Building automation systems have become a soft target for cyberattacks due to the large numbers of intelligent devices connected over open networks, sophisticated threats designed to attack control systems, and dependency on third-party service providers connecting to the systems remotely over the internet. In this article, we will focus on the steps needed to appoint a leader, convene a team and establish a defense in depth designed to protect these important systems. The process may face unusual challenges as buildings and building automation systems are used and supported by many stakeholders including owners, tenants, service providers, occupants and visitors. Within the enterprise, tensions over cybersecurity may exist between information technology (IT) and facilities, as differing knowledge and priorities confound cooperation.
A paper published by the U.S. Department of Energy in March 2020 reports that half of all commercial buildings have intelligent building control devices connected to the internet, and almost 95% have no disaster recovery plan. Of these, a full 40% report that their building automation systems have been targeted. These numbers are staggering given the important role large buildings play in the world today.
Fortunately, there are a number of excellent cybersecurity frameworks that can be applied to create a defense in depth for building automation systems. Standards bodies, government agencies and quality organizations have all developed these methodologies and made them available at no cost to their constituents. These important frameworks mostly follow a common defense in depth approach covering physical, technical and administrative functions.
Because all the popular frameworks are capable of improving security, selecting one over the other is usually not too critical. The more important question is how to deploy any framework within the context of large and complicated smart buildings. The deployment journey characteristically begins by appointing a leader (or volunteer), who will establish a team of stakeholders to work together to select, tailor and operate the framework. Leaders of these teams often come from the tenant’s facility or IT organization. Either approach will work so long as the leader is capable of managing the team while working cooperatively with a variety of stakeholders with different backgrounds.
In addition to leadership, the makeup of most teams includes IT staff familiar with networks, servers and internet connectivity, as well as facility experts familiar with building automation systems, electrical systems and mechanical systems. Often, there will be a combination of regular active team members and a number of part-time stakeholders. This creates a core team and an extended team led by the tenant, and also encompasses the building owner plus vendors who service the systems.
In addition to IT and facility staff, it is a best practice to recruit a cybersecurity expert to the team. Often, this person has an IT background along with extensive training and experience working in cybersecurity. In most organizations, cybersecurity experts are in short supply. If this is the case, then hiring a local contractor may be the best solution. While some frameworks are now recommending a single leader with a combination of IT, operational technology (OT) and cybersecurity expertise, in reality this combination of skills is extremely rare, and it is unreasonable to expect one individual will be an expert in all of these disciplines. While it would be ideal to find a person like this, it is far more likely there will be a single leader from one discipline aided by team members with complementary skills.
Enlisting vendors to join the team may produce a negative reaction. Lease agreements, service contracts, fear of liability and lack of expertise often create barriers. Concerns over cybersecurity can cause even good vendors to pause or wave off participation. However, if a vendor is essential to implementing the framework and establishing a defense in depth, then it is the responsibility of the team leader to explain and press the supplier for their cooperation. The goal should always be to inform and include. But if this approach does not deliver results, then pressure should be brought, including replacing uncooperative vendors. New construction or a new lease is a special case because it is the time when contracts are open for negotiation and when building owners and systems integrators are most receptive to designing systems with cybersecurity as a central requirement.
The most common category of building is professional office space. Large companies often lease offices across the country, and many do so around the globe. These remote buildings play host to hundreds of employees and frequently lack on-site IT. Facility support is usually provided by third parties. In cases like this, corporate IT or facilities will need to establish the defense in depth framework from afar by establishing a virtual team of local service providers and by using cybersecurity automation. Vigilance and care are necessary because flat wide area networks (WANs) can join remote offices to corporate-wide enterprise networks.
During the time that a framework is being established, it is also essential to deploy cybersecurity automation systems. Automation and modern IT infrastructure will provide the team with the means to detect and prevent, or detect and respond to, threats automatically. Automation also reduces labor, making it possible to improve security even across large, complex and remotely managed systems. The best cyber automation platforms also include reports that follow the structure and terminology of the popular frameworks.
Whether the team is local or engaged remotely, it is a best practice to meet each month to review the status of the defense and any emerging threats. This is done using the defense in depth framework and automated reporting as a guide. A regular meeting cadence will also strengthen the resolve of the team to continuously improve and remain vigilant.
Beyond regular meetings, it is important to have a process at the ready to manage cyberattacks when they occur. Rehearsal and planning are the best ways to minimize damage from an attack. Knowing who to contact and how to react is a well-proven approach that will save time, money and liability. Once an attack has been contained, having a verified recovery procedure will be priceless.
For extreme situations, it is advisable to have an executive escalation process, which may entail contacting senior leadership, public relations, legal representatives, customers and law enforcement. Ideally, these more extreme situations will be avoided through preemptive planning and teamwork.