Externalization and Ownership of Cybersecurity For (Smart) Buildings
1 Introduction
We spend more than two-thirds of our lives indoors and, pandemic times aside, the lion's share of that inside office buildings. Yet we often fail to notice that even the humblest building erected in the last 40 years is a complex system with interesting technology. Ambient temperature, door access control, air quality sensors, lifts, security, etc., are now common – often mandated – across the built environment. In older builds these systems tend not to be integrated, although some level of intelligence and central control always exists. They are commonly known as Building Management Systems (BMS) or, somewhat interchangeably, Building Automation Systems (BAS).
They are not new. BACnet, a common BMS networking protocol, was designed in the 1990s and has seen widespread deployment. New builds are increasingly smart, with embedded technologies such as Artificial Intelligence or the Internet-of-Things. A modern building for just a few hundred occupants will already have a central room from which most of the building can be monitored and controlled, a single point that could even be remote or on the Cloud.
Modern buildings rely even more on technology, giving rise to the concept of the "Smart Building". Even though the upfront cost of construction is higher, Smart Buildings quickly recover the investment through their energy efficiency, cost-effective maintenance, convenient occupancy and safety. We now see touch-screen walls, smart parking systems, zonal climate control, localized tone lighting, robots, etc. Smart buildings are also much better integrated (and, crucially, connected) with their surroundings and the Cloud. Especially with BIM (Building Information Management), which is subject to increasingly demanding mandates in the UK and EU, Smart Buildings also enable a new technology paradigm called Digital Twins [1.], where physical objects or processes have a fully digital representation.
Such a bright indoor future has, nevertheless, a looming shadow: cybersecurity. The vast gains in convenience, efficiency and safety bring technical complexity; with complexity, cybersecurity risks rise in spectrum and severity. It is not difficult to imagine the impact of malicious activities, which can go as far as loss of human life. A notable early example was the compromise of the water systems of a large Google building in Australia in 2013¹ (fortunately, by security researchers); a more recent example, in Germany in 2021, showed how malicious actors were able to hijack and disable most sensors inside a building², a phenomenon sometimes called siegeware. This is nothing more than ransomware for buildings or for the wider industrial automation systems.
Even though the Built Environment is not commonly categorized under Critical National Infrastructure (CNI), it directly supports CNI. Note that disrupting a datacenter can impact national computing infrastructure, and that the unavailability of a hospital building can directly lead to loss of life. It can further lead to non-compliance, including liabilities up to safety negligence. These risks are further aggravated by the fact that breaches may be difficult to detect quickly. Data Protection, often not associated with physical spaces, is also a rising consideration.
More dramatically, due to richer connectivity, the building infrastructure can also be the entry point or foothold for a wider attack on the core IT. In 2013, Target in the US was the victim of a large cyberattack³ in which personal data and credit card numbers were stolen. It is a particularly notable incident, as the attack vector was a breach by a third-
¹ https://www.wired.com/2013/05/googles-control-system-hacked/
² https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems
³ https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
Despite wide recognition of the problem, current approaches mostly focus on siloed technical or subsystem aspects of security and not on the complex business dynamics that, we argue, can play an equally important role. To this end, this paper discusses Cybersecurity for BMSes from a stakeholders' angle. We report on an exercise of identifying stakeholders and then mapping ownership. In Section 2, we review the concept of BMS and discuss related work, so as to draw attention to the fact that a significant part of the problem is how the market is organized. In Section 3, we develop a stakeholder analysis and, in particular, build a RACI ("responsible, accountable, consulted, and informed") matrix mapping roles to stakeholders and cybersecurity domains. Section 4 concludes our paper.
BMSes consist of the set of technologies that allow a Building to become more efficient. Broadly speaking, a BMS is a combination of several subsystems, such as Energy Management [2.]. BMSes are complex, distributed [3.] and integrated/connected with their surroundings (e.g., the smart city). BMSes comprise a mix of Industrial Control Systems (ICS), the Internet-of-Things (IoT), since connected sensors and actuators are widely used, and more conventional IT technologies, including the Cloud. This mix of different technologies and paradigms justifies a dedicated approach to cybersecurity. Despite the openness and integration with conventional IT technologies, notably the Internet, devices typically communicate and integrate with the wider architecture using specific protocols such as BACnet, KNX or Modbus [4.].
On the plant side, we have multiple systems. Heating, Ventilation and Air-Conditioning (HVAC) and occupant wellbeing (e.g., monitoring CO2 levels) provide comfort for the human occupiers. We also have lighting control, fire systems and vertical transportation such as lifts and escalators.
All these systems are localized within the premises but physically distributed, with sensors and actuators across the building connected by communication networks that are normally wired. BMSes can be complex systems and are thus highly vulnerable to a wide range of cyberattacks, some generic (such as compromising common IT functions like web servers) and some specific to the setting, such as taking advantage of the poor security design of old automation protocols. This section reviews (1) proposals for BMS cybersecurity, (2) the security of BMS building blocks such as communication protocols, (3) the challenges arising from the fast convergence of IT and OT, (4) the lack of suitable standards, and (5) how the cybersecurity market is structured, particularly when compared to the conventional IT market.
As mentioned, BMSes fall under the wider family of Industrial Control Systems (ICS, or Industrial IoT, IIoT) or Operational Technologies (OT), combined with IoT and conventional IT, including the Cloud. OT is particularly infamous for being insecure, and incidents can scale up to CNI, such as the power grid. As in the wider OT world, buildings use specific technologies that, regardless of convergence with the Internet, will remain specialized; further, old and new technologies will have to co-exist. An immediate example is penetration testing ("pentesting"), which will differ from that of a web server for e-commerce.
The challenges are three-fold. First, we see modern and well-managed devices co-existing with old, long-life devices and technologies [5.], which are difficult and expensive to upgrade, often requiring replacement in bulk for interoperability reasons. Second, as BMSes fully leverage IoT in some form, we see embedded technologies, often resource-constrained (e.g., unable to support strong cryptography) and physically accessible in spaces with poor physical monitoring, such as basements or car parks. Finally, we see a lack or inconsistency of mature security standards in component/protocol and system development. One simple example is how easy it is to launch a Denial-of-Service attack on BACnet [7.], given the way it was originally designed. Due to the difficulty of upgrading, its insecure versions are still widespread. The problem is not strictly technical, as solutions exist. For example, protocol-specific firewalls and intrusion detection systems have been proposed [8.] [9.], and even honeypots [10.], but deploying them would imply a modification of the whole system and installation. This problem leads us back to operational and market forces.
On the one hand, there is the problem of ownership of the cybersecurity function, discussed later. On the other hand, the market structure is not seeing the level of externalization we see in Enterprise cybersecurity. Externalization has greatly benefited cybersecurity over the last decade by commoditizing and dramatically reducing the costs of many components of a modern cybersecurity program. One successful
A related problem is the lack of cybersecurity tools and products specifically for buildings, which differ from common IT/Cloud infrastructure. For example, there are many alternatives to automate device inventories for common IT. For buildings, however, such tools barely exist beyond open source, are difficult to maintain, or are localized initiatives [12.]. The problem is partly due to specialized technologies (e.g., protocols such as BACnet, KNX or Modbus); another barrier is that BMS technologies are not commonly designed to be monitored for security events.
3 Stakeholder Analysis
We now identify the key parties involved in operating a building from the specific angle of Cybersecurity. Given that there are multiple stakeholders and a lack of structure in cybersecurity for BMSes, we are interested in identifying ownership of processes. To this aim, we use RACI matrices, common in Project Management methodologies, and identify who should be:
- Responsible for performing the task, usually one or more parties;
- Accountable, the single party that delegates the task to the Responsible parties and is ultimately accountable for the quality of the outcome;
- Consulted, who provides input into the task, often a subject matter expert;
- Informed, the parties that should receive updates on the progress of the task.
In the first mapping, we offer an overall cybersecurity analysis by laying out the
ownership hypothesis. In the second mapping, we break down the cybersecurity
program into common tasks inspired by NIST's Cybersecurity Framework (CSF) [16.]
and run a similar analysis.
3.1 Stakeholders
The Built Environment is rooted in mature, centuries-old business practices that bring a degree of rigidity and are structured around roles that can be unwelcoming of change outside the core business. Cybersecurity thus needs to follow existing roles, culture and structures. For each building, one can have an interplay of hands-off ownership roles, local/central governments, Facilities Management (FM, who effectively runs the building), specialized maintenance contractors and integrators, the original constructor and dependent sub-contractors, and tenants/occupiers (permanent or visitors), who may share responsibilities with the FM. Consequently, the ownership and roles of cybersecurity for Smart Buildings are unclear, making it a daunting supply-chain security problem. In fact, the biggest pain of cybersecurity for buildings may lie in the coordination complexity of all these parties.
The stakeholders are as follows. We start with the Owner, the proprietor of the building, who likely lets it out either to a management agency or directly to occupiers. The Owner often has no role in day-to-day operations and is commonly a financial or real-estate institution. Facilities Management (FM) companies effectively run and maintain the building and premises. A variant of this role is that FM may itself not be hands-on and further delegate tasks to an FM subcontractor (e.g., gardening). The Occupiers, or Tenants, are the parties who use the Building. We identify two types: one is the tenant letting the whole building with a view to subletting (e.g., offices); the other is the actual occupier of the building, such as a business renting office space or a residential dwelling. The Builder, with its subcontractors, developed the physical building and, beyond contractual maintenance, ceases to be a party after the building is handed over to the Owner. The BMS Manager is a further role, distinguished by having the necessary technical skills to operate the BMS, either as a whole or per subsystem (e.g., HVAC or CCTV). Integrators are those parties who work with Device/System Vendors in order to build a larger BMS subsystem. For example, the CCTV subsystem and the door access control may be supplied by different vendors but integrated into a single monitoring system. The final stakeholder, an umbrella and catch-all function, is the wider Supply Chain, ranging from catering teams to the Internet Service Provider. Fig 2 shows how these parties relate to each other.
Whereas Building Owners may be the ultimate stakeholders and thus could set out policies and compliance strategies, likely in the form of contractual clauses, FMs seem to be in a privileged position to run a security program and take on an operational role. It is, however, unclear to what extent FM will openly take on this modern vocation [17.], which suggests a new role in the Built Environment industry taking up Cybersecurity. This is connected to the need for externalization, as discussed in the remainder of this paper.
not expected to need to be consulted (unless it is an expert party) or informed. The Builder is not expected to have any role in cybersecurity beyond the construction phase and a consulting role.
The first, GRC ("Governance, Risk, Compliance"), concerns the overall strategy and project management. It includes senior-level policies, alignment with regulations (e.g., Data Protection) and certifications (e.g., ISO/IEC 27001), and high-level management of Risk. Risk Management concerns the continuous identification, mitigation and verification of risks. Secure Systems encompasses the security of the technical elements, from networking to the Industrial Controls of, for example, lifts and escalators. People and Training involves policies and procedures, along with training and awareness. Asset Management keeps track of all assets, from physical objects to data sets and software, which includes updates and disposal. Access Control goes beyond doors and access to spaces to include access to systems. Third-Party Management covers the coordination and verification of third parties, including measures to protect against supply-chain attacks [19.]. Monitoring and Detection
Table 2 shows the result of our exercise. We start by noting that we applied the RACI methodology with considerable liberty. For example, there should be only one entity Accountable per area. The table should instead be read as potential roles and ownership.
Table 2. RACI mapping of cybersecurity areas (rows) to stakeholders (columns). The column order below is inferred from the rotated headers of the extracted table and from the text, and is an assumption; the eighth header survives only as "Builders &".

Columns: 1 Building Owner, 2 Facilities Manager, 3 Subcontractors of FM, 4 Device/System, 5 BMS Manager, 6 Occupier, 7 Integrators, 8 Builders &

Area                      1  2  3  4  5  6  7  8
GRC                       A  R  I  I  C  I  C  C
Risk Management           A  R  I  C  C  I  C  C
Secure Systems            I  A  A  A  R  I  C  C
People and Training       I  A  A  A  A  I  C  C
Asset Management          A  R  C  C  I  I  C  C
Access Control            I  R  C  C  I  I  C  C
Third-Party Management    R  R  I  R  C  I  R  C
Monitoring & Detection    I  R  C  C  R  I  C  C
IR and Continuity         A  R  C  C  R  I  C  C
Digital Forensics         A  R  C  C  R  C  C  C
Communications            A  R  C  C  C  C  C  C
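As an added example (not code from the paper), the Table 2 matrix can be checked mechanically against the strict RACI rule of exactly one Accountable party per area, which makes the ownership gaps the text describes explicit. The stakeholder column order used here is an assumption inferred from the extracted table; the letter rows are copied from Table 2.

```python
from collections import Counter

# Assumed column order of Table 2 (not stated explicitly on the page; the
# rotated headers were reconstructed from the extraction and the text).
STAKEHOLDERS = [
    "Building Owner", "Facilities Manager", "Subcontractors of FM",
    "Device/System", "BMS Manager", "Occupier", "Integrators", "Builders",
]

# Letter rows copied from Table 2 of the paper, one code per stakeholder.
TABLE_2 = {
    "GRC":                    "A R I I C I C C",
    "Risk Management":        "A R I C C I C C",
    "Secure Systems":         "I A A A R I C C",
    "People and Training":    "I A A A A I C C",
    "Asset Management":       "A R C C I I C C",
    "Access Control":         "I R C C I I C C",
    "Third-Party Management": "R R I R C I R C",
    "Monitoring & Detection": "I R C C R I C C",
    "IR and Continuity":      "A R C C R I C C",
    "Digital Forensics":      "A R C C R C C C",
    "Communications":         "A R C C C C C C",
}

def parse_matrix(rows, stakeholders):
    """Turn 'A R I ...' strings into {area: {stakeholder: code}}, validating shape."""
    matrix = {}
    for area, letters in rows.items():
        codes = letters.split()
        if len(codes) != len(stakeholders):
            raise ValueError(f"{area}: expected {len(stakeholders)} codes, got {len(codes)}")
        if any(code not in "RACI" for code in codes):
            raise ValueError(f"{area}: codes must be one of R, A, C, I")
        matrix[area] = dict(zip(stakeholders, codes))
    return matrix

def parties_with_role(matrix, role):
    """For each area, list the stakeholders holding the given RACI code."""
    return {area: [s for s, c in cells.items() if c == role]
            for area, cells in matrix.items()}

def accountability_gaps(matrix):
    """Group areas by how many Accountable parties they have (strict RACI: exactly one)."""
    groups = {"none": [], "one": [], "many": []}
    for area, accountable in parties_with_role(matrix, "A").items():
        key = "none" if not accountable else "one" if len(accountable) == 1 else "many"
        groups[key].append(area)
    return groups

def role_load(matrix, stakeholder):
    """Count how often a stakeholder carries each RACI code across all areas."""
    return Counter(cells[stakeholder] for cells in matrix.values())

if __name__ == "__main__":
    m = parse_matrix(TABLE_2, STAKEHOLDERS)
    gaps = accountability_gaps(m)
    print("Areas with no Accountable party:", gaps["none"])
    print("Areas with several Accountable parties:", gaps["many"])
    print("Facilities Manager role load:", dict(role_load(m, "Facilities Manager")))
```

Running it reports Access Control, Third-Party Management and Monitoring & Detection as areas with no Accountable party at all, and Secure Systems and People and Training as areas with several, which is the paper's "no clear ownership" finding in numbers.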
Once more, of all parties involved, it is clear that, in the absence of anything else, FM is in the best position to take over most tasks in a Responsible role and some as the Accountable party, such as Secure Systems, by delegating those tasks to a combination of technical experts, the BMS Manager and Vendors or Integrators. In this sense, FM naturally takes a coordination role, even if it remains to be established whether FM is open to taking on this vocation.
Most stakeholders take, quite naturally, an "Informed" role. For example, the Occupier has reasonable expectations of operating in a secure space and thus should only be kept informed of any issues. At best, there would be direct engagement with Digital Forensics and Law Enforcement, and with Communications, if the Building as a whole is involved.
Nevertheless, the exercise makes clear that Cybersecurity in Buildings has no clear ownership, as it is difficult to make anyone Accountable beyond the Owner of the Building, who, via contractual means, may waive liability. For example, if the Owner is a Financial institution, it is intuitive for it to accept that Cybersecurity is an operational aspect of running the building and that it therefore bears no responsibility.
We have reviewed the current state of cybersecurity for Buildings and run exercises on identifying ownership of cybersecurity. The clear outcome is that there is no obvious stakeholder for this role, except, perhaps, the Facilities Manager, likely with a specialized third party. Our findings now need to be validated and expanded. The interviews we conducted merely identified stakeholders. Breaking down Cybersecurity in a form aligned with the built environment's processes and standards is now essential. This paper opens a number of research directions, mostly broad, given that Cybersecurity for the Built Environment is still in its infancy, both in Research and Industry. From a technical perspective, integrated security architectures need to be developed that take into account two key aspects: (1) the different subsystems that a BMS consists of, and (2) the constant evolution and merging of paradigms such as legacy BMSes, Internet-based technologies, IoT and the Cloud. From a practice perspective, existing frameworks need to be adapted, perhaps expanded, and aligned with the professional practices in the Built Environment. For example, if FM is to take up the role of operational cybersecurity, a framework needs to understand the underlying business models. Furthermore, and quite challenging, a comprehensive framework needs to understand the different phases and the dynamics of the lifecycle of a building, from design to demolition.
References
1. M. Dietz and G. Pernul, "Unleashing the Digital Twin's Potential for ICS Security," IEEE Security & Privacy, vol. 18, no. 4, pp. 20-27, July-Aug. 2020, doi: 10.1109/MSEC.2019.2961650.
IEEE Industrial Electronics Magazine, vol. 10, no. 1, pp. 25-39, March 2016, doi: 10.1109/MIE.2015.2513749.
3. P. Stluka, G. Parthasarathy, S. Gabel and T. Samad, "Architectures and Algorithms for Building Automation—An Industry View," in J. Wen and S. Mishra (eds), Intelligent Building Control Systems, Advances in Industrial Control, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-68462-8_2.
7. M. Peacock, M.N. Johnstone and C. Valli, "An Exploration of Some Security Issues Within the BACnet Protocol," in P. Mori, S. Furnell and O. Camp (eds), Information Systems Security and Privacy, ICISSP 2017, Communications in Computer and Information Science, vol. 867, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-93354-2_12.
10. J. Bauer, J. Goltz, T. Mundt and S. Wiedenmann, "Honeypots for Threat Intelligence in Building Automation Systems," 2019 Computing, Communications and IoT Applications (ComComAp), 2019, pp. 242-246, doi: 10.1109/ComComAp46287.2019.9018776.
11. R. Paes, D. C. Mazur, B. K. Venne and J. Ostrzenski, "A Guide to Securing Industrial Control Networks: Integrating IT and OT Systems," IEEE Industry Applications Magazine, vol. 26, no. 2, pp. 47-53, March-April 2020, doi: 10.1109/MIAS.2019.2943630.
13. IEC/ISA 62443, "Industrial communication networks – Network and system security, Part 1-1: Terminology, concepts and models," 2009.
15. Internet of Things Security Foundation, "Can You Trust Your Smart Building?," Whitepaper, June 2019.
17. M. Marocco and I. Garofolo, "Integrating disruptive technologies with facilities management: A literature review and future research directions," Automation in Construction, vol. 131, 2021, 103917, ISSN 0926-5805, https://doi.org/10.1016/j.autcon.2021.103917.
18. NIST, SP 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security," May 2015.
19. N. Kshetri, "Economics of Supply Chain Cyberattacks," IT Professional, vol. 24, no. 3, pp. 96-100, May-June 2022, doi: 10.1109/MITP.2022.3172877.