The year 2019 produced important game changers that help Facilities Managers wage war against cyber attacks on Building Systems. Prior to 2019, Facilities stood on the sideline, hoping the IT department would protect their systems, which did not happen (and may never happen) for reasons explained below. With cybersecurity increasing the stakes for Facilities, these five game changers enable Facilities Managers to control their own destiny. Here is my list of 2019 game changers for Facilities and Cybersecurity:
1. A Clearer Understanding of Building Systems and Cybersecurity. Approximately 60% of successful cyber attacks on U.S. public companies found their initial point of entry through building systems, as reported by The Harvard Business Review. The top 3 points of entry for successful cyber attacks perpetrated by nation states on 1,400 publicly traded U.S. companies were: VoIP telephone systems; Video Surveillance Systems; and Business Machines.
2. NIST Strikes Out Swinging at Building Systems. NIST issued an Internal Report, 8228, stating they could not issue a cybersecurity standard for IoT systems and devices. (This includes Building Systems, sometimes referred to as legacy IoT.) Instead of a standard, NIST issued more than 50 considerations that must be applied to each type of IoT system and device. The reason given by NIST is that there is a lack of interoperability between the platforms and tools used by substantially all IT departments to monitor and manage network-connected systems, and way too many IoT devices and systems require configurations performed manually or from non-IT platforms.
3. NIST Clarifies Need for a Device-Layer of Security. A NIST 8228-inspired solution for securing Building Systems at the device level enables Facilities Managers to provide security with nominal budgetary impact. A national organization of 100+ nationally prominent CIOs and CISOs has combined NIST’s 55 “considerations,” for use by suppliers of each type of Building System, with a program that enables each supplier to deploy device-specific controls as part of installation, service and maintenance work performed by the supplier. The NIST considerations are organized into “sets” of controls determined by the type of Building System (e.g. VoIP telephone, video surveillance, etc.). The enablement is delivered directly to suppliers over 4 to 6 months. A dedicated part-time CISO is assigned to each supplier.
4. New Technology Available for a Second Layer of Security.
-- Several cybersecurity products came of age in 2019 that dramatically enhance the ability of Facilities Management to identify and connect specific building devices and systems as a unique and independent group, which allows those systems and devices to be either cloaked and made invisible to unauthorized traffic, or placed within a virtual firewall that has a single, managed port for access.
-- Another type of cybersecurity product protects the integrity of signals associated with sensors that might be hacked, such as video cameras and measuring devices for water and air temperature, pressure, humidity, etc. Nearly all such sensors are vulnerable to cyber intervention and can be used to falsify data used for operations, leading to life and safety concerns.
-- These technologies enable a layer of security that, when combined with device-level security, creates commercially viable security for the Building Systems of all organizations except those with extreme needs, such as federal government, banking and finance, advanced research, and perhaps others.
5. FM-CSOs and the Rise of Smart Buildings and Smart Cities. A critical mass of technology professionals now focus their work on smart buildings and smart cities. These professionals create a pool of expertise in Building Systems and cybersecurity, which enables Facilities Managers to have direct and sustained access to technical acumen and technology leadership specific to Building Systems (and in many cases industrial control systems). Facilities Management can readily create a functional role for a Facilities Management-Chief Security Officer (FM-CSO). This role can be full time or part time and can be retained as an employee or a contracted professional service. A post on this role will be available shortly.
These five game changers can and should impact how each Facilities Manager views their future. The stakes are higher now than ever before, given pressures from increasing threats and the reality of cybersecurity attacks. Facilities Managers have this new and empowering opportunity to take responsible steps to secure the systems they own. May 2020 be the Year of the Facilities Manager.
This article was written by Joel Rakow. He helps system integrators and their customers secure, buy, sell and implement solutions, making the IT supply chain stronger and able to conduct business more easily. It all starts with each party embracing its own cybersecurity hygiene.