Cyber Security: Where IT Expertise, FM Vigilance Is Most Critical
To truly safeguard the network, facility managers need to have more than a passing understanding of cyber security
One area where IT expertise is particularly critical is cyber security. “These networked systems don’t run by themselves, and since most are connected to the Internet for purposes of having outside vendors checking and tuning equipment operation remotely, these networks are susceptible to the same kinds of attacks as other corporate networks,” says Lipka. “If the company put the building systems on the corporate network, they’re already an IT matter, and the security problems have gotten worse.”
Developments in technology are increasing the need for vigilance. “Instead of purpose-built operating systems and networking technology for controllers, newer BAS equipment has a lot in common with a phone or a retail appliance,” Steve Joanis, engineering manager with ENE Systems and a member of the InsideIQ Building Automation Alliance. “The natural result of this adoption of ‘off-the-shelf’ technology is exposure to viruses and hacking. This exposure activates the IT anti-bodies that live within a building and makes that BAS system a source of concern and attention for the building occupants’ IT staff.”
Building systems raise a wide range of cyber risks, including life safety, equipment damage, productivity loss, network hopping, and brand damage, according to Murchison. He asserts that cyber frameworks have “ignored” building controls systems, as have industry trade groups, which have addressed only industrial controls systems.
Murchison and Shircliff’s firm has developed a cyber security assessment methodology specifically for building controls systems.
“This approach is based on the National Institute on Science and Technology cyber security framework that has been widely accepted and includes the categories of identify, detect, protect, respond, and recover,” Shircliff says. Beyond the NIST cyber framework they found that there were no subsequent methods or procedures for building controls systems, only for industrial controls systems. Their approach, which they are calling Building Controls Systems — Cyber Assessment Methods & Procedures (BCS-CAMP), will provide a score on each key NIST category and for building control system sub-categories, Shircliff says.
When considering new Building IoT or BAS technology, facility managers should be engaging the IT department from the beginning. This allows them to discuss options regarding network security and to plan user policies and defined user account roles, privileges, passwords, and account management, not just initially but over the life of the system. “This is extremely important to ensure the ongoing security of building systems,” explains Oswald. “The key here is to realize that building systems should be held to the same policies and procedures for network administration and maintenance as the rest of the business’s systems and applications — it’s not just a technology issue.”
Cyber risks lead some experts to recommend minimizing connections between BAS networks and the IT network. “To avoid needless security risks and costs, BMS infrastructure should be maintained separately from the rest of the IT equipment with as few touch points as possible,” Joanis says. “Touch points should be areas of scrutiny with firewalls and routers that are updated and maintained by the IT staff.”
More gains from cooperation
Cyber security guidance isn’t the only reason facility managers should build closer ties with IT. Wickland cites “guidance from IT on how to manage IoT as a program. It’s very important to design solutions with the end in mind because the technologies are evolving quickly, and there is too much choice out there. IT needs to help distill the practical and sustainable from the possible.”
Another area, says Joanis, is infrastructure. “Facility managers need IP addresses, cabling, and IP routes between equipment and out to the Internet,” he says.
New buildings need to have a set of standards for IT-based control systems, Murchison says: “There are several key concepts that are important, including non-proprietary (open) protocols, converged networks (backbone) for the various systems, and data normalization (to promote interoperability and data analytics). Additionally, cyber security is the wrapper for it all.”
Once the new technology is chosen and the facility manager and IT department have designed the proper architecture for it, “then implementation becomes the next major consideration,” says Oswald. “The industry has not done a good job in standardizing on how to model equipment, devices, and data in building systems,” he contends. There’s a lot more involved than coming up with a naming convention. “It really is about how systems are modeled and tagged so that other systems know where the data is coming from,” Oswald says. “For example, a data point may be named ‘fan,’ but does the ‘fan’ data point belong to an air handling unit or a VAV box? Communities such as Project Haystack are working to solve this issue, and it will definitely help.” He recommends that facility managers raise this issue with their vendors to make sure that the installation “is not left to the habits of the technician performing the programming.”
The scope of the project could play a role in determining the way that issues related to naming are handled. “If the BAS will be providing business metrics or the system is large enough to benefit from analytics and fault detection and diagnostics, then a clear naming convention will make normalizing the data for integration to these systems easier,” says Joanis. “In most cases, a simple naming method suffices. Project Haystack and similar efforts provide a very complex method that I do not think will be widely used by field personnel. This may see more effort if a standardization process between manufacturers is adopted for non-programmable devices.”
Making the right choices
Technology innovation — from start-ups to industry giants — is presenting facility managers with a wide range of opportunities to add value to their organizations. “The new array of IoT devices offers more options to support the productivity-improvement mission,” says Karloff. But the bottom line is that “it should never be ‘technology for technology’s sake,’ nor should it be about applying new technology just because we can.” Smart facility managers should be collaborating with other departments to understand what technology applications can help improve productivity.
Vetting the new generation of Building IoT products promises to be an important role for many facility managers. “The good news is that IP-based devices and applications are fairly easy to bring to market, and new products show up almost weekly,” Oswald says. “The bad news is that many of these are based solely on computer technology with little to no regard or understanding of the requirements for real-time systems that control buildings.”
According to Wickland, facility managers should be trying to figure out what set of technologies can work together to best solve the needs of facility managers without causing problems for IT, HR, legal, or other departments. “From my experience, IoT done well almost always results in a new team or even a new organizational structure within the enterprise to specifically support IoT and continue evolving towards a higher value,” Wickland says.
It’s important to consider new technologies in a broader strategic context, not in isolation. “Knowing what your portfolio strategy is [and] which buildings to keep or vacate, and monitoring your other capital expense needs in addition to your IoT investment plays a role in determining your deployment plan,” says Wickland. “If IoT moves out of purely the [facility management] domain into the living workplace — utilization sensoring, environmental monitoring, etc. — those workplace objectives become heavy factors as well.”
Angela Maas is a freelance writer who covers facility management topics. She is the former managing editor of Building Operating Management.
Email comments to firstname.lastname@example.org.