Smart buildings mean new risk challenges. How prepared are you?

In the property industry, you’re no stranger to risk. Managing assets and managing risk go hand in hand. It was always complicated staying on top of both technical services and cyber security. Now they’re much more intimately bound together, and it takes a different, more comprehensive approach to strategic management. The good news is that the benefits, both long and short-term, are significant.

How well do you know your building?

The built environment has changed. Maintenance, engineering, construction – all of it is bound together through systems that are, in turn, connected to the internet. Operational technical assets are linked with IT assets. All this connectivity brings different kinds of challenges.

The buildings of not-very-long-ago were entirely solid entities – bricks and mortar, steel and wood, concrete and glass. You could see and touch most of it. But those are not the buildings we’re dealing with today, even if they appear so to the naked eye.

Behind, above and below the traditional building structure are a host of assets that are out of sight, out of mind. Some may even exist without your knowledge. Hard technical assets are often hidden in out-of-the-way places like plant rooms, alleyways and wall cavities. And virtual services are even less visible.

But don’t let the word “virtual” fool you into underestimating just how real those assets are.

Your building management systems are linked to your virtual networks. Heating, ventilation, air-conditioning, point-of-sale systems, fire and access control systems, media screens and web applications can all be access points to each other and to various parts of your building management systems. Furthermore, they’re often set up, run and maintained by different contractors, each with their own security protocols (or lack thereof) and remote access.

Do you really have the appropriate information and insights about the hard technical and operational technology (OT) assets that occupy your built environment? Who’s responsible for identifying outstanding maintenance and repairs, and for proactively identifying critical upgrades? How are they linked, how do humans interact with them, and where are the possible security gaps throughout your asset network?

In order to understand your risk profile and plan for future asset management implementation strategies, you will need a comprehensive audit. This is the first step in the process, arming you with an inventory and baseline data on all your hard technical and virtual assets and services within the built environment. It’s the only way to ensure that your short and long-term capital and operational expenditure forecasts are based on fact, rather than guesswork. This will allow you to better manage your assets, compliance, safety, risk, and reliability, given that much of what needs to be managed is not visible.

What you don't know can hurt you

The only way to make efficient expenditure decisions is to be informed: know what risks you are carrying, decide what you are prepared to accept, and mitigate against what you’re not.

This is a proactive approach to building management. In the same way that we regularly update and perform preventative maintenance on visible parts of a building, doing the same behind the scenes has significant demonstrable benefits, enhancing the value of property portfolios by making buildings safer, more productive, more energy efficient, more sustainable, and more comfortable for tenants.

There are very strict codes and standards that must be adhered to when it comes to building management systems (BMS), HVAC, fire, electrical, plumbing, transportation systems, solar, safety services, refrigeration and building fabric. The property industry is well versed in these requirements. We understand the consequences when it’s not done well. And we cannot afford to be reactive. Ensuring we know exactly what’s going on requires the kind of expertise and experience that our subject matter experts at Grosvenor Engineering Group apply to their inspection of your built environment.

On top of these traditional systems, there are many more that you may not know you have (for example, surveillance systems or people counters embedded in the ceiling).

Through a detailed audit of the hard technical and operational technology (OT) assets and services within the built environment, an asset risk profile can be applied to all assets. Comprehensively interpreting the information from the completed audit will highlight possible failure points, identify where opportunities may exist to improve productivity, and decrease costs such as maintenance, energy and insurance.

Furthermore, this enhanced knowledge will allow for more accurate forecasting of capital expenditure on replacements, critical upgrades (of outdated or inefficient technology) and reinstatement costs, and so for more accurate budgeting to increase efficiency and productivity.

Connectivity and Covid-19

Smart buildings have a lot of connectivity (a word you hear a lot these days). Essentially, everything (refrigeration, phones, lighting, lifts – everything) is connected to the internet. And that translates to risk. It means you need to protect your building at a cyber as well as a physical level.

This connectivity has increased many times over because of the Covid-19 pandemic. Sixty-four per cent of employees are able to work from home, according to the Gartner 2021 CIO Survey[1]. Connectivity has allowed us to continue to operate. But it also greatly increases access points to previously invisible assets, and that means more risk. 

