Weekly Briefing

article sponsor image
Partner Content

Buildings Systems Are Your Cybersecurity Alamo

4 min read
listen to article Listen to this article

How your contractors configure and back up (or not) your buildings systems determine if you will have business continuity or the ability to recover from a cybersecurity incident.

In the first article of this series, we suggested that cybersecurity is not enough for protecting building systems such as HVAC, elevators, lighting, access control, and parking. We laid out the three areas that would be a complete approach and better described as vendor risk management (VRM). In our second briefing, we delved into remote access and networks. This installment focuses on building systems backup and configuration, the second of our main topics:

  1. Remote access and networks
  2. Building systems backup and configuration
  3. Technician policy management

Too many organizations focus only on IT networking and remote access defenses for building business continuity. We previously described a better, less expensive way to do this, but emphasized it's only one-third of the problem. Additionally, our research shows most financial impact comes from a lack of backup and poor policy management.


So, what is a configuration? It’s much simpler than you might think. The configuration, also known as the system setup, entails issues like password complexity, user credential management, software updates, and backup status.


System backup is commonplace in enterprise IT and even smartphones, which automatically back up your data, making restoration a snap. When you get a new phone, you simply enter your log-in credentials, and all your apps and settings reappear. Who knew our spouses and kids would be better at “business continuity” than our property service companies?


Back up is often forgotten, even in the most sophisticated organizational environments. We have been fortunate to have done many thousands of site surveys and frequently find no awareness of back up file locations, methods, or custody. Some organizations may have policy stating that contractors should keep backups, but even sophisticated organizations often lack stipulations on proper restoration methods.


Could a typical asset manager, corporate real estate executive or healthcare facilities executive answer if and where a vital building automation system, high-rise elevator system or two thousand space parking control system are backed up? The two main questions you need to answer are “if” and “where.” Most systems are not backed up (the “if”). If they are backed up, can you access them (the “where”)? Often, these backups are stored on hard drives, pen drives, tape drives, adjacent computers, and even the same computer of the building system. This type of storage is not only inconsistent and problematic, but the location and storage types are usually only known to each system’s contractor and, even then, only to a select few individual technicians.


Admittedly, creating reliable backups for building controls systems in a commercial real estate environment is more difficult, but no less critical. Cybersecurity incidents that have impacted millions of square feet show that if there had been proper backups, the duration and costs of the problems could have been significantly reduced or eliminated. This is easier said than done due to the extreme fragmentation in the industry and the number of layers between ownership and the systems in question. However, there are ways to start down the road to orderly backup and restoration procedures.


Consider a hacking or ransomware incident where one or more systems are compromised, and the property manager, landlord, or organization’s executives are lunging at the problem with phone calls and emails. You can imagine the mad scramble to determine what to do in the face of a demand to pay bitcoin to strangers or knowing your systems have already been shut down, with the only other option to restore a system from scratch - all while a building may be unoccupiable or worse. This is all part of the “respond” phase of the widely accepted National Institute of Standards and Technology (NIST) cybersecurity framework:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Meanwhile, while responding, those staff and executives realize they have skipped the first three steps of the framework and cannot efficiently perform the fifth (more on that later). If they had centralized, offsite, cloud-based backups independent of the contractor service companies, you would have the confidence of knowing where their backups are and how to work with the service companies to restore the systems immediately. Restoring from a reliable backup saves tremendous system rebuild costs while minimizing downtime, operational interruptions, liability, and brand damage. Other significant business benefits include inoculating the building against property management and contractor turnover risks.


Having backups has obvious benefits, but that is only one step in the basic cybersecurity framework. Since the first step is “Identify,” owners and managers should start with the simple decision of conducting cybersecurity site assessments that include an inventory of systems, servers, connections, and contractors. This should be followed by utilizing zero trust technology to “Protect,” and network monitoring software to “Detect” anomalies, including rogue devices. Combining this with a centralized secure backup allows you to either completely avoid disruption or quickly respond and recover to either malicious intrusions or internal mismanagement.


You can learn more about the nature of the problem and the VRM approach by watching a four-minute video that will pop up automatically at www.buildingcybersecurity.com.

Rob Murchison, Co-Founder, Intelligent Buildings
Rob Murchison has over 20 years experience in strategy consulting, sales and design of technology to real estate developers and commercial businesses with expertise in networking, and software and data base applications. He is currently a Principal and Co-Founder of Intelligent Buildings, LLC, founded in 2004 to help customers manage risk, enhance occupant wellbeing, and improve performance.




Tom Shircliff, Co-Founder, Intelligent Buildings
Tom Shircliff is a co-founder and principal of Intelligent Buildings. Intelligent Buildings was founded in 2004 and provides managed services and advisory services that reduce operational risk and lower cost structure in commercial real estate. Their services support smart building design development, contractor cybersecurity and facility public health solutions.

This Week’s Sponsor

Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we are the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.