Thomas Jackson
OT and IoT cybersecurity leader, Ernst & Young LLP
Innovations and the internet of things are ushering in a new wave of connected smart building systems. These innovative systems are allowing companies to increasingly automate, optimize and manage buildings systems with sensors and digital controllers. While these technologies are working to reduce costs and significantly improve the tenant and occupant experience, at the same time, they also come with a new set of risks and vulnerabilities, as building controllers and IoT devices used in smart buildings typically run on legacy systems that lack basic cyber protections.
According to a recent Ernst & Young LLP survey, 91 percent of real estate leaders today indicate that their security function does not meet their current needs. This is an especially shocking number to think about when you consider that more than 95 percent of today’s building systems have an unsecure internet connection.
• The “forgotten” network. When it comes to cybersecurity, most people are familiar with the term information technology. IT is the more common term, focused on business and corporate environments. This environment is mature, due to years of focus and development on the technologies and tools used.
On the other side, there is the operation technology environment, commonly referred to as OT. OT environments are more process driven, such as those in manufacturing and heavy industry. The OT environment is focused on availability and safety – overseeing the devices provides the basis for all measurement, monitoring and management. OT environments operate using proprietary protocols, which often are as old as the building and are therefore using legacy technology, and are not under the traditional IT function, meaning they often are forgotten in cybersecurity protocols. According to the survey, 76 percent of real estate companies still keep cybersecurity reporting mostly within the IT function.
Under this OT umbrella is the building management system. BMS networks are more open to abuse, because they tend to be managed by facilities managers or security guards, often with little or no background in IT or networking. These systems, which handle everything from air-conditioning to closed-circuit television, access control, lighting and door locks, traditionally worked on serial networks and were segregated from conventional IT networks.
But as these systems have become internet enabled, they are now open to all possible threats that afflict conventional IT systems. BMS operators report that 65 percent have direct remote access to their systems by vendors, and 56 percent report that their BMS network is commingled with the corporate IT enterprise networks. In other words, less obvious and forgotten areas should now be considered threats.
For example, cyber attackers can put elevator systems out of service, heat up a building, disconnect the entire electric system, hack into IP cameras or turn them into a botnet (Mirai IoT botnet). Most smart buildings are an overlay of new IoT devices on legacy systems that lack cybersecurity controls that can enable the smart BMS to be the gateway into the entire corporate IT network and even the tenants’ networks.
Yet today only 29 percent of BMS operators have taken or will take actions to protect these systems, despite a 74 percent increase in cyber incidents involving systems such as a BMS.
While IoT systems bring forward new capabilities that have the potential to transform real estate, they also require leaders to focus in on their OT threats now. Where do you start with securing these forgotten systems? Our firm’s OT/IoT cybersecurity approach implements a security life-cycle methodology based on the core tenets of cybersecurity: assessment, development, implement and management.
1. Assessment to understand your risks. The first thing to understand is the current maturity, risks and vulnerabilities of the BMS systems you have deployed within your buildings. This will set a baseline for the most applicable cybersecurity approach, as well as give you an understanding of your current readiness for adaptation of IoT devices and technology.
2. Develop a plan. Analyze your assessment data to understand your system’s current risks and vulnerabilities and help prioritize them. Take time to truly understand how, where and who can be impacted by a cyber event and the risk to your business. Using a BMS risk assessment can help you identify key security gaps to prioritize and build out a remediation plan.
3. Implement your strategy. Work with the individual property managers or key stakeholders, along with your IT or security department. Put policies and procedures in place to help safeguard and ensure that your plan is carried out and the security risks being addressed are understood.
4. Manage the systems. Manage the security solution in place to ensure ongoing continuity and to prepare for recovery in case of a cyber event. When developing and implementing your plan, you have to prepare to be resilient. Make sure there also is a plan in place to restore any capabilities or services that may be impacted in case a cybersecurity event does occur.
In today’s online world, every organization is digital by default. Moreover, in the connected and convergent world delivered by IoT, the digital landscape is quickly evolving and creating new cyber risks that real estate organizations need to consider.
