THE CONVERGENCE:
Managing Digital Risk and FM’s Role in Protecting Digitized Buildings
Findings from IFMA’s Executive Summit
OT systems often run on antiquated platforms, whose operating systems are no longer supported, making them vulnerable to breaches by hackers who can manipulate control systems and cause damage (Singh, 2023).
OT systems often lack security monitoring and the ability to install security updates, making them vulnerable to breaches by hackers who can manipulate control systems to threaten occupants or cause damage.
Many OT devices cannot be accessed, managed, or monitored like conventional IT devices. Breaches are often overlooked or mistaken for equipment failure, allowing time for hackers to penetrate and exploit other building IT and OT systems.
Cyberattacks on OT systems can trigger facility shutdowns, equipment malfunctions and even cause explosions. OT systems can be weaponized, leading to injury or even death (Moody, 2021).
A bad actor does not need to infiltrate and compromise a building system; a credible threat alone requires immediate consideration and action to assess occupant safety. Physical and digital worlds are converging with new services and ever more granular insights on users, assets and processes. Information technologies (IT) and OT are converging through, for example, building automation and control systems, energy information systems and building information management systems relating to building safety, connectivity, experience, productivity and intelligence (Dexus, n.d.). IT is used for data-centric or processing activities, while OT monitors and controls industrial operations, physical processes and equipment. IT-OT convergence is a critical component of Industry 4.0, impacting various industries, including FM (Cognizant, 2023). Because of these multiple convergences, the FM industry has a role in securing digital buildings.
Awareness of the risks facing the built environment is relatively low among professionals in architecture, engineering, construction and facility management, putting buildings and the assets within them at risk (Mantha & Soto, June 29 - July 2, 2019). Within organizations, OT, IT and physical security responsibilities are organized separately, often divided between chief security officers (CSOs) and chief information security officers (CISOs) (Virga, 2023). These functions frequently operate independently, with limited collaboration on enterprise-wide risks. Senior leaders and FM teams lack visibility into interconnected physical and cyber assets. As a result, the lines of communication are unclear and impede coordination and collaboration, and organizations cannot quickly identify, prevent and respond to complex threats.
Organizations face unauthorized access to buildings and building control systems, which could lead to unauthorized access to systems holding confidential information and manipulation of sensitive data. In addition, IT and OT systems face service interruption and long-term disruption that could lead to physical damage to the building system or loss of life (see "One wrong click can create a 92-day recovery"). Building owners and facility managers are less able to transfer these risks to insurers (Figure 1a).
FMs' awareness of cyber risks is low. They are often unsure of their responsibility in securing buildings from digital threats (Figure 1b). FMs are pressured to rapidly digitize their buildings and operations due to changing expectations from clients, regulators and other actors along the supply chain (Pärn, 2023). FMs are, by and large, unaware of the responsibilities they have in protecting rapidly digitizing buildings. The pace of change is so fast that it is hard for the average FM to know where to start. FMs rarely collaborate with IT specialists, network designers, or engineers on the specifications, configuration instructions, submittal reviews and cyber commissioning requirements to create contracting models for securing digitizing buildings and operations. Finally, FM budgets are under pressure.
Figure 1a. Leading cyber risks:
- Unauthorized access to building control systems
- Data manipulation and unauthorized access to systems with confidential information
- System and service disruption and long-term interruption
- Physical damage to building systems that could lead to loss of life
- Insurers refusing to cover the costs (including property and casualty, P&C) of a cyberattack

Figure 1b. Challenges facing facility managers:
- Unaware of cyber risks and unsure of responsibility
- Lack of unified contracting models and commercial relations, and obsolete legacy systems
- Keeping abreast of rapidly evolving technology and the threat picture
- Balancing building security with accessibility
- Limited budgets
FMs need practical advice on how they can play a role in securing rapidly digitizing buildings. In February 2023, the International Facility Management Association (IFMA) organized a 24-hour Executive Summit bringing together cybersecurity and built environment security experts with senior leaders from FM and adjacent sectors to provide practical advice to the industry. Subject matter experts included:
The Honorable Lucian Niemeyer, CEO, Building Cyber Security
Quentin Hodson, Senior Researcher, RAND Corporation
Fred Gordy, Director, OT Risk Assessment, Michael Baker International
Dr. Erika Pärn, Senior Research Associate at the Cambridge Service Alliance, Department of Engineering, University of Cambridge
Robert Renzulli, Executive Strategist and Owner, CyberGeist Security, LLC and Board Member, San Diego Cyber Center of Excellence
Pat Sullivan, CEO, Pat Sullivan Consulting, Co-Chairman of the Board, San Diego Cyber Center of Excellence
Jessie Virga, DBA, CEO, Muller Bellator Security.
Based on their input, IFMA has developed the following white paper that identifies FMs’ role in protecting a digitized built environment.