Strong and Sustainable Foundations: Develop a security program for smart buildings based on asset visibility

Growing building digitalisation is being driven by sustainability and energy efficiency goals.

Building Management Systems (BMS) have been steadily advancing to improve automation, operational performance, and occupancy experience, partly driven by regulation related to sustainability and energy usage. According to the IEA, the operations of buildings account for 30% of global final energy consumption and 26% of energy-related emissions. Whilst direct emissions reduced in 2022, energy usage continues to grow, increasing by around 1% per annum. Growing populations, expanding cities and new infrastructure are likely to lead to growing energy usage unless there is a significant shift in energy efficiency.

To meet global 2030 sustainability goals, the UN Environment Programme reports that renewable energy use in buildings must increase by 1.5% annually to phase out fossil fuels. Key regulations aimed at reducing energy usage and emissions include the Energy Performance of Buildings Directive (EPBD) in Europe, the Energy Performance Certificate (EPC), the United States Executive Order 14057 and the Federal Sustainability Plan, India's Energy Conservation (Amendment) Act, and Japan's Energy Conservation Act. These mandates require building operators to reduce energy consumption and/or emissions, necessitating upgrades to current building operations, including the use of smarter, connected technologies and cloud services.

However, the increasing connectivity and use of smart devices introduce new vulnerabilities and expand the attack surface, requiring asset owners to evolve their cybersecurity programs. Despite the potential risks to building operational technology (OT), there are no specific cybersecurity regulations and standards for buildings. In Europe, NIS2 will be implemented in October 2024, but whilst it covers the cybersecurity of buildings in critical industries, it lacks explicit guidelines, and without strong enforcement it is unlikely to result in significant short-term improvements. Additionally, sectors such as commercial, hospitality, and retail are not covered.

In the US, Executive Order 14028 requires Federal Agencies to adopt zero trust security architecture, enhance enterprise identity systems and access control, and establish reliable asset inventories by the end of December 2024, though it is not explicitly targeted at buildings. Standards are also not industry specific – building owners tend to use NIST and IEC 62443 although Building Cyber Security, a not-for-profit organisation, is “developing and administering a proactive and holistic framework and certification process” for the buildings sector.

Industry challenges to reaching a higher level of cyber resilience.

Digitalisation increases the cybersecurity risk to building systems, yet despite a focus on secure-by-design by OEMs and increasing regulatory pressure, significant industry challenges hinder achieving higher cybersecurity maturity levels. The building management sector is complex and involves numerous contractors, necessitating a robust vendor risk management program that includes strong access and privilege management built on zero trust principles. Unfortunately, this is often lacking, exacerbated by low OT cybersecurity awareness and insufficient buy-in at senior management and board levels. According to a KPMG survey, 79% of companies lack a company-wide strategy to protect buildings, and 40% reported infrequent checks or no formal cybersecurity controls.

A key part of the challenge is the shortage of industry professionals with expertise in both building management systems and cybersecurity risk and controls. The gap in expertise and knowledge makes it difficult to change perceptions at the board level, secure funding, and implement necessary changes. This creates a negative feedback loop often resulting in inertia. To break this cycle, the industry must educate building owners on the risks and the critical need for a comprehensive cybersecurity program.

Identify your assets, segment, manage access, and monitor.

As a security leader tasked with designing and operationalising a comprehensive buildings OT cybersecurity program, it is essential to address the unique challenges and complexities of the sector. The SANS 5 critical controls for OT cybersecurity are a good guide to what should be prioritised and have been loosely applied below. The journey begins with understanding and identifying all assets within the building network to ascertain the attack surface, followed by tightening access to systems and devices.

Step 1: Identify Your Assets

In a building management environment, this involves cataloguing all devices and systems, from HVAC and lighting controls to security cameras and access control systems. Many of these devices are often overlooked, yet they are critical to the building’s operations and security. Asset discovery tools can help create a comprehensive digital inventory, providing visibility into the network. This visibility is the foundation for effective cybersecurity because it ensures that all assets, including those at the edge and in the cloud, are accounted for, patched where required, and monitored.

Step 2: Isolation and Segmentation

Once all assets are identified, the next step is isolation and segmentation as part of a ‘defensible architecture.’ Whilst isolation is the creation of a hard boundary between IT and OT, network segmentation involves dividing the OT network into distinct segments or zones, each with its own security controls. This limits the lateral movement of attackers within the network and contains potential breaches.

For Building Management Systems, segmentation is crucial because it ensures that critical systems (e.g., HVAC, lighting, security) are isolated from less critical ones. This not only enhances security but also ensures that operations remain unaffected in the event of a breach. Implementing micro-segmentation within the network can provide even finer-grained control, further enhancing the security posture.

Step 3: Manage Access

With a clear understanding of the assets and zones, security leaders need to manage access. Implementing a robust access and privileged access management program is essential. This program should be based on zero trust principles, where access is continuously verified and permissions are limited to what is necessary for each user. A well-enforced vendor risk management program is also vital. Given the complexity of the building management ecosystem, which comprises many contractors, ensuring that only authorised personnel have access to sensitive systems is important.

Step 4: Monitor and manage vulnerabilities.

Continuous monitoring is the backbone of a resilient cybersecurity program, addressing vulnerabilities across hardware, software, and personnel. This strategy involves technical controls to prioritise and manage vulnerabilities through an Exposure Management program that builds on the asset discovery (step 1). This includes threat detection, risk scoring, compliance monitoring and reporting. Administrative controls ensure that personnel are aware of their roles and responsibilities, adequately trained, and aligned with the security processes and technology.

Step 5: Incident Response

Finally, ensure that there is a clear incident response plan in place. Whilst incident response is one of the last steps in the NIST security process, it should not be treated as an afterthought or simply bolted onto the cyber risk strategy. The complexity and diversity of building systems in large estates, combined with the high number of contractors, necessitate an incident response plan that considers a wide range of stakeholders. Frequent training and testing are required to ensure the plan remains relevant.
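The following is an added illustration (not from the original article or any named vendor) of how steps 1, 2 and 4 fit together in code: a constructed BMS asset inventory is mapped to network zones, a zone-to-zone flow policy encodes the segmentation, and constructed flow records are checked for unknown devices and cross-zone traffic the policy does not permit. All addresses, device names and zone ranges are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Step 1: constructed asset inventory. Real data would come from an
# asset discovery tool; these addresses and names are invented.
ZONES = {
    "hvac":     ip_network("10.10.1.0/24"),
    "lighting": ip_network("10.10.2.0/24"),
    "security": ip_network("10.10.3.0/24"),   # cameras, access control
    "it":       ip_network("10.20.0.0/16"),   # operator workstations
}

INVENTORY = {
    "10.10.1.10": "hvac-controller-01",
    "10.10.1.11": "chiller-plc-02",
    "10.10.2.10": "lighting-gateway-01",
    "10.10.3.10": "camera-lobby",
    "10.10.3.20": "door-controller-east",
    "10.20.5.5":  "bms-workstation",
}

# Step 2: segmentation policy. Only these (source zone, destination zone)
# pairs may cross a zone boundary; everything else is a violation.
ALLOWED_FLOWS = {("it", "hvac"), ("it", "lighting"), ("it", "security")}

def zone_of(ip):
    """Return the zone name an address belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def review_flows(flow_records):
    """Step 4 monitoring check over (src_ip, dst_ip) records: report
    devices missing from the inventory and disallowed cross-zone flows."""
    findings = []
    for src, dst in flow_records:
        for ip in (src, dst):
            if ip not in INVENTORY:
                findings.append(("unknown-asset", ip))
        pair = (zone_of(src), zone_of(dst))
        if pair[0] != pair[1] and pair not in ALLOWED_FLOWS:
            findings.append(("policy-violation", f"{src}->{dst} {pair[0]}->{pair[1]}"))
    return findings

# Constructed flow sample standing in for a network sensor export.
SAMPLE_FLOWS = [
    ("10.20.5.5", "10.10.1.10"),   # workstation -> HVAC controller: allowed
    ("10.10.3.10", "10.10.1.11"),  # camera -> chiller PLC: not permitted
    ("10.10.1.99", "10.10.1.10"),  # device inside the HVAC zone, not in inventory
]

if __name__ == "__main__":
    for kind, detail in review_flows(SAMPLE_FLOWS):
        print(kind, detail)
```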

The Future of OT Cybersecurity in Buildings.

Despite the low level of building OT cybersecurity maturity and the small installed base of technical controls—with market penetration for asset discovery, compliance management, and vulnerability management estimated to be below 20%—advanced security programs are gradually replacing older technologies.

For example, while VPNs are expected to be used extensively over the forecast period, advanced users are beginning to switch to Zero Trust Network Access and Software-Defined Perimeters. This shift will be accelerated as SD-WAN grows in popularity and customers increasingly adopt SASE (Secure Access Service Edge) to manage networks and security policies.

However, the journey to building OT cybersecurity maturity takes time, resources, and management commitment, and no matter what steps are taken, it should start with understanding your assets and the related risks.
