Enhancing Cybersecurity in Building Systems: Insights from the April 2024 Lunch & Learn Webinar

Tim Vogel, KMC

In today’s increasingly interconnected world, cybersecurity remains a paramount concern, especially within the building systems sector. The April 2024 Lunch & Learn webinar, hosted by Tim Vogel, VP of Connected Solutions at KMC, featured leaders and experts in the field who shared invaluable insights into cybersecurity challenges, strategies, and frameworks.

The webinar took a deep dive into cybersecurity from three distinct angles: the perspective of asset owners, champions of cyber-physical frameworks, and technology solutions providers.

Industry Challenges and Solutions

Dave Bohlman

Dave Bohlman, Vice President of Technology at KMC Controls, highlighted the importance of awareness and education. He noted that “almost half of successful breaches in an enterprise come from social engineering,” which underscores the need for robust cyber hygiene and training.

Dave said of penetration testing,

“A lot of times, people think about the firewall between the building and the outside, but there’s still a lot of penetration testing that can be done with the tools for the inside, from either a disgruntled employee or people misconfiguring things.”

Bayron Lopez

Bayron Lopez, then Director of Operational Technology for Kilroy Realty and now Manager of Technology Integration at Netflix, postulated that one of the biggest problems in the field is a simple lack of knowledge and awareness.

“Building equipment is decades old, and they don’t realize the broken cybersecurity protocols that lead to security risks. People seem to just be concerned with their own ability to access their systems and forget how important it is to limit that access to outsiders.”

Bayron stressed that the “bad guys” behind a security breach could be someone random who stumbles upon it, not someone with nefarious intentions. On the other hand, some cyber intruders may be aggressive hackers intending harm. It could be someone trying to fix something or solve a problem without the training and awareness of cybersecurity needs, who then creates a bigger problem. Human error is a common element.

He underscored the need for cultural shifts within organizations, emphasizing a collaborative approach. His company established an “innovation council” to understand their challenges across the board, Bayron shared, advocating for teamwork between IT, engineering, and physical security departments.

Implementing Effective Frameworks

Lucian Niemeyer

Lucian Niemeyer, an Air Force and Senate veteran and nonprofit advocate for operational technology security, is a ground-floor expert in the field. He discussed the critical need for robust cybersecurity frameworks. Lucian referenced a hack by a 19-year-old who attacked MGM studios’ systems for a ransom that cost the company millions in recovery fees.

He stressed the importance of straightforward risk assessments and the need to protect human safety alongside corporate intellectual property. Buildings are getting smarter and that is a benefit for all, but with that inherent connectivity come new security risks. For instance, in certain set-ups, someone could easily gain access to a building’s elevators, causing annoyance and even safety issues. A cyber attack can have a physical consequence. It is not just stealing data anymore. From design to implementation, cybersecurity and safety need to be addressed. Lucian’s nonprofit works to make these things accessible to the average building manager or owner.

In the world of corporate espionage, war, and terrorism, these issues are paramount. These threats and their velocity are increasing daily. Attackers are now focused on how they can disrupt, dismantle, or deny critical systems and create very unsafe conditions.

Key Takeaways and Looking Forward

The discussion highlighted several key points for bolstering cybersecurity in building systems. From establishing an innovation council to leveraging AI for threat detection, the importance of a multi-layered strategy was clear.

Lucian also posed a question for future exploration in the industry:

“You’ve got to start with a risk assessment. You must ask yourself, okay, what’s the most critical impact to my company or to my employers or to my brand or to my business operation?”

Dave agreed,

“You can do an honest risk assessment, starting with life, safety, and health impacts, but going on to business disruption and others. That’s going to drive you. Now I know where I have potential and existential threats to my company. What tools can I use? And it may be penetration testing, constant monitoring, or front-end protection.”

When building owners or managers realize they’ve got hundreds of OT devices that potentially have unguarded vectors coming into their network, it is time to do a risk assessment and an inventory so they are not spending money on things that ultimately may not be important. The panel agreed that the focus should be safety, accessibility, integrity, and confidentiality.

Bayron, talking of installing equipment in the past, said,

“You used to install it and forget it. Now you must continuously monitor it, upgrade it. It’s an optics cost versus capital expenditures. [You must] understand what your threat appetite is. Is it your brand recognition? Is your brand going to be hurt if somebody has an issue within your building? Is it an organizational recognition issue or is it a requirement from a government agency that’s giving you an assessment saying we want to be in your building, but we need this, this and this. So, you must understand where your building sits. What pieces are critical? One of the big things that we always prioritize is network infrastructure for the building.”

Nowadays, network infrastructure for the building is becoming part of OT. However, you must make sure that you have a solid foundation on which you can then deploy all these security policies and technology implementations.

Lucian summed up the sentiment of the panel with his concluding thoughts: “Every engineer, building operator, and owner understands safety for that building. That is not an optional investment. You’ve got to have occupant safety.”

The April 2024 Lunch & Learn webinar offered valuable insights into the current cybersecurity landscape within building systems. With the thoughtful contributions of Tim Vogel, Dave Bohlman, Lucian Niemeyer, and Bayron Lopez, the session underscored the need for innovation, collaboration, and proactive measures in combating cybersecurity threats. The discussions and strategies shared at the event have set the stage for ongoing advancements, ensuring a safer and more secure future in building management and technology.
