White House Issues Open Letter to Businesses on Cybersecurity
By Todd Boucher, LEDG Founder & Principal
Cybersecurity in Smart Buildings

Last week, the White House issued an open letter to businesses in the United States, urging them to take immediate action to improve cybersecurity measures and protect against ransomware attacks. The letter came in response to several high-profile ransomware attacks on US businesses, including the Colonial Pipeline attack, which stopped gasoline and jet fuel from flowing up and down the east coast, and the attack on JBS Foods, one of our country’s largest food suppliers, which was forced to close off beef and pork production.

As part of the discussion on the White House’s letter, President Biden’s Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, acknowledged that “no company is safe from ransomware attacks” and urged US businesses to follow five best practices for improving cybersecurity:

1. Data backup – ensure data is backed up and tested, and that data backup networks are not connected to the business networks.

2. Update and patch your systems

3. Test your company’s incident response plan (i.e., run through a potential cyber breach like you would a fire drill)

4. Use outside validation

5. Segment your networks

For building and property owners, all these best practices are important, but the fifth recommendation is the critical one to pay attention to. Neuberger noted that there has been a recent shift in ransomware attacks from “stealing data to disrupting operations,” as was seen in the Colonial Pipeline and JBS Foods attacks. Regarding network segmentation, the White House’s letter stated that “it’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks.”

The smart building systems and network-connected devices that are increasingly found in the built environment, when designed and installed properly, add tremendous value to a real estate asset. However, they also increase the number of entry points for a cyberattack. If hackers can exploit a vulnerability in a building system, they can manipulate the building’s assets and critical infrastructure (HVAC, power, network) or gain access to private business data. For developers and building owners to place a greater emphasis on controlling the potential vulnerabilities presented by their building systems, they need to integrate cybersecurity into the design, construction, and commissioning process.

The current structure of specifications used for building design and construction has several weaknesses associated with cybersecurity, two of which are most prominent. The first is that the specifications were designed to ensure quality control on installed products, not to handle cybersecurity. There is a language gap between construction specifications and cybersecurity requirements that makes it difficult to capture the latter in contract documents.

Second, building systems are segregated by discipline in specification documents, meaning that network-connected systems like Building Management Systems, lighting controls, elevators, energy management, digital signage, and EV charging (to name a few) are all in different specification sections.  This makes creating common language that addresses cybersecurity a challenge in building system specifications, especially if an owner does not have a consultant responsible for cybersecurity in the design.  Most architectural and engineering firms do not have this expertise on staff.

There are several ways to create better cybersecurity through the design process, but the commitment has to start from the owner. Building owners need to establish cybersecurity as one of their core project goals, especially with today’s pursuit of smart, connected buildings. When cybersecurity is designed into the building systems and how they are deployed, real estate assets are more thoroughly protected against malicious cyberattacks than with what is common today – attempting to secure disparate, individual systems after they are operational in the field.
