Building Operating Management

BackBack

Getting Serious about Facilities Cybersecurity

Four years ago, I attended a conference at which one of the keynote speakers was an expert in cybersecurity. The presentation cued me to think more carefully about the use of mobile apps, VPNs, and security on my home network. I became even more conscious of my digital footprint. 

At the time, we were already used to dealing with email scams – the Nigerian prince scheme, offers of something for free, announcements of suspicious activity on an account, requests to confirm personal or financial information, demands for payment of invoices, threats of extortion on pain of revealing personal information. 

These methods are personal. They hit us as individuals. The scammers cast wide nets to see who they can get, and according to the U.S. Federal Trade Commission, they are often successful. 

For a long time, all things cyber were considered to be in the realm of information technology. Each of us as individuals would educate ourselves on ways to avoid malware and scams. We still do, as we should. But our world has become a lot bigger, a lot more enmeshed. 

Earlier this year, I attended two conferences on the built environment that focused on cyber safety and security. At each conference, we talked about new and old threats to institutional and commercial facilities and how to mitigate them. Where we were once very concerned about email phishing scams that target individuals, now we are concerned about attacks that target our organizations’ systems and infrastructure. We are spending more time thinking through ways to balance the benefits of our connected world with the risks that connectivity brings to our organizations. 

Focus on factors 

When it comes to managers in facilities, what factors are driving the growing focus on cyber safety? A few things: 

Increased sense of risk. Not one day goes by that we don’t see a news story related to cyber attacks or cyber risk. Cyber security is at the top of a trends list issued by the Emerging Trends Real Estate 2022 survey, beating out AI and machine learning, the Internet of Things (IoT), big data and co-working. Similarly, the World Economic Forum ranks cyber attacks as the top global business risk. 

IoT. The facilities world is increasingly connected. There are great benefits of high degrees of connectivity: information and functionality available at our fingertips, better data handling and storage, and seamless software updates. 

Do you want to update the software on major equipment without affecting operations? Definitely. How about adjusting thermostats and lighting levels from a cell phone? No problem. 

But that convenience brings exposure. For an idea of the scale of exposure, a study conducted by Juniper Research estimates that the number of connected vehicles will reach 367 million globally in 2027. This figure is up from the 2023 estimate of 192 million connected vehicles. 

That is just vehicles. There will be at least 55.7 billion connected devices by 2025, according to the International Data Corp., with IoT accounting for 75 percent of all devices. Think about all of the pieces of large and small equipment and devices that are connected in a facility. Some we control, many we do not. 

Policies and insurance requirements. Organizations are increasingly requiring their business partners to have cyber policies and cyber liability insurance. Cyber liability insurance covers costs related to data restoration, IT forensic investigation, legal assistance and communications. With cyber attacks on the rise, having policies and plans in place makes good business sense. 

Challenges mount 

As we address the drivers of cybersecurity in institutional and commercial facilities, we have some distinct challenges ahead of us. 

Siloed organizations. One issue managers need to deal with in facilities is the siloed nature of roles and reporting structures. Does information technology report to facilities? Does facilities report to information technology? Does everyone report to human resources? Or finance? Depending on the organization, the reporting structure could be any of these. Whatever it is, we cannot afford to let that be the reason we do not collaborate. 

The facilities management profession is always evolving, so the idea that we need to adjust to incorporate cyber safety into our thinking comes as no surprise. Many of us are working to break down the silos by educating ourselves on cyber safety and cybersecurity. We need to work on developing relationships with our information technology teams and work on the larger common ground we share — maintaining the safety and security of the organization so people are safe and business can continue. 

IT and OT convergence. Internet technology (IT) is the locked downside of connectivity — the server and networking equipment. It’s the critical infrastructure involved in data processing, management and storage. These are the pieces of equipment and processes the IT department doesn’t want anyone to touch, access, or play with. Most of us interact with it, but we don’t control it. The facility manager is typically tasked with keeping it cool, powered and physically protected. 

Operational technology (OT) includes the physical hardware and machinery of a business. Think of computerized maintenance management systems (CMMS), integrated work management systems (IWMS), building automation systems and fire controls systems. The facilities department typically oversees and manages these applications. These systems keep the entire facility temperature-controlled, ventilated, powered, plumbed and physically protected. 

Not surprisingly, IT and OT are converging. From a facilities perspective, this means that where we once maintained the silos of our respective worlds, the challenges of increased connectivity and cyber risk management are demanding we pool our collective resources to protect people and businesses. 

Facilities need IT expertise to help keep the OT side safe, and IT needs to have reliable, safe OT systems working to keep IT systems operating. Both sides need to collaborate to keep core business functions up and running. 

When cyber meets physical. From a facility management perspective, we have understood that managers have a role to play in cyber safety, but it hasn’t always been clear about exactly what that role is and what the risk is. We tend to think in terms of keeping the organization safe — the people, the physical elements. Those we understand, but what about when the cyber world collides with the physical world? 

A speaker at a recent cybersecurity conference talked through a scenario where a facilities person received an email. The colleague had just returned from vacation, so the email seemed plausible. The facilities person clicked on the attached file. Only the email wasn’t really from a colleague, and the attached file wasn’t legitimate. It was from a hacker. 

Initially, the attack focused on a controls system. The hacker demanded ransom payment. The team decided to deal with the issue internally, and after resetting the system, they thought all was well. But it wasn’t. The next day, the attack moved to the central plant equipment, where the hacker caused physical damage. After significant expense and time, the system was recovered. No ransom was paid. 

Cyber criminals don’t care about reporting authorities, terminology or organizational structures. They are after what they can get, and usually they want money. The move to causing physical damage to facilities raises concerns to another level. 

Managers tend to draw boundaries around their organizations’ physical assets, as well as the people and processes related to managing the physical space. As the facility management profession evolves and technology continues to advance, managers must embrace the critical part they play in the cyber realm. New challenges are emerging every day. Managers are key players in keeping organizations safe and ensuring their organizations meet their missions. 

Laurie Gilmer is president and chief operating officer of Facility Engineering Associates. She is a published author and instructor and the immediate past chair of IFMA’s global board of directors.