It’s never been more important to exercise due diligence in protecting your assets. This is both in the context of acquisition of new assets and in the ongoing management of existing assets and the heightened risks associated with owning smarter buildings. This serves your interests of course, but the importance of doing so is reflected in upcoming legislation.

The Federal Government is making changes to the Security of Critical Infrastructure Act (2018)[2], introducing a “positive security obligation” requirement[3] for industries in a broad range of sectors (communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage).

There are many ways to be vulnerable. One of the most prominent threats out there is ransomware, where malicious actors gain control of your data, encrypt it, and demand money to restore your access.

The Government’s Cyber Security Industry Advisory Committee says “ransomware has become one of the most immediate, highest impact cyber threats to Australia … Given the stakes are so high, organisations need to understand the risks and prepare accordingly, know what action to take in the event of a ransomware attack and have a clear understanding of their legal and regulatory obligations. To put it simply, organisations cannot afford to be complacent.”[4]

Whether through phishing emails (“Your parcel is awaiting delivery. Click here to verify your address and delivery details”), lack of vigilance when it comes to patching, leaving systems visible to unknown parties, or even leaving them open for remote access by contractors or off-site staff, your building can be more open than you currently know.

Smart building connectivity means ransomware can affect not only your data, but also the building management servers that control systems such as lighting and HVAC.

So, how do you mitigate against this? By knowing what you have, how it’s connected, who has responsibility, and who has access.

You can protect your assets if you know your assets

Physical and virtual asset and services auditing is the first step in strategic asset management.

The largest security gap is around knowledge. Once you’ve addressed that, you can start asking and answering the questions that will enable you to plug the rest.

For instance, can your lighting be controlled by someone externally? What are the operational and financial consequences of that happening? What about your lifts? Can a malicious actor gain control and trap people there? Can someone gain access to your CCTV cameras?

You may have had various contractors over the years managing different systems. Perhaps they didn’t leave you with handover details and passwords, or some of what’s been done is now out of date. Some systems may have disappeared from view altogether.

A thorough scoping audit requires detailed knowledge of cybersecurity and technology as well as the skills and expertise required to perform a traditional hard technical asset audit.

Buildings are an interconnected web of systems, so it’s not enough to know cybersecurity intimately, or operational technology like the back of your hand. You must understand both.

The greatest cost is the one associated with doing nothing

Carrying unknown risk, taking a reactive approach to upkeep, and facing liability for future failure all come with dollar signs followed by numbers with many zeroes on the end.

However, budgets for cybersecurity in OT are still often much tighter than for IT. According to Nicholas Lianos, Managing Director of Grosvenor Engineering Group, organisations allocate up to 30 per cent of their IT budget to cyber security, but rarely anything at all when it comes to building operating systems. That used to make sense because building systems were not previously connected to the internet. 

Times – and buildings – are different now, but budgets have not caught up. 

According to PwC, more than half of the executives they surveyed for their 2021 Global Digital Trust Insights report are not confident that their cybersecurity spending is in fact aligned with the risks they face[5]. “Cyber budgets could — and should — link to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way, but 53% lack confidence that their current process does this,” says PwC.

So, cybersecurity for OT is just as essential as it is for IT. However, given the scarce budgets and resources for cyber security in OT, efficiency that enables a high return on investment is more critical than ever.

Grosvenor Engineering Group provides a unique marriage in the property industry – expertise in hard technical services and cybersecurity and virtual systems. When their teams perform a full audit, they do it all. 

They have the expertise and resources to audit all assets, physical and virtual. And they ensure you have ownership of and access to all the data (which is, after all, yours) in a meaningful way.  

For more information about our strategic audit and management services, contact 1300 255 247 or visit www.gegroup.com.au.

References:

[1] https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for-2021/have 

[2] https://www.legislation.gov.au/Details/C2018A0A0029

[3] https://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r6657_ems_928e0092-fabb-4c31-a67b-b47ac1123e17/upload_pdf/JC000738.pdf;fileType=application%2Fpdf

[4] https://www.homeaffairs.gov.au/cyber-security-subsite/files/tackling-ransomware-threat.pdf

[5] https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights/cyber-budget.htm