It is an unfortunate constant in the cosmos that no matter how good something may be, there is something bad accompanying it. Every rose has its thorn and plastic was designed to last forever (and it does).

Sir Isaac Newton, in his third law of motion, states, “For every action, there is an equal and opposite reaction” – when one object exerts a force on another object, the second object exerts an equal and opposite force on the first object. An analogy could be made that this theory extends beyond physics and is reflected in life: Opposites attract and tend to counteract each other; so, where there is good, naturally, there is bad.

The dichotomy of good and evil has been prevalent throughout history, and timeless in its relevance to everything that is done in life. But while it is recognized that these concepts of good and bad are not always immediately evident, it should never come as a surprise when something that is perceived as positive creates a counterpart whose impact is negative.

Technology

Technology is playing a more essential role in facility management. With the acceleration and wider availability of advanced software, hardware and connectivity options, FMs can streamline operations and maximize efficiency, save money and reduce energy usage, manage work orders, enhance security, track preventive maintenance schedules and outcomes, and improve overall performance.

Technology’s role in FM is significant, and its importance is increasing.

The hardware and software that monitor equipment and fixtures in the facility are called operational technology (OT). Through the direct monitoring and/or control of facility equipment and assets, OT can detect or cause a change in the operation. The term marks the technological and functional differences between traditional information technology (IT) systems and the industrial control systems (ICS) environment.

Examples of OT include building management systems (BMS), energy management systems (EMS) and building automation systems (BAS). Automated lighting controls fall into this category, as do facility access controls, surveillance cameras and vertical transportation systems.

The difference between IT and OT must be understood, as they are often confused. While operational technology controls equipment, IT controls data. Specifically, OT is concentrated on the physical functions of a facility. IT focuses on securing confidentiality, integrity, and availability of systems and data.

OT incorporates the use of industrial control systems (ICS) as its main component. ICS consists of myriad types of devices, systems, controls and networks that manage several processes. The most common types of ICS are supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).

Strategically placed sensors communicate data to the SCADA system on a central computer, which manages and controls the information. DCS are used to manage localized controllers or devices in the facility.

OT connections

The Internet of Things (IoT) describes the network of physical objects (things) that are embedded with sensors, software and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. The devices that make up the industrial Internet of Things (IIoT) are components of operational technology and consist of sensors, monitors, actuators and other technologies that are deployed on or near OT equipment. The amount of equipment that is getting connected is growing exponentially and includes generators, pipelines, fans, programmable logic controllers (PLC) and remote processing units (RPU), to name a few.

There are more than 7 billion connected IoT devices today, and this number is projected to increase to 22 billion by 2025. This represents unlimited opportunities for bad actors to compromise technology in the workplace.

To keep up with digital innovation, operational technology systems need to interact with information technology systems. OT network components like SCADA, DCS and similar networks are now being connected to IT networks. Processors, storage and systems management are being linked with OT. This integration enables the data collected by physical equipment and IIoT devices to be used to identify problems or increase efficiencies. However, such merging of technologies creates more vulnerabilities for attacks.

OT networks were once isolated, and nobody in IT was concerned about them. They traditionally sat behind air gaps, not connected to the outside world, and ran on obscure operating systems. Now, connecting a previously air-gapped OT network to the internet via an IT network immediately exposes both networks and all connected devices to the threat landscape. OT was not designed with security in mind because it was originally created with the assumption it could not be exposed to threats. Additionally, the rise of remote access to OT networks by third-party vendors further expands the attack surface and creates new unprotected avenues for access. OT stopped being the safe, sequestered system that it was perceived to be.

As FM evolves and becomes more reliant on smart systems and devices, its risk of cyberattack increases. The benefits of using OT to monitor building systems’ efficiency and environmental sustainability are huge. However, the more the systems collect and transmit usage data, the greater the risk of being infected with ransomware.

Safeguards

Implementing and improving cybersecurity for operational technology is another challenge that FMs must face. It presents difficulties in multiple areas. There are the technical aspects. Some of the issues lie with legacy systems, which can be more than 20 years old. These aged systems are rife with exposure issues. Standard OT systems have a long list of cybersecurity concerns: existing equipment with decades-long life cycles, the lack of efficient or effective patches to the software, and the fact that there was never a need for user authentication or encryption. There are also operational aspects that need to be addressed. Where is the line that separates facility functions from IT? Proper staff training is paramount, but the question arises: what to teach?

In the harsh reality of the digital world, OT has the double stigma of being the easiest target for intrusion, and an incident would incur more damage to IT. The physical security and the life and safety of employees would be at risk. It is imperative that steps be taken, sooner rather than later. Some best practices suggested by cybersecurity experts are:

  • Have a security program that has the support of senior management
  • Maintain a system inventory of all hardware and associated software
    • Include make, model, manufacturer and age of any equipment. If software is being used to track performance, then note the type and date of installation.
  • Perform a risk assessment to determine vulnerabilities
  • Have a comprehensive back-up process in case the system is compromised
    • This should include a redundant system
  • Keep a list of service providers, along with their scopes of work and authorized personnel
  • Maintain full control of system and network access
  • As-built system documentation reflecting current configuration
  • Guidelines for physical access to determine approved users
  • A process for adding and removing users
  • Management of network infrastructure and the physical components
  • Documentation of change management policies and procedures
  • Ensure that periodic security reviews have been completed
  • Plan and exercise incident response and recovery
  • Stay current on cybersecurity trends and threats and train personnel accordingly

An attack by a cybercriminal on an OT system can create unsafe conditions in a facility, threatening the health and safety of employees. Fire detection and alarms, HVAC systems, access control and other technologies are in place for the protection of people. If these systems are compromised, it constitutes a dangerous situation.

IFMA has recently partnered with Building Cyber Security (BCS), a nonprofit consultant group, to assist FMs in learning about the opportunities and threats that connected technologies present. They have developed training for cybersafety amelioration, providing checklists, assessment tools and certifications to augment cyber protections for the built environment.

Balancing act

It has been evidenced over time that bad things have a greater impact on people than good things. This is known as negativity bias. It suggests that negatives have a stronger effect on thoughts, feelings and behavior than positive events. Negativity bias is at the core of the debate on the relative effects of the struggle between good and bad forces over the course of history. It does not mean that bad will triumph over good. It proves that good proactive and preventive measures can override the negative effects of a bad situation. In nature, organisms that have evolved to prevent or overcome bad things are suggested to flourish and thrive.

Innovative technological tools that serve to improve operations come with commensurate threats. Forewarned is forearmed. Bad things can have a stronger effect on people than good things, and a cyberattack could be an ongoing nightmare with unforeseen repercussions. However, it does not mean that the focus should only be on negative possibilities. Understanding and addressing the potential weaknesses and vulnerabilities of a system that could allow a cybersecurity attack can help mitigate the damage of an attack. The question is far more likely to be when an attack will happen than if it will happen. No facility is safe. FMs must rely on the fact that they have done everything possible to safeguard their facilities. In any event, they should absorb and utilize all the information available to them – the tricks of the cyber trade – and strive to create more positive experiences to counterbalance the negativity bias. They would have the capability to ensure that bad things do not happen … or at least that they are minimized. This would be good for them, the employees and their organization.