Externalization and Ownership of Cybersecurity For (Smart) Buildings
1 Introduction
We spend more than two-thirds of our lives indoors and the lion’s share of that is inside
office buildings, if we are to discount pandemic times. Yet, we often fail to notice how
even the humblest of all buildings built in the last 40 years is a complex system with
interesting technology. Ambient temperature, door access control, air quality sensors,
lifts, security, etc., are now common – often mandated – across the built environment.
In older buildings, these systems tend not to be integrated, although some level of
intelligence and central control always exists. These are commonly known as Building
Management Systems (BMS) or, somewhat interchangeably, Building Automation
Systems (BAS).
They are not new. BACnet, a common BMS networking protocol, was designed in the
1990s and has had widespread deployment. New builds are increasingly smart, with
embedded technologies such as Artificial Intelligence or the Internet-of-Things. A
modern building for just a few hundred occupants will already have a central room
from which most of the building can be monitored and controlled at a single point,
which could even be remote or in the Cloud.
Modern buildings rely even more on technology, giving rise to the concept of the "Smart
Building". Even though the upfront cost of construction is higher, Smart Buildings
quickly recover the investment through their energy efficiency, cost-effective
maintenance, convenient occupancy, and safety. We now see touch-screen walls, smart
parking systems, zonal climate control, localized tone lighting, robots, etc. Smart
buildings are also much better integrated (and, crucially, connected) with their
surroundings and the Cloud. Especially with BIM (Building Information Management),
subject to increasingly demanding mandates in the UK and EU, Smart Buildings also enable
a new technology paradigm called Digital Twins [1], where physical objects or
processes have a fully digital representation.
Such a bright indoor future has, nevertheless, a looming shadow: cybersecurity. The
vast gains in convenience, efficiency and safety bring technical complexity, and with
complexity, cybersecurity risks rise in both spectrum and severity. It is not difficult to
imagine the impact of malicious activity, which can extend to the loss of human life. A
notable early example was the compromise of the water systems of a large Google building
in Australia in 2013¹ (fortunately, by security researchers); a more recent example, in
Germany in 2021, showed how malicious actors were able to hijack and disable most
sensors inside a building², a phenomenon sometimes called siegeware. This is nothing
more than ransomware for buildings or the wider industrial automation systems.
Even though the Built Environment is not commonly categorized as Critical
National Infrastructure (CNI), it directly supports CNI: disrupting a
datacenter can impact national computing infrastructure, and the unavailability of a
hospital building can directly lead to loss of life. It can further lead to non-compliance,
including liabilities up to safety negligence. These risks are further aggravated by the
fact that breaches may be difficult to detect quickly. Data Protection, not often
associated with physical spaces, is also a rising consideration.
More dramatically, due to richer connectivity, the building infrastructure can also be
the entry point or foothold for a wider attack on the core IT. In 2013, Target in the US
was the victim of a large cyberattack³ in which personal data and credit card numbers
were stolen. It is a notable incident because the attack vector was a breach of a third-party
supplier/maintainer of HVAC systems. It is unclear how this led to a breach in the
payments system, but it is possible that the two networks were connected, and criminals
were able to hop between the two subsystems.

¹ https://www.wired.com/2013/05/googles-control-system-hacked/
² https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems
³ https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
Despite wide recognition of the problem, current approaches mostly focus on siloed
technical or subsystem aspects of security and not on the complex business dynamics
that, we argue, can play an equally important role. To this end, this paper discusses
Cybersecurity for BMSes from a stakeholders' angle. We report on an exercise of
identifying stakeholders and then mapping ownership. In Section 2, we review the
concept of BMS and discuss related work, so as to draw attention to the fact that a
significant problem is how the market is organized. In Section 3, we develop a
stakeholder analysis and, in particular, build a RACI ("responsible, accountable,
consulted, and informed") matrix mapping roles to stakeholders and cybersecurity
domains. Section 4 concludes our paper.
BMSes consist of the set of technologies that allow a Building to become more
efficient. Broadly speaking, a BMS is a combination of several subsystems, such as Energy
Management [2]. BMSes are complex, distributed [3] and integrated/connected with
their surroundings (e.g., the smart city). BMSes comprise a mix of Industrial Control
Systems (ICS), the Internet-of-Things (IoT), as connected sensors and actuators are
widely used, and more conventional IT technologies, which include the Cloud. This
mix of different technologies and paradigms justifies a unique approach to
cybersecurity. Despite the openness and integration with conventional IT technologies,
notably the Internet, devices typically communicate and integrate with the wider
architecture using specific protocols such as BACnet, KNX, or Modbus [4].
All these systems are localized within the premises but physically distributed, with
sensors and actuators across them and communication networks that are normally wired.
The challenges are three-fold. First, we see modern and well-managed devices
coexisting with old, long-life devices and technologies [5], which are difficult and
expensive to upgrade, often requiring bulk replacement for interoperability reasons.
Second, as BMSes fully leverage IoT in some form, we see embedded technologies,
often resource-constrained (e.g., unable to support strong cryptography) and physically
accessible in spaces with poor physical monitoring, such as basements or car parks.
