Page 17 - RC2020-EDGEMagazine_SummerEdition
devices that typically contain only firmware and are commonly known as IoT or Internet of Things. We consider building technologies as a combination of both the IT and OT assets. Some malware, for example WannaCry and NotPetya target traditional IT assets, while Mirai targeted OT devices like security cameras. As we assessed our building technology footprint and diligently addressed vulnerabilities, our work was made more difficult because of weaknesses in the overall supply chain.

Many products in the building technology space are not cyber secure. Scanning your OT network for vulnerabilities is not an option as many OT devices will “brick” when scanned. If you are unfamiliar with the term brick, it means that due to a patch or an upgrade the device was essentially made useless, something was corrupted, and the device is no longer functional. Consider this scenario occurring as a result of automated patching or vulnerability scanning on your building systems. What would you do if your building systems were “bricked?” Would your building be inhabitable if the HVAC failed in extreme weather, or your elevators were inoperative?

We began our assessment and our vendor discussions with a simple premise … as a device on our network, you are a guest and must abide by our rules. While we thought this was a basic tenet that everyone could support, not every manufacturer could address security deficiencies in either their products or support models. Some service providers could not abide by our security and contract stipulations. I discussed these issues with our internal control teams, explaining that products and services in the building technology industry were immature when compared to traditional Information Technology.

The building technology industry was not founded on a strong security model. The early products were designed to automate mechanical functions for building engineers. The products were designed to be easy to use, and security wasn’t an early consideration. During these conversations, I found myself emphasizing again and again the fact that this industry needed to change if we wanted to see more secure products and services in the future. Our goal is to get the disparate motivations in the supply chain better aligned, as everyone will have a role in improving security. Symantec measures Supply Chain attacks up 78% in 2019: The need for better collaboration and improved products is clearly needed now more than ever.

We knew that we were not alone in seeking supply chain improvements. The 2016 Realcomm | IBcon event in Silicon Valley gave us a perfect opportunity. We asked Realcomm to help convene a Cybersecurity Roundtable after the conference. Representatives from Corporate, Commercial and Governmental property organizations gathered to discuss building cybersecurity challenges.