How to Plan Cybersecurity for Smart Buildings

5/2/2023

The increasing use of Internet of Things (IoT) devices and, particularly, systems of IoT devices in our built environment has been driven by a desire for sustainable, high-performing buildings, as well as competitive value-add systems (e.g., energy monitoring, ESG alignment) for users of that space. However, building automation systems (BAS), energy management and monitoring systems, and other IoT systems are increasingly a target for criminal and nation-state malicious groups and the results of these attacks are costly. An increasing number of networked devices means an increase in cybersecurity vulnerabilities for owners that could result in an interruption of building operations, loss of sensitive or valuable data, potential harm to occupants, and liability and reputational risks. These vulnerabilities are due in part to organizational and cultural challenges within large owner organizations as well as with vendor relationships. 

Not uncommonly, discussions surrounding how to resolve these types of smart building cybersecurity challenges focus on training facilities’ professionals in IT skills. However, our recent research on higher education institutions has found that cybersecurity challenges are far more complex than a skill sets issue, especially for large building owners. Facilities and IT professionals are often left out of smart building design and procurement decision-making. In addition, historical silos between Facilities and IT departments have resulted in different technical languages, professional cultures, and coordination difficulties. 

Despite these complexities, facilities managers and IT personnel have begun to address these challenges. This includes understanding three major pain points that increase smart building risk and we will provide recommendations to help Facilities managers improve cybersecurity and mitigate risk from design and construction (D&C) to operations.  

The challenges 

IoT devices and systems of devices can enter the building life cycle at a number of different stages. Three key pain points inhibit IT and Facilities professionals from engaging together in effective and efficient ways during IoT system design, device deployment, and operations. These pain points occur during:

• Design and Construction (D&C) 
• Equipment and systems procurement 
• Operations  

During D&C, there are few standardized processes in place to engage IT and Facilities personnel earlier in the design phase when IoT system design and procurement decision-making occurs. Furthermore, IT and Facilities professionals do not always have the opportunity to provide important technical and cybersecurity input to D&C project teams. Differences in project delivery contracts also determine when and if engagement with facilities and IT personnel can occur during the design phase. In addition, capital projects personnel do not always know that they need IT input on cybersecurity risks earlier in the process. These complexities in D&C have led to poorly chosen systems, poorly deployed systems, and a lack of IoT systems operational oversight, 

Second, most large owners lack cybersecurity criteria, standards, and mature vetting processes for procurement for IoT devices and systems, which also increases risk. This includes a lack of criteria regarding data governance and roles and responsibilities pertaining to IoT device repair, security updates, and general systems management. In addition, IT cybersecurity specialists are often not consulted early during the procurement process (or at all).  

Finally, operations challenges primarily revolve around differences between IT’s and facilities’ organizational histories and cultures. These differences have led to unclear, unmanaged or undermanaged, and poorly documented, networks of IoT systems. This divide between IT and facilities has led to coordination and scheduling issues when both sets of expertise are needed for a specific task. The divide has also led to a lack of a shared work language that supports mutual understanding of IoT systems, data management and analysis, and security. 

Emerging Solutions & Recommendations 

Despite these challenges, many large owner organizations have been exploring and implementing new solutions to improve IoT security and operations. Many of these solutions work to improve collaboration and knowledge synthesis between IT and facilities in operations, work practices, and policies. 

Based on our research of trends in higher education campuses, we recommend the following framework that other large building owners can adopt to improve their own IoT security and operations.  

D&C 

• Articulate and communicate to your project teams your long-term needs for a building’s IoT systems, networks, data, and data management. 
• Identify facilities and/or IT liaisons to participate in project team meetings to establish long-term owner needs and requirements for IoT systems.  
• Determine where and when IT and facilities personnel should provide input to project teams about IoT devices and systems. Examples include RFP planning, submittal review, and commissioning.  
• Standardize the consultation of cybersecurity and facilities professionals during early design/pre-construction to review IoT systems and formally document all review comments.  

Procurement 

• Articulate, document, and propagate owner cybersecurity criteria for IoT devices and systems in the built environment. Establish governance, roles, and responsibilities with IoT as well as criteria to assess vendor risk. 
• Require cyber liability coverage from the IoT systems provider. Establish who will be responsible when a system or device is compromised by a malicious group.  
• Require a device software update plan (i.e., ‘patch plan’) and establish who will perform it and pay for it. 
• Integrate cybersecurity reviews and IT Subject Matter Experts earlier in the procurement process. 

Operations 

• Establish governance of IoT systems for networks, devices, and data. Strongly consider collaborative forms of IoT systems governance between IT and facilities that includes systems and network expectations and performance. 
• Clarify roles and responsibilities of IT and facilities professionals working together on specific tasks. Know who is responsible for specific systems and equipment and know how to contact that person. Responsible-Accountable-Consult-Inform (RACI) charts are one example of a tool used to establish roles and responsibilities and to set expectations across multiple organizations.   
• Establish and maintain relationships between IT and facilities departments and personnel through cross-departmental planning meetings, interorganizational liaisons, and informal activities such as brown bag lunches. This builds trust and begins to blend and integrate organizational cultures. 
• Consider developing Operational Technology (OT) teams that blend traditional facilities and IT professions and approaches. 

For large owner organizations, better understanding the challenges that occur during D&C, procurement, and operations will reduce near and long-term smart building risk—even when factoring in the costs to implement these new steps. While the costs of increased labor and resources for IoT management and security, as well as the costs of developing new work processes and disrupting traditional workflows can be high, it is necessary. In this increasingly malicious networked world, the costs of preparation and due diligence will pale in comparison to the costs of financial and reputational considerations, brand management, operational performance, and physical safety concerns. IoT devices and systems offer considerable potential value — but only if the risks that they bring are thoughtfully planned for and managed.  

Laura Osburn is a Senior Research Scientist at the University of Washington. Chuck Benson is the Director of IoT Risk Mitigation Strategy at the University of Washington. Information in the article is based on the industry report, IoT Cybersecurity in the Built Environment, the outcome of a three-year research project on improving IoT cybersecurity through IT and Facilities collaboration, funded by the National Science Foundation.