turnover. We all know that any given building can have as few as half a dozen systems and as many as a couple of dozen, with nearly as many separate contractors. While some contractors act as system integrators and manage multiple systems, there are limits: the parking contractor won’t manage the HVAC and the lighting contractor won’t manage the elevator system. Hence the fragmentation. If you multiply the number of different contractors by the total number of buildings in your portfolio, you quickly get into dozens or even hundreds of different contractors. Only one thing could make this worse: turnover. With maintenance contract bidding, contractor employee changes, facility staff rotation, and property management handoffs, turnover is a given.
As a result of the fragmentation and turnover, building owners would not only be challenged to implement an umbrella solution on top of this environment, but usually don’t even have accurate records of what systems are actually in their buildings, who is currently managing them and, importantly, how all of those systems are configured and remotely accessed. This is a very large blind spot and operational risk that can’t be fixed by a “moat,” because a moat doesn’t account for rogue networks, on-site access to systems, technical dysfunction, out-of-date software, ransomware, backups, and many other contractor-related risk areas.
In addition to the fragmentation and turnover, the conditions for the blind spot started 40 years ago, when all control systems started being manufactured as digital systems that were networked, complex and remotely accessible. But from the beginning these digital systems were designed, installed and maintained by non-IT organizations, including architects, engineers, contractors, facility managers, and property managers. So the industry has millions of these complex, digital, networked systems with no consistent policy or standards for designing, configuring and maintaining them. A policy that is consistent, required, and monitored is the foundation of the remediation phase outlined below.
So now what? The good news is it’s not yet time for gear, algorithms, Ph.D.s and IT complexities but rather a very understandable 3-phase process.
1. INVENTORY & AUDIT PHASE:
Dealing with the blind spot simply requires an inventory of what systems are in the buildings, who is responsible for them and how they have been configured for operations and remote access. This can be done with both physical and virtual efforts, including site walks and contractor audits. The results should also feed a baseline assessment of the overall risk environment, viewed in a common and accepted way such as the NIST Cybersecurity Framework. While it is “simple” and understandable, it’s certainly not easy, and it should be done with a purpose-built tool and process for a few good reasons. First, the aforementioned fragmentation of systems and turnover of contractors is complicated further by the number of system setup variables, such as passwords, users, software revisions, and backups. Second, you want to measure the findings of the inventory and audit against your policy. Finally, you want to do this on an ongoing basis, in a monitoring mode.
2. REMEDIATION PHASE:
In the remediation phase, you can move quickly on the low-hanging fruit, which is mostly policy development and enforcement. Having established the audit process and tools with your contractors during phase one, you can now finalize policy and regularly measure policy compliance, which will address all risk areas including remote access methods. There are, however, more budget-related steps during remediation, including backup (policy, tools, and location) to create a restoration plan that survives contractor turnover. Additionally, a more consistent, robust remote access solution or “moat” can be implemented as a remediation step. The remote access solution depends largely on the customer profile and IT capabilities, or lack thereof. In many cases, real estate environments do not have access to a large IT department, so the remote access solution should be somewhat simplified, affordable and in some cases bundled into a managed service. In all cases the solution must be informed by the OT environment and the cultural realities of the building and facilities environment.
3. MONITORING & MANAGEMENT (M&M) PHASE:
This phase requires a programmatic and systematic approach to maintaining policy compliance, through a robust internal structure, a multi-faceted managed service, or both. The portfolio must have unyielding standards for system configurations, backup and remote access, irrespective of the type of system or contractor. A clear dashboard of issues by region, building, system or contractor is necessary for identifying risks and for continuous improvement. As the portfolio and the industry mature, all building systems and their networks will become part of normal IT process, controls reporting and audits, and the M&M phase should anticipate this near-future reporting requirement.
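As an added example (not code from the article or any vendor), here is a minimal version of the three-phase loop in Python: an inventory record per system capturing the setup variables the article names (contractor, remote access method, backup, credentials), an audit of each record against a written policy, and a dashboard that totals open findings by building, system or contractor. The policy values, building names, contractors and inventory records are all constructed for the illustration.

```python
from collections import defaultdict  # added example, not the article's code

# Constructed policy: the "consistent, required, and monitored" baseline.
POLICY = {
    "allowed_remote_access": {"vpn", "none"},  # anything else fails the audit
    "max_backup_age_days": 30,
    "require_unique_credentials": True,        # no shared or default logins
}

# Constructed sample inventory: one small portfolio, several contractors.
INVENTORY = [
    {"building": "HQ", "system": "HVAC", "contractor": "Acme Mechanical",
     "remote_access": "vpn", "backup_age_days": 12, "shared_credentials": False},
    {"building": "HQ", "system": "Elevator", "contractor": "Lift Co",
     "remote_access": "port_forward", "backup_age_days": 200, "shared_credentials": True},
    {"building": "Plaza", "system": "Parking", "contractor": "ParkIt",
     "remote_access": "cellular_modem", "backup_age_days": None, "shared_credentials": False},
]

def audit_record(rec, policy=POLICY):
    """Return the list of policy findings for one system record (empty = compliant)."""
    findings = []
    if rec["remote_access"] not in policy["allowed_remote_access"]:
        findings.append(f"remote access via {rec['remote_access']} not approved")
    age = rec["backup_age_days"]
    if age is None or age > policy["max_backup_age_days"]:
        findings.append("no current backup")  # None means no backup on record
    if policy["require_unique_credentials"] and rec["shared_credentials"]:
        findings.append("shared or default credentials")
    return findings

def audit_inventory(inventory, policy=POLICY):
    """Audit every record; key by (building, system, contractor) for reporting."""
    return {(r["building"], r["system"], r["contractor"]): audit_record(r, policy)
            for r in inventory}

def dashboard(results, key):
    """Total open findings grouped by 'building', 'system' or 'contractor'."""
    idx = {"building": 0, "system": 1, "contractor": 2}[key]
    counts = defaultdict(int)
    for k, findings in results.items():
        counts[k[idx]] += len(findings)
    return dict(counts)

if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for k, f in results.items():
        print(k, "compliant" if not f else "; ".join(f))
    print("by contractor:", dashboard(results, "contractor"))
```

Re-running the audit on each refreshed inventory is the monitoring mode: a contractor change or a lapsed backup shows up as a new finding rather than a silent gap.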
Rather than building owners attempting an “outside-in,” IT-only approach on top of the quicksand of fragmented systems and contractors, dealing first and directly with the contractors and systems is the most prudent approach. This “inside-out” approach allows building owners to take action quickly, with inventory and audits, in a fairly non-technical and doable way that eliminates the blind spot. It is also the foundation for a new type of recordkeeping, policy management and business continuity that survives contractor, staff and property management turnover.