The Built Environment and the FM Industry Face a Gathering Cyber Storm
Shearing Layers of Change
Shearing Layers of Change
1. SCALE
Constant Flux of Change
Surrounding larger-scale system of buildings and infrastructure
A building never stands alone and is embedded in a larger-scale system of buildings and infrastructure. On our way to work, we may drive on highways, streets and alleys; pass bridges, traffic lights and intersections; and observe other buildings along the way. We also envisage an individual building embedded in a broader family of buildings: a building complex, industrial zone, shopping mall, business district, neighborhood, campus, village, district or city. All are imprinted in our minds, establishing a mental map through a built environment to a destination.
2. SITE
100+ Years
Environment in which buildings are situated, which can be altered
A building is grounded on a lot or occasionally could be floating on water. A site may be hidden by the construction or bordered by pavement, garden or fence. Arrival at the building communicates much about the organization to the trained eye. Looking down and around the site serves as a signifier of an organization. Its population, sobriety, neglect or care are often evident at first glance. These immanent visual messages act as a daily dose of "this is how we do things here," immersing people in a meaningful geographical setting from the gate to the entrance.
3. STRUCTURE
~50–100 Years
Primary structural systems of buildings
A building consists of a foundation and loadbearing components, like the roof, walls and floor. A roof may be carried by wall, beam and column, transferring its weight to the floor, transverse a ceiling, then to the wall, beam or column below. They do so repeatedly until the roof's weight hits the foundation. Together, these primary forms define the interior spatial possibilities for organizations from attic to basement. The structure frames the opportunities for organizational resilience and change. When columns and side-bearing walls replaced internal load-bearing partition walls, it created previously unattainable wide spaces with enormous flexibility of use over the building's life expectancy.
4. SKIN
~25–50 Years
Building enclosures, if properly designed, repairs will be minimized
A building's exterior consists of a facade with a door and windows and possibly a balcony, veranda or gallery. This layer is the building's main connector to the surrounding world — from the outside-in and inside-out. The skin shows its shape, size, colors, textures and cladding to the environment. Doors regulate accessibility, allowing people to enter and leave. Windows define connectivity and privacy, enabling users to affect their well-being by providing views of the world and the ability to regulate light, fresh air, temperature and noise levels.
5. SYSTEMS
~15–25 Years Array of technical systems inside a building A building contains a complex array of technical systems. These systems are often invisible, hidden behind or incorporated into ceilings, walls or floors. They significantly impact a building's functionality. Such systems are the building intestines and often constitute the world of engineers with installations, fittings, piping, wiring, sensors and routers. These systems regulate the supply of water, air and electricity. They provide heating and cooling, artificial light and access to the internet. They drain and dispose of waste materials. Systems provide for Maslow's basic human needs — nourishment, hygiene, safety and security — so people can work, learn and socialize no matter the time or place.
6. SPACE PLAN
~5–15 Years
Interior space alterations including walls, flooring and ceilings
The non-supporting walls and partitions constitute the space plan. These walls and partitions provide designers or planners with many possibilities to limit or expand main spaces within a building. A designer or planner can decrease or increase the size of an area, affecting the size of a group that can use a space. The space plan can divide or connect humans. The following elements and their spatial positioning determine a space plan: stair, escalator, elevator, ramp, corridor, fireplace and toilet. These elements create a spatial logic or grammar that denotes how a building should be understood and read. The space plan defines group formation, working routines, social structures and chance encounters.
7. STUFF
~0–5 Years Various furniture, supplies and storage place in buildings
The stuff inside mediates users' experiences within buildings. Stuff includes furniture, furnishings, and the use of materials and colors, including art, plants and signage. It is the most appealing layer for many, as stuff viscerally affects our senses. Its condition can make a space aesthetically, ergonomically and acoustically pleasing. Its state determines how users experience buildings. The interior architect or designer can use these elements to create a targeted atmosphere, absorb or amplify sound, brighten or dim a building, or nudge people in the right direction.
8. SERVICES
~15–25 Years
The work that is done to facilitate people and maintain buildings
Buildings need a wide array of services to maintain a built environment and serve its inhabitants. A building needs reception, catering, hospitality, safety and security services. For example, the site may need gardening services. Surrounding pavements or roads need sweeping, and various machines need repairing or replacing. Security services assure that the right people access the building and ensure occupant safety and security. Windows, floors and furniture need regular cleaning. These services are critical for a building's upkeep. Services fulfill people's physiological needs, including safety, belongingness and comfort.
