Page 18 - REALCOMM EDGE-Fall 2017-FINAL
P. 18

Intelligent BUILDINGS





          Owners Must ‘Know the Score’ on

          Building Cyber Security





          Tom Shircliff and Rob Murchison
          Co-Founders
          Intelligent Buildings, LLC

                  hile more than 80% of all building automation systems   the IT staff doesn’t know OT—so it becomes a hot potato,
                  are connected to the Internet, more than three-   leading to the second reason.
          Wfourths of real estate organizations don’t have any     •  It’s nobody’s responsibility—This specific technology is not
          type of building cyber security plan. With millions of connected   in the traditional strategic or tactical domain of real estate
          controls systems in every real estate segment including com-  executives, and it has never been a subject that was clearly
                        mercial, corporate, campus, government, and   assigned to any department, budget, staff person, executive
                        others, it is hard to imagine that this is not the   or vendor. We have seen building systems enter the digital
                        priority for all senior executives.         age and nearly all now utilize computer servers, software,
                          We live in an age where cyber mischief,   protocols, local networking and Internet access; that alone
                        crime and even terrorism is in the news every   has created confusion about who is responsible for high
                        day. Overall cyber crime damage will hit $6   tech, connected building systems between facility manage-
          Rob Murchison  trillion by 2021 and ransomware alone will   ment and IT. Thus, it has been stuck in a ‘no-man’s land’.
          Intelligent Buildings   cost $6 billion in 2017. Notwithstanding a fair   •  The ecosystem is fragmented—Real estate design, con-
                        amount of ostrich behavior, real estate is not   struction and management is perhaps one of the most
                        immune to these trends. However, in years   fragmented and siloed of any industry. The Architects may
                        past there were dismissive comments such as   subcontract the controls design to engineers and the engi-
                        “What is the worst that can happen?” as many   neers may subcontract to an IT network designer, who then
                        contemplated the set points being changed   hands off to a general contractor (GC). The GC has nothing
                        or lights flashing on and off. This perspective   to do with ongoing operation of the building, and they then
                        does not consider the very real life-safety   do a hard hand off to the facility managers (FM) and prop-
          Tom Shircliff
          Intelligent Buildings   danger from elevators, indoor air, electricity   erty managers (PM). The PM or FM would sub contract to a
          and other critical aspects of safety in a building. While life safety   controls contractor who again may utilize some IT resource
          is paramount, there are also other consequential risks including   or just make do themselves. There are many different and
          network-hopping from the building systems into the corporate   often misaligned incentives and levels of liability.
          network or other devices, lost occupant productivity, capital   Add to these headwinds the fact that historically speaking,
          equipment damage from undetected viruses and malware, and   building controls technology has been a ‘bottom up’ issue,
          in nearly all cases there will be brand damage for the building   meaning that the OEM, contractors, engineers and service com-
          owner, manager and occupant organizations.             panies bubble up technology advances and suggestions to own-
            There is a palpable increase in concern and increased activity   ers. However, with the smart buildings movement there has been
          and sense of urgency in the boardrooms, committee hearings   a shift to more owner driven or ‘top down’ strategy and decision
          and manager meetings. Why is there hesitation or timidity for   making. ‘Top down’ is the key to addressing the risks associated
          these otherwise accomplished real estate professionals? Three   with building controls cyber security. Building owners must take
          reasons emerge:                                        control of the strategy and management of critical components
            •  Tech is complex—This is not only information technolo-  in building cyber security. This is a sea change and opens up a
             gy (IT) but a specialized subset of IT with cyber security.   new area of execution which can be divided into three steps:
             Additionally, it is not even traditional IT cyber security but   1. Inventory & Assessment—Because building controls system
             specifically building controls cyber security—not what most   design, implementation, management and connectivity
             IT experts are familiar with. It is literally a different type of   has historically been the responsibility of anyone other than
             technology called operational technology (OT) which utilizes   the building owner, there is relative chaos in the inventory
             different communication protocols, different equipment and   accuracy and current state of awareness of most buildings’
             different vendor types. The facilities staff doesn’t know IT and   cyber facts. Even the largest and most sophisticated real

       16       Realcomm
   13   14   15   16   17   18   19   20   21   22   23