Critical Cybersecurity Considerations for Safer Workplaces

There are many opportunities to improve processes, policies and collaboration when protecting our built environments from cyber threats.   

I recently attended IFMA’s Executive Summit; Cyber Security: Safeguarding FM’s Digital Transformation. I was impressed with the expertise of the presenters that IFMA brought to the table for this critical topic and with the level of engagement from the participants.

It is clear that building owners and industry leaders understand the importance of having critical conversations around how strong cybersecurity policies and practices can create safer environments for everyone who occupies a building.  

Let's take a closer look at how IT, OT, and physical security teams collaborate in order to keep your environment safe from cybersecurity threats. 

Creating Safe Environments 

Cybersecurity is generally thought of from the back-of-house software or from the financial transaction systems perspective. Bad actors gain access and control of software systems to plant malware intended to create disruption or steal your valuable company and customer data.   

In the built environment, we need to also consider the risks associated with bad actors gaining control of our operational technologies to cause major disruption to our facilities and possibly to the safety of our occupants. Systems like BMS solutions, access control systems, video surveillance systems, IoT technologies and visitor access management lay prone to attack through spear phishing, hacking and direct access via environment penetration. The consequences of not protecting those systems could be both dire and costly. 

Break Down Silos 

Breaking down the silos between the teams that support information technology, operational technology and physical security is a great place to start to ensure that your critical building systems remain safe.  

The opportunities start with educating the engineers who support the operational technology in your space about best practices and policies and then verifying their knowledge and preparedness. A good education campaign can go a long way toward protecting your organization against spear phishing attacks. 

Single-purposing the endpoints used to interface with operational technologies and then securing the physical access to those endpoints are critical steps in keeping your buildings safe. Consider having your physical security team patrol those spaces to verify that only authorized employees are accessing it and that there are no Post-It Notes with user IDs and passwords lying around. 

Proper Planning 

A key talking point during the summit was: “taking the time to plan is as good or better than the actual plan itself.” We all know that the best plans don’t survive first contact with the enemy; however, the actual planning process gets you thinking of vulnerabilities, action steps and communication planning in the case of an event. Be sure to have regularly scheduled disaster recovery, incident response and business continuity planning sessions for your OT environment.   

Include operational technology in your cybersecurity preparedness planning by: 

• Implementing appropriate endpoint protection
• Segmenting your networks and applying firewall protection
• Controlling physical access to all endpoints used in supporting your building
• Patrolling the spaces where critical systems are accessed
• Applying software security patches in a timely manner against all known vulnerabilities

• Performing backup and recovery exercises
• Governing corporate policies
• Implementing multi-factor authentication and single sign-on (SSO) to all critical building support systems

Internal Threats 

Consider that bad actors can be internal resources with direct access to the endpoints just as easily as some unknown entity halfway around the world. Don’t assume that your threats are all unknown entities. Limit both physical and virtual access to your building automation and support systems. The fewer people that can access and log in to those systems, the lower your risk.   

When an employee leaves your organization, make it easy to disable their access to your critical building support systems. SSO integration will really help with this. When the former employee is disabled in an active directory, they will also be disabled from those systems. 

As managed service providers, we are thinking beyond merely operating these systems on our client’s behalf.  If you’re using a managed service provider, it’s important that they are committed to partnering with clients to ensure that their buildings remain safe and secure by sharing best practices and recommending solutions where gaps have been discovered. They may not own the critical building support systems, but we can do our part to ensure the safety and security of the buildings we manage.

Editor's note: This blog is in collaboration with our corporate sustaining partner, ESFM. Chris Lilly is ESFM Senior Vice President of Information Technology. Glen McDevitt, Compass Group North America VP and Deputy Chief Information Security Officer, contributed to this piece.