By Glenda Mayo, Ph.D. and Dallas Snider, Ph.D.
From the July/August 2016 Issue
The traditional view of facility management previously included tasks, which were more physical in nature in terms of the responsibility of the building, but newer job roles now include maintaining critical operations through the use of information technology (IT) and automated controls. Project teams are also becoming aware of the need to secure an organization’s network to mitigate cyber attacks. This has created an additional layer of concern and responsibility. However the dialogue rarely addresses what the specific concerns might be for facility managers regarding potential threats, and rarely has the discussion addressed the role of stakeholders with regards to the mitigation of those concerns.
New construction and renovation projects frequently include networked building automation systems (BAS), which are typically contracted work for the installations. The project team may consist of the designer, an installer, a building commissioning agent (CxA), and the owner or facility manager. To review the perceptions of these industry personnel and their specific roles for cyber attack mitigation, the authors partnered with the National Environmental Balancing Bureau (NEBB) and distributed a survey in early 2016 targeting practitioners of building system installations in the various project roles. The mission of the survey was to address industry concerns regarding the perceptions of cyber threats with regards to the preparation for mitigation, the concerns for exactly what should be protected, and lastly, the concerns for specific types of threats.
Professor David Fisk of the Imperial College in London, explained in a 2012 article1 that the existence of a cyber threat on an intelligent building is imminent, regardless of the purpose of attack. Part of the attraction to attackers is the capability of malicious agents to attack anonymously.
Often an organization’s mission includes providing access to the network for anyone on premises. Although this type of access is counterintuitive to many efforts to stop cyber attacks, there are also benefits for the facility manager. Reduced budgets in facilities and maintenance support are offset by personnel’s ability to monitor and make adjustments via an automated system, which can be crucial to maintaining growing infrastructure. But larger infrastructure does not necessarily mean larger risk, and Fisk explained that, “…the rate of aggression is limited only by the number of aggressors, much as the number of burglaries is limited only by the number of burglars, not the number of burglar alarms.”
For a facility owner, developing a risk management plan often begins with determining the potential hazard, or a specific strategic and measurable goal. Most individuals responsible for these duties are experienced with facility management, but lack the awareness pertaining to security control and risk mitigation. The segmented job roles that often exist during a BAS installation have contributed to lack of identification of roles for cyber security. Partnerships to mitigate risks are necessary, but personnel are typically involved in their own daily work.
Survey Of FMs, Other Stakeholders
To gauge the perceptions of the current state of practice for cyber risk mitigation efforts, the survey set out to view the perceptions from the different project or job roles. The results indicated a reassuring raised level of awareness—and revealed that 63% (42) indicated that they were somewhat knowledgeable about cyber security, and only 15% (10) responding with “not knowledgeable.” A majority (60%) stated that their knowledge was gained from informal on the job training, and an additional 13% have been included in some method of formal training. When asked if the respondents thought their control system may be susceptible to a cyber threat, 43% stated “yes,”; the remainder was divided between “no” and “not sure.” Only 7% stated that to their knowledge their system had experienced, at some point, a cyber breach.
A building owner’s mitigation for risks for a cyber breach may include working through the development of Standard Operating Procedures (SOPs) and contract language, which also assists to ensure quality control and consistency for BAS installations. Developing an SOP or a written form of understanding forces owners to move from the “awareness” stage and begin action toward mitigation (see Figure 1).
Because the BAS installation includes the collaboration of several job roles, the understanding of the security and/or mitigation of cyber attacks may overlap and are not generally addressed in SOPs or contract language. There is still work to be done with regards to standardizing the delineations between job role responsibilities.
The survey requested the respondent’s perception of: what they believed their job role required them to do as a specific duty; what they were required to be aware of; and additionally, whether they felt that together it included both job duty and just awareness, or neither. The commissioning agents (CxA) indicated that in the case of IT related duties, their CxA role required knowledge (but wasn’t a specific job duty) of general IT duties and network administration. The results of the survey indicted a strong relationship for the consultants, facilities personnel, and IT personnel in that they felt IT administration was within their job role, but only 43% of commissioning consultants felt the same.
Many comments from respondents referred to the duties of a CxA, which is to ensure the BAS is installed and functioning as designed and specified. Additionally, comments often stated that cyber security mitigation and network concern did not apply to CxA duties. Although overall responses show that perceptions continue to fall into traditional job roles and duties, it also indicates a lack of delineation in the understanding of cyber security job responsibilities (see Figure 2).
Cyber Threat Concerns
In addition to determining the perception of job roles for cyber security, an additional research question was asked to determine what the respondents perceive to be a concern. For a facility owner, determining a level of risk based on the potential hazard is one way that they are able to quantify the level of attention that each issue should receive.
Understandably, different job roles had different concerns. For example, those job roles with duties pertaining to IT were primarily concerned about organizational level threats such as access to data and physical facilities. Those with perceived duties for building automation and maintenance were concerned more specifically with system level threats, such as a trusted vendor using the BAS to gain access for other purposes. An interesting connection is a 2014 PriceWaterhouseCoopers survey2, which found that 28% of respondents believed their attacks were the result of trusted parties such as current and former employees, or service providers and contractors. It is a valid concern given recent attacks targeting BASs, one of which is the Target Corporation incident where Personally Identifiable Information (PII) was stolen.
The final goal was to determine perceptions of the specific types of threats associated with an attack. Figure 3 shows how respondents in each job role ranked the importance of potential threats; overall rankings are shown there in parenthesis. The top ranked concern being: entrance to the network for access to information.
These concerns are:
- Denial of service attack: A network is flooded with bogus traffic, thereby incapacitating the BAS or making data about the system unavailable.
- Stuxnet-like attack: Outsiders take control of an automation system and cause the system to damage or destroy itself or other systems on the network.
- Malware attack: Typically when malicious software damages a computer system or leads to the loss of data confidentiality or integrity.
- Entrance of network for access to information: Someone internal or external to an organization gains access to a network for the purpose of either snooping around, theft, or damaging the system.
These threats are not mutually exclusive and often times they are in combination.
The purpose of the study was to identify the perceptions of the different roles, and also specific threat concerns for the disciplines. As evident in the various perceptions identified, collaboration is needed for risk mitigation, and initial planning may assist with delineating roles. Although the ISO 27001 provides a resource for planning and installation, facility managers should work to identify gaps in project personnel and each stakeholder’s role to establish their facilities’ cyber security risk management model.
1 Fisk, D. (2012) Cyber security, building automation, and the intelligent building, Intelligent Buildings International, DOI:10.1080/17508975.2012.695277
2 PriceWaterhouseCoopers. [PwC] (2014) US Cybercrime: Rising risks, reduced readiness. Web. 6 May 2016.
Mayo is an assistant professor in the Department of Engineering Technology and Construction Management at the University of North Carolina Charlotte. Prior to academia, she was an assistant director in the architectural and engineering services department at the University of West Florida. After completing her Ph.D. at the University of Florida, her research focus has been in the domains of facilities management.
Snider is an assistant professor in the Computer Science Department at the University of West Florida. He received his Ph.D. in Integrated Computing and M.S. in Instrumental Sciences from the University of Arkansas at Little Rock. He received a B.A. in Physics from Hendrix College. Previously, he worked as a data warehouse developer for Northrop Grumman Information Systems and prior to that as a database application developer for Acxiom and Euronet.
Do you have a comment? Share your thoughts in the Comments below or send an e-mail to the Editor at email@example.com.