Promoting Cyber Security in Buildings, Infrastructure, and Smart Technologies
Lucian Niemeyer
CEO, Building Cyber Security, Principal The Niemeyer Group, MP NADSCO LLC, Corporate Board Member, Partner UCAN Power
How secure are we in a smart world? The rapidly advancing technology that enables smart homes, buildings, and industries is outrunning the security needed to protect our lives, privacy, and resources. While fire and building codes assure us of certain safety measures, we have no way of knowing when we walk into a building what protections are in place to prevent a bad actor from turning off the power, seizing an elevator, locking the doors, disabling a fire alarm, or recording our movements. Our risk is growing at an alarming rate, while the corrective remedies are falling woefully behind.
We increasingly depend on integrated, digital control systems to govern and monitor all aspects of building operations. Millions of control systems convert virtual commands into physical activities. These automation systems are vital to the operation of all U.S. critical infrastructures (the dams, power plants, water systems, electricity distribution, and gas lines we need to survive), 90 percent of which are privately owned and operated. While digital technology improves efficiency, the downside is exponentially increased vulnerability to cyber exploitation or attack.
Recent intelligence and government warnings cite control system cybersecurity as a critical national security vulnerability, with threats ranging from hostile governments, terrorist groups, and malicious intruders to disgruntled employees. Control systems can be exploited for data monitoring or theft, service manipulation, denial of service, or destruction of property. Unsecured systems offer a path to a company’s financial or customer records. In extreme cases, controls can be manipulated to threaten lives and safety. Adding to the concern, mobile devices connected to publicly available networks afford bad actors millions more entry points.
While the growth of the threats is widely acknowledged, the responding policies and programs are disjointed, anemic, and underfunded. Existing standards are parochial, with limited incentives for adoption. Facility operators are not able to respond to rapidly changing threats and cannot even guess at potential recovery costs. A growing number of owners are hiring security rating services to evaluate cyber-protections, but the resulting vulnerability assessments and remedies can take years to implement. In addition, business cases weigh acceptable levels of risk against the costs of remedies. As a result, investments to enhance protections for legacy systems must compete with other priorities based on subjective probability assessments. Other companies are paying third-party building system managers to reduce risk exposure for insurance purposes rather than investing in engineering solutions to enhance security.
Control system cyber protection is further complicated by knowledge gaps in adequate design, installation, operations, and monitoring. Information security teams prioritize network protection, while building managers prioritize optimal system performance. Neither may be incentivized or trained to collaborate on protecting control systems from malignant actors. The lack of accountability leads to missed opportunities to engineer the suite of sensors and other monitoring devices needed to protect control systems.
To respond to this dilemma, a national program must promote and incentivize investments in unified engineering standards to promote the safety and reliability of control systems. This program would establish a tiered accreditation system for control system security to rate various levels of protection and investment, while allowing for the consideration of the criticality of the facility or risk to a company’s brand. The program must include a formal review and certification process for designs, specifications, and control system installation procedures. The program must include clear requirements for control system vendors to achieve various levels of certification. The program must encourage the replacement of legacy controls, require product registration, and reward the consistent, timely installation of security patches. The program must formalize a nationally accredited training program for engineers, technicians, and network managers. The program must incentivize organizations to maintain comprehensive programs to monitor, update, audit, and test cyber protections for the people, processes, and technology managing building systems. These enhancements can best be incentivized through a market approach.
As concerns grow about the impact of a cyberattack on a company’s brand, cyber security ratings will eventually be as important as credit ratings when evaluating business-to-business transactions. As public consciousness grows about the expanding vulnerabilities resulting from artificial intelligence, smart vehicles, smart homes, and smart communities, consumers will value enhanced security and safety as a smart product feature, much the same way as protection is purchased for computers and homes.
The idea for a national credit system for buildings has a model. The Leadership in Energy and Environmental Design (LEED) program run by a non-profit organization, the US Green Building Council, successfully incentivized the building industry to aspire to environmentally sustainable facility standards through an independent rating system. More recently, standards have been developed by the International WELL Building Institute for buildings to improve comfort, health, and wellness.
The federal government's National Cyber Strategy aligns national command and coordination centers with the goal of enhancing awareness across all business sectors. In response, this program would need to update its standards based on emerging threats publicized by the Department of Homeland Security. The program could incorporate the National Institute of Standards and Technology’s Cybersecurity Framework along with other international standards to encourage a common global accreditation. This should not be another government-run regulatory or credit program. With the right market incentive, the private sector can more easily respond at the speed of relevancy to quickly establish a national program that will offer real protection.
The threat is growing more sophisticated every day. A program to reward investments in the cyber security of buildings and our Nation’s critical infrastructure does not require any kind of invention or reengineering. Standards, rating protocols, and proven protective measures already exist and can be integrated and marketed for value. We are at a point where bold action is needed to incentivize proactive cybersecurity protections for physical safety in an increasingly connected world. It’s time to accelerate the engineering needed to protect our buildings and infrastructure before the next major cyberattack threatens our well-being.
Board Member | Experienced C-Suite Executive
5 years. Great article Lucian and a call to action. One area that we might also consider as an indicator of control system cyber security health would be a measure of the amount of time to recover from an attack. Incentives to minimize this time could be a holistic approach to identify and respond to cyber intrusions in real time to mitigate damage from those attacks that make it through our protective barriers. We also need some focus on rapidly restoring systems to operational status to minimize disruption of service as well as damage to equipment and infrastructure.
Global Account Manager @ Siemens Hyperscale | Critical Power | Sustainability
5 years. Spot on! Brilliant piece. A pragmatic roadmap for a cybersecurity initiative where both the Govt. and the industry can work together to address the impending threat.