The increasing use of Internet of Things (IoT) devices and, particularly, systems of IoT devices in our built environment has been driven by a desire for sustainable, high-performing buildings, as well as competitive value-add systems (e.g., energy monitoring, ESG alignment) for users of that space. However, building automation systems (BAS), energy management and monitoring systems, and other IoT systems are increasingly a target for criminal and nation-state malicious groups and the results of these attacks are costly. An increasing number of networked devices means an increase in cybersecurity vulnerabilities for owners that could result in an interruption of building operations, loss of sensitive or valuable data, potential harm to occupants, and liability and reputational risks. These vulnerabilities are due in part to organizational and cultural challenges within large owner organizations as well as with vendor relationships.
Not uncommonly, discussions surrounding how to resolve these types of smart building cybersecurity challenges focus on training facilities’ professionals in IT skills. However, our recent research on higher education institutions has found that cybersecurity challenges are far more complex than a skill sets issue, especially for large building owners. Facilities and IT professionals are often left out of smart building design and procurement decision-making. In addition, historical silos between Facilities and IT departments have resulted in different technical languages, professional cultures, and coordination difficulties.
Despite these complexities, facilities managers and IT personnel have begun to address these challenges. This includes understanding three major pain points that increase smart building risk and we will provide recommendations to help Facilities managers improve cybersecurity and mitigate risk from design and construction (D&C) to operations.
IoT devices and systems of devices can enter the building life cycle at a number of different stages. Three key pain points inhibit IT and Facilities professionals from engaging together in effective and efficient ways during IoT system design, device deployment, and operations. These pain points occur during:
During D&C, there are few standardized processes in place to engage IT and Facilities personnel earlier in the design phase when IoT system design and procurement decision-making occurs. Furthermore, IT and Facilities professionals do not always have the opportunity to provide important technical and cybersecurity input to D&C project teams. Differences in project delivery contracts also determine when and if engagement with facilities and IT personnel can occur during the design phase. In addition, capital projects personnel do not always know that they need IT input on cybersecurity risks earlier in the process. These complexities in D&C have led to poorly chosen systems, poorly deployed systems, and a lack of IoT systems operational oversight,
Second, most large owners lack cybersecurity criteria, standards, and mature vetting processes for procurement for IoT devices and systems, which also increases risk. This includes a lack of criteria regarding data governance and roles and responsibilities pertaining to IoT device repair, security updates, and general systems management. In addition, IT cybersecurity specialists are often not consulted early during the procurement process (or at all).
Finally, operations challenges primarily revolve around differences between IT’s and facilities’ organizational histories and cultures. These differences have led to unclear, unmanaged or undermanaged, and poorly documented, networks of IoT systems. This divide between IT and facilities has led to coordination and scheduling issues when both sets of expertise are needed for a specific task. The divide has also led to a lack of a shared work language that supports mutual understanding of IoT systems, data management and analysis, and security.
Despite these challenges, many large owner organizations have been exploring and implementing new solutions to improve IoT security and operations. Many of these solutions work to improve collaboration and knowledge synthesis between IT and facilities in operations, work practices, and policies.
Based on our research of trends in higher education campuses, we recommend the following framework that other large building owners can adopt to improve their own IoT security and operations.
D&C
Procurement
Operations
For large owner organizations, better understanding the challenges that occur during D&C, procurement, and operations will reduce near and long-term smart building risk—even when factoring in the costs to implement these new steps. While the costs of increased labor and resources for IoT management and security, as well as the costs of developing new work processes and disrupting traditional workflows can be high, it is necessary. In this increasingly malicious networked world, the costs of preparation and due diligence will pale in comparison to the costs of financial and reputational considerations, brand management, operational performance, and physical safety concerns. IoT devices and systems offer considerable potential value — but only if the risks that they bring are thoughtfully planned for and managed.
Laura Osburn is a Senior Research Scientist at the University of Washington. Chuck Benson is the Director of IoT Risk Mitigation Strategy at the University of Washington. Information in the article is based on the industry report, IoT Cybersecurity in the Built Environment, the outcome of a three-year research project on improving IoT cybersecurity through IT and Facilities collaboration, funded by the National Science Foundation.
