RECOMMENDATIONS
IFMA recommends the following activities to increase your cyber preparedness and add value within enterprise-wide security teams as responsibilities for physical, IT and OT security converge.
BE AWARE
- Build your awareness. Cybersecurity threats in connected technologies are constantly evolving. Facility managers must proactively develop their awareness and preparedness to protect their buildings and those who use them.
- You can start with resources found in IFMA's Knowledge Library (search for content under Facility Information Management & Technology Management), published white papers/research reports and IFMA's FMJ, and benefit from education through IFMA strategic partners, affiliated organizations and events (for example, the non-profit Building Cyber Security (buildingcybersecurity.org) and RealComm's CRE Cyber Security Forum).
- Explore industry cybersecurity standards like Building Cyber Security's (BCS) Framework, which is based on ISO 27001, and ISA/IEC 62443 from the International Society of Automation.
- Attend cybersecurity training programs and workshops and read industry publications to stay informed on the latest cyber-physical threats facing the built environment.
- Understand your organization’s cybersecurity posture and identify opportunities for FM stakeholder roles in engaging with and delivering on these objectives.
ENGAGE
- The FM team should be part of the organization’s enterprise security team (EST) to ensure that physical security supports and enhances the organization’s cybersecurity posture.
- The EST should consist of the organization’s IT, OT, physical security and cybersecurity professionals.
- The EST should meet regularly to learn about emerging threats and share best practices.
ASSESS
- The EST should review existing cybersecurity policies to best integrate physical security with the organization’s ongoing security practices. See the Enterprise Security Checklist section.
- The EST should use real estate industry cyber safety and security standards like Building Cyber Security's BCS Framework (based on ISO 27001), NIST guidance and the global technology standard ISA/IEC 62443, developed by the International Society of Automation (ISA).
- The EST should engage a certified cybersecurity specialist to assess their integrated security practices and posture.
- The cybersecurity policies reviewed in this step should outline the organization's approach to cybersecurity, including the roles and responsibilities of all staff members, the procedures for reporting and responding to cybersecurity incidents, and the measures in place to protect the organization's digital assets, whether IT- or OT-based.
- If you are a tenant or have tenants in your building, tenant leases must be reviewed and cyber clauses added to delineate expected roles and responsibilities for cyber protection among stakeholders.
- The EST should initiate a review process relating to both cyber and property & casualty insurance policies to understand cyber-related terms and exclusions concerning assets in the building(s).
REVIEW
- The EST should review the organization’s security posture through regular risk assessments, which should be conducted at least annually or more frequently if significant changes are made to the organization's digital infrastructure.
- Risk assessments should identify the organization's most valuable digital assets (including OT systems), the potential threats to these assets, and the likelihood and impact of these threats materializing. This information can then be used to prioritize the organization's cybersecurity efforts and ensure that resources are allocated effectively.
- Review existing and upcoming vendor contract specifications, configuration instructions, submittal reviews and cyber commissioning requirements.
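The risk assessment described above (asset, threat, likelihood, impact, then prioritization) is usually kept as a risk register. The script below is an added example, not part of the IFMA text; it scores each entry as likelihood x impact on 1-5 scales, buckets the score into a rating, and lists the mitigations for everything at or above a chosen rating. The register entries, the scales and the rating thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scales mapped to 1-5, a common risk-matrix convention (assumed here).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Risk:
    asset: str
    asset_type: str          # "IT" or "OT"
    threat: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    controls: list = field(default_factory=list)  # candidate mitigations

    def score(self) -> int:
        """Likelihood x impact on the 1-5 scales (range 1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Bucket a score into four ratings (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(risks):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def mitigation_plan(risks, min_rating="high"):
    """Return (asset, rating, controls) for every risk at or above min_rating."""
    threshold = RATING_ORDER.index(min_rating)
    return [
        (r.asset, rating(r.score()), r.controls)
        for r in prioritize(risks)
        if RATING_ORDER.index(rating(r.score())) >= threshold
    ]


# Constructed sample register for a single office building (not real data).
SAMPLE_REGISTER = [
    Risk("BMS controller", "OT", "vendor remote-access account without MFA",
         "likely", "severe", ["require MFA on vendor access", "segment BMS network", "patch firmware"]),
    Risk("Badge access control server", "OT", "stale badges after offboarding",
         "possible", "major", ["automate HR-to-badge revocation", "quarterly badge audit"]),
    Risk("CCTV NVR", "OT", "default credentials on network recorder",
         "likely", "moderate", ["change default passwords", "remove internet exposure"]),
    Risk("Visitor Wi-Fi", "IT", "guest network not isolated from OT VLAN",
         "unlikely", "major", ["firewall rule review", "separate guest VLAN"]),
    Risk("Digital signage player", "IT", "content tampering", "possible", "minor",
         ["restrict admin interface to management network"]),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2} {rating(r.score()):<8} {r.asset_type:<2} {r.asset}: {r.threat}")
```

Running the block prints the register from highest to lowest score; `mitigation_plan(SAMPLE_REGISTER)` then gives the EST the ordered list of controls to fund first, which is the "prioritize efforts and allocate resources" step the recommendation calls for.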
IMPLEMENT
- Based on the outcomes of these assessments, implement measures to mitigate risks to your increasingly digitized assets. This could include ensuring that software and hardware are updated and have the latest security patches. It also includes implementing strong access controls to critical assets, ensuring that former employees' access to the building and its systems is revoked promptly, encrypting sensitive information, taking regular backups and implementing network segmentation.
- Consider either in-house or third-party services to provide continuous patching, monitoring, remediation and protection of OT, including an industry certification for building cyber safety.
- Update vendor contract specifications, configuration instructions, submittal reviews and cyber commissioning requirements to include cybersecurity for IT and OT systems.
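One of the access-control measures listed above, revoking former employees' building access, is easy to state and easy to let slip. The script below is an added example, not IFMA's or any vendor's code; it reconciles an HR roster export against a badge export from the physical access control system and flags enabled badges whose holder has been terminated, whose badge has no HR record, or whose badge has not been used for a configurable number of days. Both CSV exports are constructed sample data, and the column names are assumptions about what such exports contain.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). In practice these come from the
# HR system and the physical access control system (PACS); column names are assumed.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
1001,Ana Lopez,active,
1002,Ben Okafor,terminated,2024-03-15
1003,Chen Wei,active,
1004,Dana Smith,terminated,2024-05-02
1005,Eli Park,active,
"""

BADGE_EXPORT_CSV = """badge_id,employee_id,holder,enabled,last_used
B-01,1001,Ana Lopez,true,2024-06-10
B-02,1002,Ben Okafor,true,2024-05-30
B-03,1003,Chen Wei,true,2024-06-11
B-04,1004,Dana Smith,false,2024-04-28
B-05,,Contractor badge 5,true,2023-11-02
B-06,1005,Eli Park,true,2024-01-05
"""

TODAY = date(2024, 6, 12)  # fixed "today" so the sample output is reproducible


def find_stale_badges(hr_csv: str, badge_csv: str, today: date, dormant_days: int = 90):
    """Return findings for enabled badges that should be reviewed or revoked."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for b in csv.DictReader(io.StringIO(badge_csv)):
        if b["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to revoke
        last_used = date.fromisoformat(b["last_used"]) if b["last_used"] else None
        emp = roster.get(b["employee_id"]) if b["employee_id"] else None
        if emp is None:
            # Badge not tied to anyone HR knows about: unowned badges get no offboarding trigger.
            findings.append({"badge_id": b["badge_id"], "reason": "no matching HR record"})
        elif emp["status"] != "active":
            term = date.fromisoformat(emp["termination_date"])
            reason = f"holder terminated {term.isoformat()}"
            if last_used and last_used > term:
                # Use after the termination date is worth an incident ticket, not just revocation.
                reason += "; badge used after termination"
            findings.append({"badge_id": b["badge_id"], "reason": reason})
        elif last_used and (today - last_used).days > dormant_days:
            # Dormant credentials are a smaller risk, but still candidates for review.
            findings.append({"badge_id": b["badge_id"],
                             "reason": f"dormant for {(today - last_used).days} days"})
    return findings


if __name__ == "__main__":
    for f in find_stale_badges(HR_ROSTER_CSV, BADGE_EXPORT_CSV, TODAY):
        print(f"{f['badge_id']}: {f['reason']}")
```

Run against the sample data, the check flags B-02 (terminated and used afterwards), B-05 (no HR record) and B-06 (dormant), while the already-disabled B-04 is ignored. Scheduling this reconciliation, rather than relying on a manual offboarding step, is what turns the recommendation into a repeatable control.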
TRAIN
- Ensure that relevant staff receive regular Building Cyber Security training as part of the company's annual compliance training requirements. Training should cover such topics as:
○ Roles and responsibilities
○ How and to whom incidents should be reported
○ The most common cyber and physical security threats, and how to mitigate the associated risks
○ How to respond to emerging or late-breaking national cyber threat alerts
PREPARE
- Even with the most robust security measures in place, it is still possible for a cybersecurity incident to occur. The integrated enterprise risk plan should have an incident response plan specifically to address a cyber threat to OT and building systems, including notification and evacuation procedures.
- This plan should outline the steps the organization will take in the event of a cybersecurity incident, including the roles and responsibilities of staff members, the procedures for containing and mitigating the threat and the processes for recovering from the incident and restoring normal building operations. The plan should also include plans and procedures for coordinating with law enforcement and first responders, as necessary, and communicating with tenants and the public.
FOSTER
- FMs must foster a cyber safety and security awareness culture within their organization. This culture can be achieved by:
○ Encouraging open communication on identified issues and providing a safe environment for staff to report potential threats or incidents.
○ Treating cyber hygiene, protection and training as a human safety priority.
○ Recognizing and rewarding staff members who demonstrate a strong commitment to cyber safety and security.
○ Regularly sharing information about the latest cybersecurity threats and best practices within the organization and with external partners and stakeholders.
○ Ensuring that cyber safety and security are key considerations in all aspects of the organization’s operations, from procurement and vendor management to designing and implementing new digital systems.
COLLABORATE
- Facility managers should recognize cybersecurity as a shared responsibility and seek to collaborate with external partners and stakeholders to enhance their cybersecurity awareness and preparedness.