Facility managers and building owners must be prepared and understand how digitization and technology enablement strategies can impact a buildings cybersecurity posture. It has become increasingly important to have an awareness of the potential cybersecurity vulnerabilities and risks associated with implementing new technologies, and the evolution of protection required for facilities and tenants from increased cyber risks.
While Information Technology (IT) and control systems environments, often referred to as Operations Technology (OT), have traditionally run as independent networks, with increased focus on business improvement initiatives and adoption of new technology, this is no longer the case.
As more internet-connected devices are being incorporated into facility operations, facility managers along with professionals from both IT and OT must be prepared to work closely together in creating and managing effective cybersecurity policies and procedures to uplift the overall business cybersecurity posture.
With more complex systems comes more complex associated risks, and unprotected systems become tempting targets. For facility managers, cyber readiness is becoming more important to effectively manage risk.
Understanding the cyber risks
Incorporating IT capabilities such as big data analytics and IoT across OT environments has vastly improved productivity and efficiency for facility managers. With the implementation of new technologies comes the evolution of the protection required for facilities and tenants from increased cyber risks.
Multiple proprietary systems can now easily be centralised through connectivity and automation which helps optimise building performance, but this also expands the possibility of cyber-attacks by notably increasing points of entry for malicious activity. Some of the more common cyber threats are in the area of unauthorised access to controls and security systems. These threats include shutting down cooling or power management functions for a data centre, destroying operational equipment and taking business-critical applications offline. Whilst others include the ability for a third party to gain unauthorised access to internet-connected physical security systems.
The need for awareness
As awareness of the threat landscape grows, companies are now sharpening their focus on cybersecurity. While loss of personal data can have financial consequences, an attack on an OT environment can have consequences beyond just financial loss – including prolonged outages of critical services, environmental damage and life safety.
There have been increasing attacks on manufacturing industry, critical government infrastructure such as dams, public transport and hospital networks. The most recent Notifiable Data Breaches report indicates that breaches have occurred more regularly month-to-month, with the health sector reporting the most cyber-attacks out of any other sector. Worse still, 61% of these attacks were identified as malicious or criminal.
This paints a picture that there are highly skilled and motivated adversaries actively seeking to exploit the security weaknesses in the OT environment targeting networks, control systems and critical infrastructure. Understanding how an attacker can gain access to a system, including the various attack techniques is an important step in mitigating the risks and will help organisations be aware of the threats that exist in their own network.
Have a cyber strategy
Having a cybersecurity strategy in place is important so that when things don’t go to plan, you already have a policy in place that you can implement. This starts with employee training and awareness, also ensuring that facility managers know which assets are important to protect, the threats to those assets and the rules and controls for protecting them.
Developing, reviewing and maintaining your policies and procedures is paramount, including guidelines for password requirements, the handling of sensitive data and the use of removable devices being factored in, just to name a few. Having employees know the clearly defined steps to handle a cyber incident could be the difference between a slight hiccup and a total disaster.
A thorough risk assessment can also be incredibly helpful. Looking at your asset inventory so organisations can identify which assets are connected to networks, establishing a baseline for network traffic to help identify existing gaps and potential security vulnerabilities tied to the OT environment assists in guiding to more effective protection methods. These findings can then be leveraged to create a cybersecurity strategy that is specific and detailed.
As OT and IT systems continue to converge, it is more essential than ever that organisations are aware of the risk across their OT environments and enhance their security posture to reduce cyber risk. The landscape of cybersecurity is changing and evolving as technological advancements continue to grow. Facility managers are key decision makers in how to respond to crises, and it’s important they do so with a strong foundation of knowledge and planning.