Cybersecurity is paramount, but with so many networks and vulnerabilities overlapping each other in an office building, determining who is responsible for securing what can be a challenge. Occupiers dedicated to IT best practices need to know their landlord or property managers are likely just as dedicated to operational technology (OT) best practices. Tenants are responsible for protecting their valuables and locking their own doors, but buildings must ensure hackers never make it into the neighborhood in the first place.
Understanding the difference between IT and OT is the first step in delineating cybersecurity responsibility. Cybersecurity in buildings is really a lot like physical security in buildings. Most landlords don’t lock tenants’ doors or secure their valuables for them regularly because doing so increases vulnerability for both parties. Data isn’t much different. Most tenants are responsible for their own IT security. They protect their own networks and restrict access to only their users, preventing building management from accessing them in most cases.
The deciding factor is often who manages the data. If the data is on a server only the tenant can access, it’s their responsibility. If it’s on a server the building controls, it’s the owner’s responsibility. Operational technology security is about protecting the infrastructure those networks rely on by making sure the building network doesn’t create vulnerabilities hackers can exploit to get on tenant networks, where the data they really want resides.
Most building data isn’t all that valuable to hackers. Data from buildings tends to be mostly boring, showing indoor air temperature, energy usage, efficiency, and the like. It is mostly mechanical information only useful to the building operators and the vendors that service them. In some smart buildings, occupancy sensors, CCTV footage, indoor air quality monitors, and other more advanced systems collect even more data. For this data, privacy is a major concern, but a breach of this type of information is not cataclysmic; it threatens reputational harm more than any other kind. Building-level security is usually focused on ensuring that building technology infrastructure and the flow of data keep systems functional. That is exactly why building systems can sometimes be the conduit into the tenants’ IT networks.
“The prime reason buildings are attacked is not for disruption, they’re looking for pathways to IT networks,” Harsha Vachher, Founder and CEO of K Tech Labs, said. Vachher has been working in cyber security solutions architecture for nearly 20 years, founding her own firm in 2019. “IT and OT convergence must be done in a secure way. Building management systems and other smart building systems need firewalls with firm rules. In one instance of testing, we were able to get into an IT network in two minutes through the BMS. Hackers are always looking for a path to IT.”
Hackers want to get onto the tenant networks, where payment information, customer profiles, proprietary documents, and other critical data reside. Going back to my physical building security analogy, valuables are in the homes of residents, not the hallways. Thieves don’t want to steal lobby furniture and corporate art; they want what’s locked behind each door. It’s management’s responsibility to make sure criminals never make it into the building.
One of the difficulties in digital security is that you have to keep up with the software updates. “The main challenge is the poor overall cyber hygiene in the OT environment,” Vachher explained. “There are so many systems being used, the systems are not updated, the systems are not checked. There are so many vendors in this space, each coming and doing their own job, so it’s difficult to manage these silos, especially when it comes to security.” Mobile-based tenant apps represent a new risk. If a breach happens because of the app, it can cascade quickly, exposing personal information from the user’s phone like social media, emails, photos, and more.
Building systems generally lack the type of policy framework that IT security strictly adheres to. The National Institute of Standards and Technology (NIST) has extensive guidelines and best practices for security that anyone in IT is familiar with, but in OT security, those basics are lacking. Passwords and users are never purged, and systems are hardly backed up; even when they are, the backup is often more than 90 days old. Most buildings don’t have a cyber security incident response plan, so they have no idea what to do even if they do detect a breach.
Then there are the devices, oh those darn devices. Buildings are being stuffed with sensors, many being put on the network and forgotten. IoT devices are hardly created with a security mindset. More hardware creates new connections between systems, adding more risk. A basic cyber security audit starts with a thorough accounting of every device connected to a network. Most owners and managers are shocked when they see the true number of connections. All these factors combine to create the poor cyber security “hygiene practices” that Ms. Vachher speaks of.
OT and IT cyber security both draw from the same principles. They both start with awareness. You can only protect things you know about, so it’s important to account for and understand the risk of every device and network. Publicly available networks increase exposure so it is important to know what networks are public and what devices are using each network. Critical networks, like the BMS, are often best left private. Network monitoring software can flag suspicious activity, like when two networks that don’t typically work together start sharing data. But you also need to know what version of the software is installed on every device and be diligent to always keep them up to date.
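The monitoring idea described above, flagging traffic between networks that do not normally work together, as an added Python example (not code from the article or from K Tech Labs). The subnets, segment names and flow records are constructed for illustration; a real building would feed in flow logs exported from its own firewalls or switches.

```python
import ipaddress
from collections import Counter

# Assumed segment plan (constructed; a real building's subnets will differ).
SEGMENTS = {
    "bms": ipaddress.ip_network("10.10.0.0/24"),
    "cctv": ipaddress.ip_network("10.20.0.0/24"),
    "signage": ipaddress.ip_network("10.30.0.0/24"),
    "tenant_a": ipaddress.ip_network("10.100.0.0/24"),
}

def segment_of(ip):
    """Map an address to its segment; anything unaccounted for is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def learn_baseline(flows):
    """Directed segment pairs observed during a known-good window."""
    pairs = {(segment_of(s), segment_of(d)) for s, d, _ in flows}
    return {(a, b) for a, b in pairs if a != b}

def flag_new_pairs(flows, baseline):
    """Count cross-segment flows whose segment pair is not in the baseline."""
    alerts = Counter()
    for src, dst, dport in flows:
        a, b = segment_of(src), segment_of(dst)
        if a != b and (a, b) not in baseline:
            alerts[(a, b, dport)] += 1
    return dict(alerts)

# Constructed flow records: (source IP, destination IP, destination port).
BASELINE_FLOWS = [
    ("10.10.0.5", "10.10.0.1", 47808),   # BACnet/IP inside the BMS segment
    ("10.20.0.9", "10.20.0.2", 554),     # camera to recorder
    ("10.10.0.5", "10.20.0.2", 443),     # known BMS-to-CCTV integration
    ("10.100.0.20", "10.100.0.2", 445),  # tenant traffic stays in tenant_a
]
TODAY_FLOWS = [
    ("10.10.0.5", "10.20.0.2", 443),      # in baseline, not flagged
    ("10.10.0.5", "10.100.0.2", 445),     # BMS host reaching a tenant server
    ("10.10.0.5", "10.100.0.2", 445),
    ("192.168.50.4", "10.10.0.1", 47808), # device missing from the inventory
]

if __name__ == "__main__":
    for pair, count in flag_new_pairs(TODAY_FLOWS, learn_baseline(BASELINE_FLOWS)).items():
        print(pair, count)
```

The `unknown` segment ties the check back to the device inventory: any address that belongs to no documented subnet is reported the first time it talks to a known one.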
Regularly purge older users and remove passwords. Create an incident response plan that clearly outlines tenant communication protocols when a breach does occur. BMS, BACnet, lighting, and CCTV systems are particularly vulnerable; be sure each is properly firewalled. Digital signage and any other system that gives third-party vendors network access must be closely monitored. Much is written about the technical nature of cyber security, but ultimately the best defense is awareness, which only requires leaders to think about the issues. Basic principles of IT security must be carried over to the building’s digital security to provide the type of holistic systems necessary in the growing threat landscape. Ready or not, building owners have a critical role to play in protecting tenants from the rapidly growing number of cybercrimes.