How Facility Managers Can Defend Operational Technology in Commercial Buildings

Recent cyber incidents have starkly highlighted the vulnerabilities in our digital infrastructure, disrupting the lives of Americans and exposing significant weaknesses. As national headlines warn of foreign hackers planting cyber "bombs" in critical infrastructure sectors, it becomes imperative to understand the potential impacts on commercial facilities and the pivotal role facility managers play in mitigating these threats.

The Designation of Commercial Facilities as Critical Infrastructure 

Lucian Niemeyer, CEO of Building Cyber Security, underscores the gravity of the situation. In late 2023, an updated U.S. National Security Memorandum designated commercial facilities as critical infrastructure. Niemeyer explains, “Federal officials determined that a cyber-attack to retail centers, offices, entertainment venues, and housing could significantly impact economic stability, consumer confidence, and public safety.” With the global commercial real estate market valued at $34 trillion, its significant insurance requirements, and often minimal cyber protections, it becomes an attractive target for cybercriminals. 

The Real Threat to Modern Smart Buildings 

Modern buildings rely heavily on automated and smart technologies. Systems such as fire alarms, elevators, boilers, access controls, and HVAC are integral to building operations but also susceptible to cyber-attacks. Niemeyer highlights that a sudden cyber-attack on these systems could pose an immediate and significant public health threat. He notes, “Building owners may not be aware that many of these systems have remote access or exposed internet addresses on the web...

Within minutes, buildings and infrastructure can be rendered unsafe for occupancy or use, forcing evacuations and other protective steps, which may take weeks or months to recover.”

This scenario places facility managers on the front lines, requiring them to manage both the immediate response and the long-term recovery efforts.  

Chris Lilly, Senior Vice President of Technology at ESFM, emphasizes the critical importance of protecting operational technologies (OT) in commercial facilities. Lilly warns, “Systems like BMS solutions, access control systems, video surveillance systems, IoT technologies, and visitor access management lay prone to attack through spear phishing, hacking and direct access via environment penetration. The consequences of not protecting those systems could be both dire and costly.” 

Lilly highlights the importance of safeguarding both company and client systems. He states, “We must protect not only our data and systems as a company but be vigilant to not pose a vulnerability that bad actors can leverage to access our clients’ systems and data. Education around technology best practices and policies, as well as verification and preparedness around this knowledge, go a long way toward protecting our organization, and the systems we manage for clients, against attacks.” 

Are you ready to arm yourself with essential knowledge and protect your facility from cyber threats? Enroll in IFMA's comprehensive course to learn the basics of cybersecurity, how to collaborate effectively with IT experts, and how to safeguard your facility. Click below to secure your spot! 

The Role of Facility Managers in Cybersecurity 

IFMA has developed awareness and training programs in collaboration with the nation’s leading experts in building technology cyber protection. These programs offer facility managers essential resources to mitigate cyber risks. Niemeyer points out, “The designation as critical infrastructure imposes substantial responsibilities on building owners and operators to enhance security measures, incorporating both physical upgrades and robust cybersecurity protections. Facility managers can be part of the solution.” 

Lilly also underscores the need for collaboration within organizations to effectively combat cyber threats. He advises,

“Within our organization it’s important that we break down the silos between departments, bringing together those who support information technology (IT), operational technology (OT), physical security and the Chief Information Security Officer (CISO). It’s also critical that we include our clients in these conversations to share best practices and recommending solutions where gaps have been discovered.”

What can you do? 

As cyber threats continue to evolve, facility managers must remain vigilant and proactive in their approach to cybersecurity. The designation of commercial facilities as critical infrastructure highlights the need for enhanced security measures and robust cybersecurity protections. By leveraging IFMA’s training programs, resources, and fostering collaboration within their organizations and with clients, facility managers can play a pivotal role in safeguarding their buildings and ensuring public safety.