Building control systems are great tools for making facilities more efficient, but they could also leave them vulnerable to cyberattacks.
There's no question that cyberattacks are becoming a greater threat to building security. In 2022, the United States has the second highest number of cyber-crime victims per million internet users.
These breaches are costly. In 2022, data breaches cost businesses an average of $4.35 million. Facility managers need to ensure their facilities have safeguards in place when adopting new technology.
At NFMT Baltimore next March, Fred Gordy, director, OT Risk Assessment for Michael Baker International, will teach attendees how to perform risk assessments and configure building control systems to meet minimum cybersecurity requirements. His presentation, "6 Steps to Cyber Securing Building Control Systems," takes place March 22.
NFMT: How are building control systems vulnerable to cybersecurity?
Gordy: The primary vulnerability are the unknowns. And the unknowns are not what you think, like who the bad guys are and what they might attack. These are important; however, you can’t protect against the bad guy attacks if you don’t what you have, how is it connected, and who access. Of all the systems I have assessed, over 80 percent could not answer all three questions. The rest might be able to answer one or two, but not all.
NFMT: I'm sure many facility managers think a cyberattack won't happen to them. Why should facility managers be concerned?
Gordy: According to INTECH Automation-Intelligence In 2019, IBM reported a staggering 2,000 percent increase in cybersecurity incidents against OT. They predicted a 30 percent increase every year going forward. These means the gap is closing on the probability that an attack will occur. Facility manager need to know that threat actors, from Nation States to a lone hacker have turned attention to building control systems because they see them as a much easier target to get into. The reasons are varied and the end result to building systems can lead to business disruption, human injury, even death.
NFMT: What are the ISA 62443 series of standards?
Gordy: ISA (International Society of Automation) was established on April 28, 1945, originally as the Instrument Society of America. As the name says, it was aimed at instrumentation to develop standards and uniformity. Recognizing ISA’s international reach and the fact that its technical scope had grown beyond instruments, in the fall of 2000, the ISA Council of Society Delegates approved a legal name change to ISA—The Instrumentation, Systems, and Automation Society. In October 2008, the Council voted to rename the Society to the International Society of Automation, a name that reflects our global nature and inclusive membership base. Today it considered the premier, international standard for operational technology (ICS – Industrial Control Systems & BCS – Building Control Systems).
NFMT: Your presentation is going to cover six steps to cybersecurity for building control systems. Can you give us a taste by telling us about step 1?
Gordy: Step 1 of this session will introduce attendees on how facility managers can effectively and efficiently build and maintain asset management for their systems. The No. 1 priority in any cybersecurity standard, whether it be NIST, ISO, or ISA is to know what you have in order to protect it. The attendees will also learn the importance of maintaining an accurate and up-to-date list of devices.
NFMT Baltimore takes place March 21-23. Visit www.nftm.com to register.
Dan Weltin is the editor-in-chief for the facility market. He has 20 years of experience covering the facility management and commercial cleaning industries.
