Facilities managers, security officers, and executives are tasked with a myriad of responsibilities such as optimizing energy efficiency, ensuring the comfort and safety of occupants, and protecting their assets and investments. In the modern era, where technology underpins nearly every aspect of a business’s operations, the importance of trust and cybersecurity cannot be overstated. This article explores the critical relationship between trust and cybersecurity in operations.
I. The Inextricable Link: Trust and Cybersecurity
Trust is the cornerstone of any successful business. In the realm of operations, trust is the assurance that the systems and equipment will perform reliably, efficiently, and safely. It encompasses the belief that the technology supporting the operation will not fail or pose any risk to the occupants and the environment. There is also a large degree of trust that is built between service and parts providers and the company running the building or facility. This trust is paramount as facilities managers are typically not installing, repairing, or providing support diagnostics for every component or system. They rely on building optimization providers to ensure that chillers are operating within normal parameters, sensors are providing reliable data points, and their building management systems (BMS) are optimizing their building operations.
Cybersecurity, on the other hand, is the foundation upon which this trust is built. It is a set of practices, technologies, and protocols designed to protect digital systems, data, and the entire operation from malicious intent or inadvertent breaches. In today’s world, where building systems have become more sophisticated and interconnected, the relationship between trust and cybersecurity is particularly critical.
II. The Vulnerabilities in Building Operations
HVAC systems and other building management devices are no longer standalone mechanical devices; they are now an integral part of building management systems (BMS). Modern HVAC systems have sensors, controllers, and connected devices that enable remote monitoring, control, and automation. While this advancement provides numerous benefits, it also opens the door to vulnerabilities.
Cyberattacks on Building Automation Systems
With the proliferation of interconnected systems, Building Management Systems have become attractive targets. This was the case for Target, which suffered a massive data breach in 2013. Attackers gained access to Target’s computer network and stole financial and personal information. The full report from the US Senate Committee on Commerce, Science, and Transportation can be found here.
IoT Devices and Weaknesses
IoT devices are often known for their inherent security weaknesses. Many IoT devices are not adequately protected, making them easy entry points for hackers. These devices often lack firmware updates, have default passwords, and are susceptible to common attack methods. In 2019, Amazon’s Ring cameras were breached, and reports of customers being hacked appeared globally (read the court hearing here). Amazon provided a security patch that has since shored up the problem.
Even with all the security in the world, companies can never forget about the human element. While firewalls and anti-virus software can continually fend off outside attacks with relative success, employees who unknowingly click on a phishing email can open the door wide to security breaches. There are many examples of this occurring; robust and frequent security training is paramount for today’s companies to stay secure. Moss Adams, an IT and Cybersecurity Consulting Firm, goes into greater depth on the risks of human error in their article “How to Identify Top Cybersecurity Threats and Protect your Organization”.
III. Building a Trustworthy System
While all these vulnerabilities are frightening to think about, operations managers and security officers can take some steps to ensure their operations remain secure.
First, businesses must develop strong relationships with their service providers to ensure security is a cornerstone of the products and services they provide, as these products and services are directly linked to the company’s facilities.
Building Optimization providers like Optimum Energy (OE) are committed to continuing to provide first-in-class security procedures and policies for their clients and stakeholders.
Risk Assessment and Management
Identifying and understanding the risks associated with building systems is the first step. Facilities managers, in conjunction with their BMS provider, should conduct a comprehensive risk assessment, considering factors such as the type of equipment, its connectivity, and the potential consequences of a breach. With this information, they can develop a risk management plan that outlines security measures and incident response procedures. For providers like Optimum Energy, these policies and procedures are built into OE’s products and services.
Implement Strong Access Controls
Access controls ensure that only authorized personnel can modify building system settings. To enhance access security, use strong authentication methods, like two-factor authentication (2FA). Additionally, regularly review and update user access privileges to limit the potential damage in case of a breach.
Encryption and Data Protection
Operational data, such as temperature and humidity settings, are not required to be encrypted, but any sensitive data such as healthcare data, personally identifiable information (PII), and payment information should be encrypted during transmission and storage. This prevents attackers from intercepting or tampering with data as it flows between devices and control systems. Security managers should establish data retention policies to minimize exposure in case of a breach. It is also imperative that facility or security managers understand how their BMS provider is handling their data. Providers like Optimum Energy provide redundancies within their data centers that keep their clients’ data secure and untampered.
Continuous Monitoring and Response
Real-time monitoring of operational systems is essential to detect anomalies and potential security breaches. A strong BMS provider typically has an intrusion detection system (IDS) and/or third-party security services to monitor network traffic and system behavior 24/7. In the event of an incident, having a well-defined incident response plan in place is crucial to minimize damage and downtime.
High Standards for Service Providers
While building optimization providers should be highlighting their cybersecurity prowess and certifications, facilities managers also have a responsibility to ask questions about security and trust. Service and BMS providers should be equipped with various cybersecurity certifications and have a robust risk management plan to ensure that if an attack does occur, their software or hardware is blocking the malware or attack.
Optimum Energy’s commitment to security is emphasized by its SOC 2 Type 1 certification. This mark of compliance indicates OE’s commitment to strong data transfer controls and security of customer data. This type of certification requires periodic audits, proving that a building optimization provider meets the industry’s highest standards of security and data protection.
Trust and cybersecurity are inextricably linked in the world of operations. A breach in the security of a building’s systems can result in dire consequences, including financial losses and reputational damage. Businesses and service providers must prioritize cybersecurity as an integral part of their operations to maintain the trust of stakeholders, ensuring that building systems and business operations function reliably and securely.
Building Optimization providers like Optimum Energy provide not only cutting-edge solutions, but also security infrastructure and protocols designed to protect their systems and, by extension, their clients’ interests. In a rapidly evolving technological landscape, where building systems continue to become more interconnected and sophisticated, the onus is on operations managers, security officers, and service providers to stay ahead of potential threats and vulnerabilities. By adopting a proactive approach to cybersecurity, facilities managers can build a foundation of trust in their building systems that not only safeguards the facility and its occupants but also enhances operational efficiency and cost-effectiveness in the long run.