Building Management Systems (BMS) Must Now Integrate Cybersecurity

Terry Edwards, our Director of Real Estate, recently wrote the following article, which was originally published on the Facilities Management UK website.

How to effectively monitor and configure Building Management Systems (BMS) continues to emerge as an issue in the management of property.

The threat of cyber-attacks on BMS is increasingly becoming a very real risk issue.

Building and access control systems are computers that monitor and control building operations, such as air-conditioning, electrical power, electronic card reading, lifts, fire alarms and fire suppression systems, heating, lighting, ventilation and surveillance. Advances in building technology mean these systems are invariably linked to all manner of other services and the internet.

It's these very advancements in technology, and the ever-increasing reliance on automation and remote operations, that are exposing these systems to possible cyber-breaches and full-on attacks.

Most BMS are typically not designed with cyber security in mind, although experts have increasingly started to alert real estate and building owners and managers that such systems are vulnerable to external penetration.

The advent and development of more sophisticated insurance and risk mitigation techniques mean that options now exist to help defend against cyber threats to BMS.

Smart(er) buildings and their heightened exposure

Centralised Building Management Systems are now integrated and connected into other building systems; these in turn are connected to a network ring with IT data centers and remote access servers used via open protocols and clear access.

Building owners, managers and FM providers have seen huge advantages in the “usability” of these systems, but they are also highly susceptible to cyber risks, as they are more complex and interconnected into IP networks, which leaves them inevitably more exposed.

Heating, lighting and security in most buildings are generally not being developed with technology designed to be connected into cross-building IT networks. In fact, designers and decision-makers in charge of facilities (heating, lighting, security) or smart building systems can often consider the risks of cyber security to be irrelevant and non-critical.

Equipment failures are not new, and these incidents have already been reported hundreds of times. Redundancy techniques used by specialists in operational safety are effective methods for managing these risks, but they do not cover the risks of cyber-attacks.

Why does cyber security play such an important role in BMS?

In 2013, one of the largest retailers in the United States was hacked and had debit and credit card data corrupted from close to 110 million accounts. How did the criminals gain access to the system? A flaw in the network of a Heating, Ventilation and Air-Conditioning (HVAC) system that had been connected to the building to control their heating and air conditioning installations.

Even a business of this size with a secure BMS should have been able to prevent considerable damage; however, the virtual intruders were able to bypass any cyber defenses that might have been in place via the third-party attachment to the system.

Ultimately, everything can be hacked. Outsiders can take control of all connected systems to: turn off lights; trigger a fire alarm and cause panic; add external users to access controls; interfere with the HVAC system to knock staff off their guard; and even disrupt machines; or deactivate the CCTV system to allow an intruder to enter, and the list goes on.

The ability, or inability, to control and block these systems can have a direct impact on people’s safety and on a company’s performance and reputation. How would a company run if its employees couldn’t enter the building? If a breach can be quickly brought under control, damage and disruption can be mitigated, although there is still the possibility of damage to systems that depend on constant power, such as generators and 24-hour market economies.

These risks can also extend to any assets, economies or lifestyles reliant on smart systems, such as Smart Public Services, Smart Cities and Smart Homes.

The advantages of Incident Command Technology (ICT), Incident Command Systems (ICS) and BMS installations, and of future smart systems, are undeniable, and nobody would consider going back on this system. Using new technology from the conventional IT world means we have to come to terms with the constraints that come with it.

Retroactively dealing with these issues can be costly and complex, especially if they have not been factored into protocols at the design phase. This is also the case for older assets that were built at a time when cyber security awareness and the ability to transfer and manage these risks was limited.

Fortunately, as well as sophisticated mitigation techniques, a number of risk management and insurance options now exist. Insurance protection for the risks that owners and managers of real estate face is now readily available through insurance intermediaries or direct insurance companies.

Typically, a cyber insurance policy would provide protection for the following eventualities:

  • Forensics
    After a breach has occurred, expert forensics can determine what has been affected and how it can be contained, repaired or restored.
  • Legal and Public Relations
    Expert legal and PR consultants can formulate a plan to contain reputational damage. The cover provides payment for costs you may incur for a PR consultant to avert or mitigate damage to your brand and business operations.
  • Notification
    Any ‘data subject’ affected by the breach will need to be notified, and credit monitoring put in place to prevent further losses.
  • Fines and investigation
    Professional support to help prepare for any investigations you are subject to. A cyber policy can also cover payment of insurable fines and penalties imposed upon you.
  • Cyber business interruption
    This can cover you for loss of business income resulting from the total or partial interruption, degradation in service, or failure of information and communication assets.
  • Human error
    It’s easy to think that the only risk you face is from hackers. In reality, human error, such as losing a laptop or a mobile loaded with client data and passwords, can be just as destructive.

Cyber liability insurance can ensure you’re not just covered for incidents caused by external forces. Your customers, your data, and even your reputation (arguably the most valuable thing to your company) can also be covered for a range of internal as well as external eventualities.