Buildings Systems Are Your Cybersecurity Alamo
Tom Shircliff, Co-Founder, Intelligent Buildings
How your contractors configure and back up (or not) your building systems determines whether you will have business continuity or the ability to recover from a cybersecurity incident.
In the first article of this series, we suggested that cybersecurity is not enough for protecting building systems such as HVAC, elevators, lighting, access control, and parking. We laid out the three areas that would be a complete approach and better described as vendor risk management (VRM). In our second briefing, we delved into remote access and networks. This installment focuses on building systems backup and configuration, the second of our main topics:
- Remote access and networks
- Building systems backup and configuration
- Technician policy management
Too many organizations focus only on IT networking and remote access defenses for building business continuity. We previously described a better, less expensive way to do this, but emphasized it's only one-third of the problem. Additionally, our research shows most financial impact comes from a lack of backup and poor policy management.
So, what is a configuration? It’s much simpler than you might think. The configuration, also known as the system setup, entails issues like password complexity, user credential management, software updates, and backup status.
System backup is commonplace in enterprise IT and even smartphones, which automatically back up your data, making restoration a snap. When you get a new phone, you simply enter your log-in credentials, and all your apps and settings reappear. Who knew our spouses and kids would be better at “business continuity” than our property service companies?
Backup is often forgotten, even in the most sophisticated organizational environments. We have been fortunate to have done many thousands of site surveys and frequently find no awareness of backup file locations, methods, or custody. Some organizations may have a policy stating that contractors should keep backups, but even sophisticated organizations often lack stipulations on proper restoration methods.
Could a typical asset manager, corporate real estate executive or healthcare facilities executive answer if and where a vital building automation system, high-rise elevator system or two-thousand-space parking control system is backed up? The two main questions you need to answer are “if” and “where.” Most systems are not backed up (the “if”). If they are backed up, can you access the backups (the “where”)? Often, these backups are stored on hard drives, pen drives, tape drives, adjacent computers, and even the same computer as the building system. This type of storage is not only inconsistent and problematic, but the location and storage types are usually only known to each system’s contractor and, even then, only to a select few individual technicians.
Admittedly, creating reliable backups for building control systems in a commercial real estate environment is more difficult, but no less critical. Cybersecurity incidents that have impacted millions of square feet show that if there had been proper backups, the duration and costs of the problems could have been significantly reduced or eliminated. This is easier said than done due to the extreme fragmentation in the industry and the number of layers between ownership and the systems in question. However, there are ways to start down the road to orderly backup and restoration procedures.
Consider a hacking or ransomware incident where one or more systems are compromised, and the property manager, landlord, or organization’s executives are lunging at the problem with phone calls and emails. You can imagine the mad scramble to determine what to do in the face of a demand to pay bitcoin to strangers or knowing your systems have already been shut down, with the only other option being to restore a system from scratch, all while a building may be unoccupiable or worse. This is all part of the “respond” phase of the widely accepted National Institute of Standards and Technology (NIST) cybersecurity framework (Identify, Protect, Detect, Respond, Recover).
Meanwhile, while responding, those staff and executives realize they have skipped the first three steps of the framework and cannot efficiently perform the fifth (more on that later). If they had centralized, offsite, cloud-based backups independent of the contractor service companies, they would have the confidence of knowing where their backups are and how to work with the service companies to restore the systems immediately. Restoring from a reliable backup saves tremendous system rebuild costs while minimizing downtime, operational interruptions, liability, and brand damage. Other significant business benefits include inoculating the building against property management and contractor turnover risks.
Having backups has obvious benefits, but that is only one step in the basic cybersecurity framework. Since the first step is “Identify,” owners and managers should start with the simple decision of conducting cybersecurity site assessments that include an inventory of systems, servers, connections, and contractors. This should be followed by utilizing zero trust technology to “Protect,” and network monitoring software to “Detect” anomalies, including rogue devices. Combining this with a centralized secure backup allows you to either completely avoid disruption or quickly respond to and recover from either malicious intrusions or internal mismanagement.
You can learn more about the nature of the problem and the VRM approach by watching a four-minute video that will pop up automatically at www.buildingcybersecurity.com.