9. SOULS
Constant Flux of Change
Occupants experiencing a building through their senses
The final sheering layer is also the most fleeting. It consists of the human layer and how occupants experience a building through the human senses. We perceive and judge the building and its other eight layers quickly. We attribute meaning to a building, which can make a significant or terrible impression. A building can make us happy or inspire us, and it can also frighten or repulse us. Spaces can be socially engaging and help us with the things we need to do by stimulating human interaction, providing structure to our work, or providing affordances to help us concentrate on a complicated task. Buildings are more than mere spatial containers; they are living spaces where the quality of life can be felt and experienced.
The most fleeting layers consist of occupants, aka “souls” and “stuff.” People are the souls in the building, constantly coming in and out, moving through the built environment. They carry an ever-changing array of IT devices (smartphones, watches, thumb drives, tablets, computers, medical devices, etc.). Most people are well-intentioned, while a few are not. Some who were once well-intentioned can emerge as insider threats when they are fired, passed over for promotion or recruited by a malicious actor, whether wittingly or unwittingly (i.e., social engineering), to facilitate access to internal networks. “Stuff” includes increasingly connected intelligent furnishings like height-adjustable furniture, audiovisual equipment, digital signage and smart coffee makers. These items move around the building and are replaced every few years.
Other layers, like systems, for example, include assets like HVAC, lighting systems, access control, etc. Figure 3 shows ten building-related systems and their subsystems that often run on separate OT platforms. The emergence of grid-interactive buildings — which create buildings that consume and distribute energy to the broader electrical grid — and the Internet of Things (IoT) will only increase the cybersecurity risk at the systems level. These systems are OT-based and are designed to operate for 15 years or more.
Unlike IT systems that typically use a few operating systems like Microsoft Windows, Google Chrome, Apple macOS and iOS, or Linux, OT systems have hundreds of operating systems — some designed and installed decades ago. In addition, OT systems are often set up by vendor(s) in collaboration with real estate or FM teams. This means a vendor installs the network (cables, unmanaged switches and cable modem). IT typically has never been involved in managing these networks, and OT systems are generally not on an IT department’s list of things to monitor (Gordy, 2023).
In buildings, operations technology, commonly used protocols include BACnet, Modbus, LonWorks, and KNX, which enable communication between various building systems. These protocols facilitate data exchange between HVAC, lighting, security, and more devices. Regarding operating systems, buildings often rely on embedded systems that run on real-time operating systems (RTOS), such as FreeRTOS or QNX, due to their stability and responsiveness. Additionally, Linux-based operating systems are becoming more prevalent for building management applications due to their flexibility and open-source nature.
IT and OT Convergence
Figure 4 OT-IT integration (Source: Pärn, 2023)
The various building technology layers should be designed in ways that supplement and reinforce each other so that buildings function safely and optimally. Unfortunately, design and innovation approaches for the built environment do not support this approach (Gartner Research, 2012). Building safety and security suffers as a result.
As assets and processes digitize, new targets, vectors, means, surfaces and mechanisms for an attack are created. As FM organizations acquire and integrate systems, networks, modules and IoT-enabled devices (modular or not), the connected system must be secured, including each device, subsystem and the connections among them.
FMs need to be aware of the areas where devices can be placed that can impact building security. Hackers can target buildings in various ways: “Attackers can target Wi-Fi, Bluetooth, ZigBee, 3G/4G/5G cell networks, NFC and other radio signals using very accessible equipment. Teams should be aware of what areas are physically accessible by attackers: Rooftops, HVAC units, shared spaces, windows, ledges, alleys, vents, parking lots and fire escapes all provide opportunities for attackers to plant devices” (Sussman, 2022).
FM providers are likewise acquiring and integrating devices, modules, networks and systems from various vendors. CRE and FM organizations and some vendors incorporate consumer-grade connected devices within their OT environments & solutions, which often do not integrate sufficient cybersecurity protection features.Due to competition and IP protection, vendors often fail to collaborate and coordinate beyond system installation, creating gaps that hackers exploit. Not surprisingly, the ensuing cybersecurity challenges are profound.
The security of a value network depends upon the cybersecurity prowess of all its networked suppliers and providers. Respondents to a World Economic Forum acknowledged their cybersecurity risk is influenced by the quality of security across their supply chain (World Economic Forum, 2023). All providers are subject to the “weakest link” principle: If the cybersecurity efforts of a single supplier are low, then the risk of a supply chain attack is higher (Spaniol, 2022).
