How to make your building cybersmart in 5 steps

  • 03 April, 2017
  • Amsterdam Security

Johnson Controls, recently merged with security giant Tyco, published a white paper on security issues for smart buildings. As connectivity automatically increases the cyber risks, smart buildings need to be Cybersmart also. These are the worst-case scenarios and this the best way to prevent them.

Smart buildings are not an option for the 21st Century – they are a necessity. These agile, responsive environments leverage building data to optimize operations and lower facility costs, while increasing safety and sustainability. Smart buildings adapt to occupancy needs in real time, while optimizing energy usage as much as possible. They often connect internal systems – HVAC controls, data networks, power management, etc. – with external networks to more efficiently monitor and manage building operations. This new age of connectivity and automation creates tremendous opportunity. Without the proper cyber protections, however, smart buildings can be vulnerable to potential cyber incidents.

A new whitepaper published jointly by Johnson Controls and Booz Allen Hamilton provides a roadmap for building managers, building owners, contractors and others to act to protect their information. "It is no longer enough for a building to be smart – it must now be cybersmart."

A new world of risk: cyber attacks on smart buildings

Risk scenarios include

1. Shutting down heating or cooling for sensitive locations, such as pharmaceutical or food processing plants.

2. Manipulating cooling settings on an HVAC system in a corporate building, creating significant business disruption and lost productivity.

3. Shutting down cooling or power management functions for a data center, destroying IT equipment and taking businesscritical applications offline.

4. Gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks.

A call to action
Connectivity and automation create entry points for cyber attacks with potential safety, continuity, quality and privacy impact. But we can’t let this risk cripple innovation. This is your chance to get it right; to secure your investment by tackling this challenge head-on. So we challenge you to reverse old mindsets: cybersecurity isn’t a tax on the business, it’s not simply an IT issue, and it certainly shouldn’t be a scare tactic. It’s a business enabler for smart buildings. When done well, cybersecurity is about insuring your investment and assuring your ability to reap the transformative benefits that connectivity offers.

What to do: five fundamental steps
There is tremendous business value in embracing building automation—including cost savings, efficiency, and convenience. So don’t halt your plans. Instead, protect your investment, and maximize its potential. A smart approach starts with a strategy and framework to guide consistent actions based on your risk landscape. We recommend five foundational steps to frame the challenge, gain quick wins, and start gaining real traction.

1. Observe and orient around your specific challenge
Building operators and managers can learn a lot from military decision-making when it comes to cybersecurity. Out of the gate, when designing infrastructure from scratch or securing legacy building systems, you need to decide which elements of your smart building matter the most. You can’t afford to secure everything with the highest degrees of assurance, but make sure you prioritize what matters to your business.

2. Cybersecurity requires crossfunctional teaming
For cyber risks to be well managed, you need involvement and buy-in from across the business. IT, cybersecurity, and facility teams typically have the expertise and the access to take the lead. Working together as one cohesive unit, they also need to coordinate with a range of internal and external stakeholders.

3. Change the culture – speak up for cybersmart buildings
Make sure this issue is heard loud and clear within your leadership community and with internal and external stakeholders. Roadshows, risk education, and exercises can help build consensus on opportunity and risk.

4. Build the right capabilities to enable – not hinder – smart building adoption
Technical solutions are an important piece of the puzzle, but you need to balance deploying technological tools with investments in people and processes. Incorporate cybersecurity across the smart building lifecycle, being careful not to overburden the process.

5. Finally, get operational
A compliance-focused approach to all of the above can have detrimental effects if you stop there. You’re dealing with an ever-evolving adversary, which means you need a security professional’s mindset to defeat them. Continually monitor internal and external intelligence to understand your ever-changing risk profile. Find allies — like building controls manufacturers and analytics service providers with a demonstrated commitment to product security—to help you stay ahead. Have a plan, but be prepared to continually evolve. This will help you sleep at night, for years to come.

The full 'Cybersmart Buildings. Securing your investments in connectivity and automation' (2017) white paper by Johnson Controls and Booz Allen Hamilton can be read here.

Recent fusion Johnson Controls en Tyco
In 2016 Johnson Controls, the number one provider of building efficiency solutions, merged with Tyco, the number one provider of fire and security solutions. The new company is uniquely positioned as a leader in products, technologies and integrated solutions for the buildings and energy sectors. 

Tyco is Founding Partner at the Amsterdam Security Convention.

Share this article

Latest Video

All videos »