12/5/2023
In today's interconnected world, where technology plays a pivotal role in managing and maintaining facilities, the importance of cybersecurity cannot be overstated. Facility management and building technology have evolved significantly, with HVAC and building automation systems becoming integral components of modern facilities.
These systems offer numerous benefits, from energy efficiency to improved comfort and operational control. However, this increased connectivity also exposes organizations to cyber threats that could disrupt operations, compromise sensitive data, and potentially endanger safety.
As buildings become increasingly reliant on technology and interconnected systems, the importance of cybersecurity training for facility management and building personnel is crucial. The potential consequences of a cyberattack on a building are severe, ranging from compromised building access information to service disruptions, physical damage, and safety risks.
Given facility managers’ crucial role in building technology, they need to understand the vulnerabilities of those systems and take an active role in protecting them. The International Facilities Management Association (IFMA) identifies 11 core competencies for facility managers, including facility information management and technology management.
“Integrating physical and cybersecurity procedures has risen in criticality,” says IFMA President and CEO Don Gilpin in a press release. “Whether leading or supporting these efforts, facility management professionals are integral to ensuring the safety of people and organizational assets.”
IFMA recently developed a partnership with nonprofit organization Building Cyber Security (BCS) to offer IFMA members resources, training, and tools to mitigate cyber risk in facility operations.
Building technology has come a long way from its traditional, mechanical roots. Modern facilities are equipped with an array of interconnected devices, sensors, and controllers that allow for efficient monitoring and control. HVAC systems and building automation play a significant role in this transformation, enabling precise climate control and energy management. This smart building technology is important for energy management and enhancing the indoor environment. However, this technological progress has introduced additional vulnerabilities into our organizations that must be addressed and building personnel needs to play a role.
The integration of IT (information technology) and OT (operational technology) in building technology systems has expanded organizations’ vulnerabilities. Cyber threats can range from simple data breaches to more critical scenarios, including unauthorized access, system manipulation, and physical damage to building infrastructure.
HVAC and building automation systems can be attractive targets for cybercriminals because they can control building elements such as temperature, humidity, lighting, and other essential building functions. They can also be a gateway to access organizational data, including personnel data, financial data, and other critical items. Vulnerabilities may exist in the software, hardware, or communication protocols that enable these systems to function efficiently. Exploiting these vulnerabilities can have far-reaching consequences, from uncomfortable building conditions to data breaches.
To secure HVAC and building automation systems effectively, professionals in this field need to understand the complete ecosystem and its components. This includes:
Maureen Roskoski is vice president for FEA with 28 years of experience in strategic planning, resilience planning, and workforce development consulting. Maureen is an expert in ISO management systems standards, including the ISO 55000 series on asset management and the 41000 series on facilities management, and a member U.S. Technical Advisory Group to ISO/TC 267 Facility Management. She supports clients with continuity of operations planning (COOP), organizational assessments, FM technology process improvement, sustainability, and resilience planning.