Cyberattacks on critical building systems like HVAC, lighting and energy have exploded in recent years, putting facilities managers in the unfamiliar position of having to think about network vulnerabilities.
Cybersecurity “shouldn’t be a part of their day-to-day life, but they have all the context to what’s happening on a device,” Sean Tufts, field chief technology officer at cybersecurity firm Claroty, said in an interview.
That contextual knowledge is critical as IT specialists try to devise ways to protect their organization’s infrastructure, said Tufts.
“The people in the IT department … typically have no idea what’s happening … on a badge reader, on a camera system,” he said. “They need that context. So we need to build that cultural bridge.”
In its latest analysis of building management systems, Claroty found that 75% of the 500 organizations studied — each with building systems with cyber components like embedded computers and networked controls — were vulnerable to breaches or cyberattack.
In a survey conducted in the U.K. earlier this year, more than a quarter of facilities managers said their building management system had been targeted in a cyberattack, up from 16% the previous year. The Royal Institution of Chartered Surveyors, which conducted the survey, said cybersecurity now ranks highest among the most significant and fastest-growing threats facing building owners and occupiers.
“Buildings are no longer just bricks and mortar,” Paul Bagust, head of property practice at RICS, said in the survey report. “They have evolved into smart, interconnected digital environments embracing increasingly sophisticated and ever-evolving technologies to enhance occupier experience.”
Risks to building management systems will only grow as companies upgrade legacy systems, Claroty said in its report. “As buildings get ‘smarter,’ building management and automation systems are going to be connected online with greater frequency,” it said. “Many of these systems do not support cybersecurity features.”
IT and facilities management need to come together if organizations are to keep a lid on risks, Tufts said. “No one knows that facility better than the facility manager and their team,” he said. “So, they are the business. We cannot do anything without them.”
To bridge what he called a cultural gap between the two sides, Tufts recommended a five-step action plan for IT and facilities management to work together.
- Scoping: Map out your organization’s operational processes, determine which building systems support them and rank these processes by business impact, like financial loss, operational downtime, reputational harm, regulatory non-compliance, and safety risks.
- Discovery: Create a context-rich asset inventory of building systems that operate alongside network infrastructure, like HVAC, lighting and security, so there’s visibility into how these systems connect.
- Prioritization: Rank which processes, if compromised, would result in meaningful consequences such as financial losses, operational downtime, safety incidents, or compliance failures.
- Validation: Show exposures are real and externally reachable by tracing how building management assets within the network communicate. It’s possible that not all communication points, which create potential attack paths, should be there.
- Mobilization: Work with security vendors that partner with original equipment manufacturers to support onsite remediation, especially when updates or configurations affect legacy systems. Coordinate remediation efforts around maintenance windows and operational schedules to minimize disruptions to critical processes. Establish KPIs and reporting mechanisms to demonstrate risk reduction and validate the ROI of security efforts over time.
“Oftentimes, building management systems and building automation systems are being operationalized on the network without thinking about the cybersecurity implications,” Grant Geyer, chief strategy officer at Claroty, said in the company’s report. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured.”
