Lynxspring Technology Blog


Building Automation Cyber Risks

Building Automation Cyber Risks It’s not about numbers; it is a business issue.

As business people we hate spending money on things that don’t help our businesses operate better and more efficiently, perform at maximum levels or improve the products and services we deliver to the market. And yes, we know there are necessary expenses in business that require funding. The thought of spending money on things that are only used in a worst-case scenario and risk management are not attractive options when it comes to the allocation of our important resources---funds. They are however, a must. So what do we do? We look at things such as what is the payoff going to be. Are there risks? What are the risks and where do they exist? How likely is our business and operations going to be affected? What is the potential impact? These are questions that need to be answered. The bottom line, we want a solid business case as to why the risk or reward to the business warrants the expenditure.

We make purchasing decisions everyday based upon need over want. We recognize that the failure to do so puts our company, our business, our operations, our customers and even our fellow associates in an unacceptable position of risk. We don’t like it, but we understand it.

There are things that we hate spending money on but to do so in order to protect our business. Looking at the rationale for spending money in these areas can help you make the case why cyber security prevention and protection of your building automation systems and network needs to be a priority today. For example, there is insurance – in business and in our personal life, insurance is a check we don’t want to write; but we do. We understand that protecting our critical assets against a catastrophic event is a necessity. Failure do so would be putting our business and our operations at risk of serious harm. And when the day comes around and you need it, you are relieved you have it.

How about attorneys? Yes I said it, that nine letter word. While I respect and appreciate our attorneys and the value they provide us, let’s face it, life would be much simpler without the legal wrangling over contracts and other complicated legal issues. But to try to do it alone would be crazy. Being protected is a must and it’s well worth the expenditure to have these experts on your team.

How about the huge investments and dollars we spend each year on data storage and yet we still get those annoying alerts (it seems like weekly), telling us that our email box is over the size limit and contact your administrator. The reason we hate spending money in this area is because we know that a large percentage of what is being stored does not contain critical data tied to the success of the business. However, we can’t take the chance that this data is not accessible or may be needed some day, so we make the additional investment.

Then there is disaster recovery – again, worst-case scenario expenditure, but one that is absolutely necessary. In today’s market where we depend on data and information so much and for it to be unavailable is something we don’t want to experience.

Hopefully you are noticing a common theme here. We don’t like to spend money on these types of things, but do anyway. We have to and should. In each case, the potential cost to the business of not making the investment far exceeds not making the investment. These are all critical to our business and are necessities not choices.

While cyber security has always been a concern when it comes to protecting traditional systems and devices such as computers, routers, servers and our business operation IT networks, our building automation systems and equipment such as thermostats, HVAC equipment, access control, elevators and lighting controls seemed to escape the right measures for cyber protection even though there is an increasing rise of cyber threats, network compromises, and vulnerabilities that are prevalent today.

Today cyber security protection and risk prevention for building automation systems is a necessity. Building automation networks and IT networks should not be treated differently when it comes to cyber security and threat protection. Just like an IT network (you invest in its cyber protection), building automation networks should have multiple layers of defense and protection as well as policies and procedures that are continuously addressed. A comprehensive cyber security program includes a defense-in-depth strategy and leverages industry standards and best practices to protect systems, devices and the networks they run on and detect potential problems along with processes to understand current threats and enable timely response and recovery. Cyber security should be an integral part of the design of the automation system and the deployment, not an afterthought.

From a business perspective, the negative consequences that BAS-initiated cyber incidents can cause are disruptive and potentially catastrophic. Such events can impact occupant productivity and personal safety, disrupt critical processes, and shut down business operations entirely. Then there is the potential theft and loss of intellectual property. Threats and breaches to building systems can be entry points into the company’s network and become a pivot point that can bypass many existing network defenses. A hacker can use a BAS device as a jumping off point to get onto other devices and systems, introduce malware, viruses and worms or engage in other detrimental activities. The social implications can be as equally devastating with negative publicity and loss of customer confidence while the financial ramifications may be compounded with lawsuits and equipment replacement and repair. And there is more.

While numbers are important, cyber security is a business issue and the cyber protection of building automation systems plays in the operation of our businesses. The operational, financial and reputational impact to a business is tremendous and it's on all of us to make cyber security a business case.


By accepting you will be accessing a service provided by a third-party external to