Just a few years ago, many of you couldn’t imagine we’d be talking about a cybersecurity strategy for your commercial building. Even the largest players in the consulting space have now realized the challenges in commercial properties. In fact, the Deloitte 2020 commercial real estate outlook included a survey of 750 owners/operators, developers, brokers, and investors to gain a sense of where the industry is headed. To the question “Which of the following do you perceive to be the biggest data security risk facing your properties?”, the survey participants identified unauthorized access to data through building systems, such as HVAC and WiFi, as their top area of concern. Yet fewer than half of those surveyed had developed in-house cyber resilience and response management capabilities. Compounding the challenge, IoT technology for smart buildings is expected to grow from an existing 1.7 billion connected devices at the end of 2020 to over 3 billion by 2025. With ransomware and other cyber-attacks on networks and systems on the rise, it is even more important to specifically address smart building systems, like building management systems (BMS), within the framework of an enterprise cybersecurity strategy.
Smart Building benefits – and the risks they pose
Smart Building IoT technologies and cloud-connected BMSs are becoming a boon for facilities personnel by offering analytics and other services that can push beyond the limits of traditional automation approaches. They can draw on their massive pools of data to create benchmarks and other performance metrics unique to a specific building or campus and provide ongoing analysis of how well those targets are being met. Commercial building owners and managers are adopting these systems in growing numbers, driven by greater interest in sustainability, energy efficiency, resilience, and occupant health and safety.
But, as the adoption of smart building technologies increases, so does the need for a defined approach toward cybersecurity. Without such a strategy, both facilities operations and any connected networks could face significant risks. Consider just a few possibilities:
- A lone actor happens upon an open lighting-control wireless network and decides to launch a distributed denial of service attack against a former employer.
- A cybercriminal group uses email phishing or other social engineering tactics to hack into a digital control system to gain physical access to a facility’s otherwise protected areas.
- A BMS network that is not properly segmented from a company’s business operations allows undetected access to corporate intellectual property, customer data, or other vital trade information.
Any of these instances could lead to lost revenues, health and safety risks, and potential damage to building equipment and systems.
Five steps to a successful cybersecurity strategy
Comprehensive and active management of operational risks requires a pragmatic, effective strategy for managing cybersecurity risk mitigation in commercial buildings. Risks need to be characterized and quantified. And a governance structure, along with processes and technologies, should be put in place to protect people’s assets and shareholder value. In my new white paper, I outline five essential attributes of a risk management strategy to ensure today’s smart buildings remain cyber-secure. These elements include:
- Organizational governance. Effective cyber-risk management starts with executive-level awareness and commitments. This includes the development of a cybersecurity vision that ties into that of the larger organization, along with an outline of goals and metrics to bring that vision into reality.
- Robust cybersecurity frameworks and standards. Existing, documented frameworks and standards have established best practices and principles that can aid the development of a cyber-security strategy. These can act as guides to ensure important security aspects are not overlooked.
- Accurate information gathering. Putting a strategy into place requires a full understanding of potential threats and critical building assets that could be at risk if a BMS is compromised.
- Appropriate implementation of protective technologies. A systematic approach is required to identify and put into place solutions that address specific stages of a cyber threat event, including protection, detection, response, and recovery. A standardized template can help managers identify necessary technologies related specifically to smart building control systems.
- Adaptive incident response plans. Any comprehensive strategy needs to address what happens if elements of the plan fail to prevent a successful security breach.
New cyber threats are arising regularly, and the deployment of growing numbers of internet-of-things devices makes smart building systems increasingly vulnerable to such attacks. However, organizations that take a comprehensive and active approach to managing their risks will be the most capable of meeting potential challenges now and into the future.
Download our white paper, “Five Attributes of an Effective Risk Management Strategy for Smart Building Cybersecurity,” for a deeper exploration of the steps your building’s team can take to mitigate today’s evolving cyber threats, and visit our commercial real estate website for more information on our smart buildings solutions.