THE CONVERGENCE:
Managing Digital Risk and FM’s Role in Protecting Digitized Buildings
Executive Summary
To address these challenges, the International Facility Management Association (IFMA) organized an Executive Summit with cybersecurity and security experts in February 2023, resulting in the following white paper identifying FMs’ role in protecting a digitized built environment.
Digitization and Emerging Technologies Offer the FM Industry Opportunities and Challenges
- Facility/facilities managers (FMs) can improve management and operational efficiency by connecting and digitizing their buildings and operations.
- The connected management of operational technologies (OT) in facility systems and building infrastructure can reduce costs, enhance the tenant experience and improve efficiency and sustainability.
- FMs, however, are often unaware of the challenges in protecting buildings and operations from cyber threats.
- The rapid convergence of information technologies (IT) and OT changes facility managers' operating environments and responsibilities.
- Buildings have become complex technology ecosystems, consisting of multiple technology layers and IT and OT systems that change at different rates and affect occupant experience, safety, health and comfort.
- As organizations and their FM teams rapidly digitize assets and operations, they create new gaps and weaknesses among different building layers and vendor supply chains, which can introduce vulnerabilities.
- An emerging challenge is ensuring the safety and security of a building’s digital infrastructure to protect occupants and preserve operations.
IT-OT convergence increases cyber risks to human safety
- IT and OT convergence in building technologies has increased vulnerabilities exponentially. FMs face a growing number of cyberattack vectors and risks to the assets they operate and manage, which can threaten human life if compromised.
- OT systems are different from IT systems. OT devices interact with the physical world in ways conventional IT devices do not.
- OT systems often run on antiquated platforms, whose operating systems are no longer supported, making them vulnerable to breaches by hackers who can manipulate control systems and cause damage (Singh, 2023).
- OT systems often lack security monitoring and the ability to install security updates, leaving intrusions unnoticed and known weaknesses unpatched.
- The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for OT devices than conventional IT devices (O’Rouke et al., 2019).
- Many OT devices cannot be accessed, managed or monitored like conventional IT devices. Breaches are often overlooked or mistaken for equipment failure, allowing time for hackers to penetrate and exploit other building IT and OT systems.
- A cyberattack on building control systems (for example, elevators, HVAC, or fire controls) must be treated as an immediate threat to occupant safety, with responses including building evacuation and closure until safe building operations can be assured.
- A bad actor does not need to infiltrate and compromise a building system — the threat alone requires immediate consideration and action to assess occupant safety.
Buildings are targets. Cyber and P&C insurance are increasingly difficult to obtain.
- Buildings have become targets for hackers, who can be motivated by geopolitical tensions, personal animosity or economic gain.
- The costs and risks associated with cyber incidents are large and growing. They include threats to life, safety, brand, network, regulatory compliance, productivity and equipment. The average cost of a single data breach is estimated at US$ 4.35 million, and cybercrime and espionage cost global society over US$ 1 trillion in 2020 (Building Cyber Security, 2023).
- As cyberattacks become more frequent and costly, cyber insurance providers are raising their premiums and tightening their requirements. For instance, they may ask for more evidence of security measures or conduct more rigorous audits. Many insurance companies are also including carveouts for state-sponsored attacks.
- In addition, property and casualty insurance policies are being rewritten to exclude coverage for losses from a cyber incident that affects human health or property.
- Building owners and facility managers have both a physical liability risk and an asset valuation risk for a cyber incident that can strike immediately without warning.
- Transferring cyber OT risk to insurers does not remove the liability of building owners and managers for the safe operation of a building and the responsibility for any incident that results in a loss of life or property.
- Building owners and facility managers are at risk. FM operations can be at the epicenter of an attack affecting customers and the supply chain, as illustrated by the breach that cost Target over US$220 million due to credentials stolen from an HVAC vendor.
- The “One wrong click can create a 92-day recovery” case shows how inadequate FM security measures can take an HVAC system offline for 92 days, rendering a building unusable.
FM awareness is low, and approaches to enterprise security are siloed
- FMs play a critical role in protecting occupants, valuation and physical assets from digital threats. Awareness of these risks is low, and organizations often maintain OT, IT and physical security separately, limiting collaboration, impeding coordination and creating gaps.
- FMs must be aware of the connected technologies in the buildings they are responsible for operating, and must protect them from a wide range of threats and conditions.
- FMs should invest in basic IT and OT systems knowledge for their personnel.
- FMs must also be aware of the physical locations where devices could be placed in ways that affect building security.
- Organizations must create enterprise security teams consisting of FM, IT and OT experts. FMs should work with IT, OT, network and cybersecurity specialists to secure their devices, subsystems and connections.