Converging Roles: The Importance of FM in Cyber-Physical Security and Safety

FMs are critical to protecting physical assets from digital threats. Cyber threats emerge from connections to wider networks and the internet, and from physical penetrations by either people or autonomous vehicles (e.g., drones). Drones have increasingly become involved in cyberattacks by flying within range of a building’s Wi-Fi networks or by photographing screens and documents on people’s desks (Sussman, 2022).

However, in most organizations, responsibilities for enterprise security are divided among physical and IT teams, creating gaps (Virga, 2023). FM roles and responsibilities relating to building security will converge with IT, OT, network and cybersecurity specialists, necessitating the creation of joint cyber-physical security teams — enterprise security teams — that assess how physical security supports cybersecurity and the development of new contractual mechanisms (see figure below).

Unfortunately, most organizations’ security functions operate independently of each other, with limited collaboration on converging enterprise-wide risks. Senior leaders and related teams often fail to understand the interconnectivity between physical and cyber assets, and the resulting liability to address building safety risk. As a result, even when senior stakeholders see the need for collaboration, the lines of communication are unclear and impede coordination and collaboration, rendering the organization unable to quickly identify, prevent and respond to increasingly complex threats (Virga, 2023).

Figure 9. Although building systems are converging, the security of the built environment is maintained separately (Virga, 2023)

FMs are responsible for physical security and occupant safety, which is critical for protecting digitizing buildings, people, information and infrastructure from potential hackers physically accessing critical systems. Electronic security systems, security personnel and physical interventions like physical barriers, lighting and utility protection are among the measures that FMs can take. Electronic security includes access control, intrusion detection, video surveillance and other measures and services. Security personnel include security guards, receptionists and other facility staff who ensure that the right people have access to controlled spaces in the building and prevent unauthorized access to critical assets like server rooms, OT hosts and various devices and control panels (Virga, 2023).

These actions are necessary to prevent “tailgating” and to keep disgruntled former employees from entering the building. Tailgating is when an unauthorized person slips into a secure area behind someone who shows proper ID. Once inside, the perpetrator might wait for an employee to leave their badge or computer unattended, which enables the perpetrator to breach IT or OT systems. Disgruntled former employees can be a source of workplace violence but can also pose a cyber risk. A former South Georgia Medical Center employee who still had access to the building and systems copied nearly 42,000 patient files onto a USB drive (HIPAA Journal, 2022).

In addition to physical security, FMs must address how they develop and negotiate vendor contracts. FMs will be responsible for working with the proper specialists to ensure that the specifications, configuration instructions, submittal reviews and cyber commissioning requirements are included in existing and upcoming contracts with all vendors (Niemeyer, 2023).