Worldwide focus on cybersecurity is not new. Over the last decade, governments and corporations have invested heavily in information technology (IT) security research, resources, training, and defensive initiatives directed at predicting and mitigating the risk of cyber threats.
Cybersecurity funding hit an all-time high in 2020, with nearly $8 billion funneling into firms offering cyber protection, according to Crunchbase. And yet, these investments may leave organizations with critical vulnerabilities in their cyber readiness. With their defensive gaze trained on IT security, organizations often overlook their operational technology (OT) systems, which present another, often simpler, target for potential cyberattacks.
OT systems include the hardware and software that monitor and control physical devices. In buildings, this includes technologies such as HVAC, building management and security systems. IT departments have traditionally viewed OT systems as operating in a closed or controlled environment that doesn’t interact with the Internet or with internal networks that access the Internet. OT systems have therefore not always received the same level of cyber monitoring or maintenance hygiene as IT systems.
However, the advent of the Internet of Things (IoT) and demand for smart technology in an increasingly connected world have radically changed how OT systems function. Smart devices are proliferating rapidly throughout connected buildings, having become essential drivers of productivity, operational efficiency, incident response and sustainability. While these advances have been foundational to the development of safer, smarter, and more sustainable buildings in today’s integrated landscape, they’ve also helped to expand the threat footprint in the OT space.
Some common OT points of vulnerability include a building’s control systems – security or access control, for example – its power management functions, its temperature settings on HVAC systems and its Internet-connected physical security systems. Unfortunately, many corporations continue to operate on outdated software, and employees neglect to update default passwords on embedded accounts or personal devices. To mitigate cyber risk in such systems, there’s a strategic first step organizations should consider taking: integrate all building management systems into a single platform to aggregate data across disparate systems. This enables facility managers to develop better insights, make informed decisions, potentially reduce costs, and improve their cybersecurity management.
Why should organizations make such an investment? To put it in terms of a real-life situation, imagine a ransomware attack on a hospital’s OT systems that locks staff out of their computers. Medical professionals could lose access to patient files, causing a plethora of disruptions and backlogs in operations. Appointments, surgeries and even emergency cases would likely need to be rescheduled or routed to another facility until the affected systems could be restored.
At their worst, such attacks can be life-threatening: In 2020, a cyberattack on a hospital in Germany started a chain reaction that led to the death of an arriving patient when emergency room staff could not complete intake because their systems had been shut down. Such a scenario makes it clear why developing and implementing a vigilant OT cybersecurity strategy is critical.
The impact of OT cyber incidents can also extend to major financial loss as well as operational and reputational damage — all of which can be devastating to a business. Moreover, cyberattacks on OT systems may be more prevalent than commonly supposed. A recent survey of facility managers in the United States, Germany and China found more than one in four respondents (27%) had experienced a cyber breach of their OT systems in the last 12 months. Further, the survey revealed combating such breaches has become top-of-mind for today’s facility managers: Respondents cited lockdown monitoring, potential for downtime and closure, OT cybersecurity and maintaining uptime as top concerns.
A building’s OT environment should be monitored and maintained just like its IT environment. By understanding OT cybersecurity risks, facility managers and IT personnel can better position themselves to make smarter buys, implement targeted OT security controls and maintain heightened cyber resilience across their OT environments.