White House Issues Open Letter to Businesses on Cybersecurity
By Todd Boucher, Principal

Last week, the White House issued an open letter to businesses in the United States, urging them to take immediate action to improve cybersecurity measures and protect against ransomware attacks. The letter came in response to several high-profile ransomware attacks on US businesses, including the Colonial Pipeline attack that stopped gasoline and jet fuel from flowing up and down the east coast, and the attack on JBS Foods, one of our country’s largest food suppliers, which was forced to close off beef and pork production.

As part of the discussion on the White House’s letter, President Biden’s Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, acknowledged that “no company is safe from ransomware attacks” and urged US businesses to follow five best practices for improving cybersecurity:

1. Data backup – ensure data is backed up and tested and that data backup networks are not connected to the business networks.

2. Update and patch your systems

3. Test your company’s incident response plan (i.e., run through a potential cyber breach like you would a fire drill)

4. Use outside validation

5. Segment your networks

For building and property owners, all of these best practices are essential, but the fifth recommendation is especially critical. Neuberger noted that there had been a recent shift in ransomware attacks from “stealing data to disrupting operations,” as with the Colonial Pipeline and JBS Foods attacks. Regarding network segmentation, the White House’s letter stated that “it’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access and design and install the regional networks properly.”

The growing number of smart building systems and network-connected devices adds value to a real estate asset. However, these systems also increase the number of entry points for a cyberattack. If hackers can exploit a vulnerability in a building system, they can manipulate the building’s assets and critical infrastructure (HVAC, power, network) or gain access to private business data. For developers and building owners to place a greater emphasis on controlling the potential vulnerabilities their building systems present, they need to integrate cybersecurity into the design, construction, and commissioning process.

The current structure of specifications used for building design and construction has several weaknesses associated with cybersecurity, two of which are most prominent. The first is that the specifications were designed to ensure quality control on installed products, not to address cybersecurity. There is a language gap between construction specifications and cybersecurity requirements that makes it difficult to capture the latter in contract documents.

Second, building systems are segregated by discipline in specification documents, meaning that network-connected systems like Building Management Systems, lighting controls, elevators, energy management, digital signage, and EV charging (to name a few) are all in different specification sections.  This makes creating a common language that addresses cybersecurity a challenge in building system specifications, especially if an owner does not have a consultant responsible for cybersecurity in the design.  Most architectural and engineering firms do not have this expertise on staff.

There are several ways to create better cybersecurity through the design process, but the commitment has to start from the owner. Building owners must establish cybersecurity as one of their core project goals, especially with today’s pursuit of smart, connected buildings. When cybersecurity is designed into the building systems and how they are deployed, real estate assets are more thoroughly protected against malicious cyberattacks than they are under today’s common approach of attempting to secure disparate, individual systems after they are operational in the field.