Cyber Reality for Today’s Buildings and Facilities
While buildings are smarter and more connected than ever before, when it comes to cybersecurity, they are stuck in the 1980s. Today’s connected business world means there are thousands of entry points in and out of companies. It is impossible to miss the continued headlines on the latest breaches and cyber-attacks. Cyber-attacks today are more sophisticated and targeted than ever before. The truth is that network security and the security of devices and systems do not work as well as we thought.
Cybersecurity protection and defense for the building automation systems and operational technology that operate and manage our facilities is now a necessity, and these systems should not be treated differently than an IT network when it comes to cybersecurity. Just like an IT network, building automation networks should have multiple layers of defense and protection as well as policies and procedures that are continuously addressed. In fact, cybersecurity should be an integral part of the design of intelligent buildings and today’s building automation systems and not an afterthought; it has gone from a nice-to-have to a must-have.
Let’s look at some of the latest cyber stats: cyber issues are up 144% compared to four years ago, with an average of 138 successful attacks per week, compared to 50 attacks per week in 2010; cyber-attacks cost the average U.S. company $12.7 million; attacks have become increasingly sophisticated in nature; reported incidents have increased 48% in the past twelve months (this does not include the number of attacks that go unnoticed or that organizations are unaware of); the average time it takes to detect a malicious cyber-attack is 170 days, with some types of attack taking 259 days on average to detect.
When it comes to cybersecurity, there are three types of companies: (a) those that have been hacked and admit it, (b) those that have been hacked and don't admit it, and (c) those that will soon be hacked.
Take time to examine the cybersecurity posture of the systems, devices and applications managing and operating your buildings. Ask yourself and the people who manage and operate them:
- Are we secure?
- How do we know we’re not compromised today?
- How would we know?
- What would we do about it if we were?
- Are we prepared to face the threat?
- Do we have a cyber security statement?
- How about the companies in our supply chain? Do they?
As you do, keep the following in mind:
o Understanding the issues, being informed, knowing what the implications are and engaging in dialogues about cyber security are critical
o Cybersecurity is more than an information and data risk. It’s a bottom line risk
o The average total cost of an incident is now $12.7 million
o Organizations that treat cybersecurity as a strategic issue perform better than those that view it as a tactical one
o There is a direct link between security and the business value of a company
o A negative cyber incident damages a business’s reputation. A business’s reputation is a company’s most valuable asset
o Think about cybersecurity in terms of reducing risk rather than in terms of ROI
o Inventory all your systems, devices and applications and their cyber protection
o Treat every system and every device as critical; protect them
o Build cybersecurity solutions and plan them into the front-end design
o Vet the cybersecurity defenses of those you do business with; do cybersecurity due diligence on vendors
Cybersecurity is a shared responsibility among technology providers, integrators/contractors, building owners and operators. Enlist facility personnel, building owners and IT and get them to understand the business risks associated with insufficient cybersecurity practices and weak postures.
Owners, operators and facility management: don’t overlook the security of your supply chain providers. Cyber-attacks can come through third parties, and a breach in one partner’s environment can easily propagate across today’s connected systems. When it comes to your supply chain, exercise due diligence before engaging with third-party providers; include appropriate cyber protection in contracts with technology service providers; take adequate measures to verify that the third party is adequately protecting your systems and access to them. Contracts with vendors should address cybersecurity by including an obligation to maintain reasonable cybersecurity and to provide notice when the vendor has a breach of their systems.
Integrators and contractors: as part of the value chain, examine and review the security practices within your organization and how they relate to your customers. Also take the time to review all of your deployments and the security of these installations to ensure the systems and networked devices are properly protected. Integrate a cybersecurity strategy for the systems, and secure remote access to them with additional layers of defenses, into all new deployments.
Cyber threats against the building environment are real. There's no issue that's become more important that's less understood than cyber security in buildings and facilities. Our building networks and systems are not immune to cyber issues. The best way to approach cyber threats is to realize one simple truth: it is not if an attack will happen; it is only when. It is the responsibility of all of us to take an active role. Stay ahead of the curve.