Finally, we see a lack or inconsistency of mature security standards in
component/protocol and system development. One simple example is how easy it is to
launch a Denial-of-Service attack on BACnet [7], given the way it was originally
designed. Due to the difficulty of upgrading, its insecure versions remain
widespread. The problem is not strictly technical, as solutions exist. For example,
protocol-specific firewalls and intrusion detection systems have been proposed [8][9],
and even honeypots [10], but adopting them would imply a modification of the whole system and
installation. This problem leads us back to operational and market forces.
3 Stakeholder Analysis
We now identify the key parties involved in operating a building from the specific angle
of Cybersecurity. Considering that there are multiple stakeholders and a lack of structure
in cybersecurity for BMSes, we are interested in identifying ownership of processes.
To this aim, we use RACI matrices, common in Project Management methodologies,
and identify who
• should be Responsible for performing the task, usually one or more parties;
• is Accountable, the single party that delegates the task to Responsible parties
and is ultimately accountable for the quality of the outcome;
• is Consulted, providing input into the task, often a subject matter expert;
• and is Informed, the parties that should receive updates on the progress of
the task.

⁴ https://www.iotsecurityfoundation.org/
In the first mapping, we offer an overall cybersecurity analysis by laying out the
ownership hypothesis. In the second mapping, we break down the cybersecurity
program into common tasks inspired by NIST's Cybersecurity Framework (CSF) [16]
and run a similar analysis.
3.1 Stakeholders
The Built Environment is rooted in mature, centuries-old business practices that bring
a degree of rigidity and are structured around roles that can be unwelcoming of change
if not in the core business. Cybersecurity needs, thus, to follow existing roles, culture,
and structures. For each building, one can have an interplay of hands-off ownership
roles, local/central governments, Facilities Management (FM, who effectively runs the
building), specialized maintenance contractors and integrators, the original constructor
and dependent sub-contractors, and tenants/occupiers (permanent or visitors), who may
share responsibilities with the FM. Consequently, the ownership and roles of
cybersecurity for Smart Buildings are unclear, making it a daunting supply-chain
security problem. In fact, the biggest pain of cybersecurity for buildings may lie in the
coordination complexity of all parties.
The identification of stakeholders consisted of holding unstructured interviews with
experts in activities surrounding the Built Environment:
• Construction businesses (two)
• Facility Managers (two)
• Academics in Built Environment (one in Construction Management and
another in Facilities Management)
• Vendors of systems and devices for BMS (two)
The stakeholders are as follows. We start with the Owner, who is the proprietor of the
building and likely lets it out either to a management agency or directly to occupiers. The
Owner often has no role in day-to-day operations and is commonly a financial or real-estate
institution. Facilities Management (FM) companies effectively run and maintain the
building and premises. A variant of this role is that FM may, themselves, not be
hands-on and further delegate tasks to an FM subcontractor (e.g., gardening). The
Occupiers, or Tenants, are the parties who use the Building. Two types were
identified. One is the tenant letting the whole building with a view to subletting (e.g.,
offices); the other is the actual occupier of the building, such as a business renting
office space or a residential dwelling. The Builder, and its subcontractors, developed the
physical building and, beyond contractual maintenance, ceases to be a party after the
building is handed over to the Owner. The BMS Manager is a further role whose
specificity lies in having the necessary technical skills to operate the BMS, either as
a whole or per subsystem (e.g., HVAC or CCTV). Integrators are those parties who
work with Device/System Vendors in order to build a larger BMS subsystem. For
example, the CCTV subsystem and the door access control may be supplied by different
vendors but integrated into a single monitoring system. The final stakeholder, which is
an umbrella and catch-all function, is the wider Supply Chain, ranging from catering
teams to the Internet Service Provider. Fig 2 shows how these parties relate to each
other.
Whereas Building Owners may be the ultimate stakeholders and thus could set out
policies and compliance strategies, likely in the form of contractual clauses, FMs seem
to be in a privileged position to run a security program and take on an operational role.
It is, however, unclear to what point FM will openly take on this modern vocation [17],
which suggests a new role in the Built Environment industry taking up Cybersecurity.
This is connected to the need for externalization, as discussed in the remainder of this
paper.
not expected the need to be consulted (unless it is an expert party) or informed. The
Builder is not expected to have any role in cybersecurity except in the construction
phase and a consulting role.
Given the technical element of cybersecurity, the BMS Manager is expected to be key,
particularly in Cybersecurity Operations. Furthermore, it can be the most qualified
party to interface with Integrators and Device Vendors who must always be consulted
– for example, if a device is found to have a vulnerability that needs to be patched.
Finally, the wider Supply Chain is likely to take a generic role in consultation, but this
depends on the specific area.
the infrastructure and people's activity to identify malicious activity. Should an attack
have significant impact, Incident Response (IR) and Continuity cover the actions needed
to maintain an activity or restore normal operations. Should there be criminal activity,
Law Enforcement will be involved, with Digital Forensics. Finally, Communications
concerns public and stakeholder engagement, such as when a breach happens.
Table 2 shows the result of our exercise. We start by noting that we took the RACI
methodology with great liberty. For example, there should be only one entity
accountable per area. The table should be read, instead, as potential roles and
ownership.
Table 2. Potential roles and ownership per cybersecurity area (R = Responsible,
A = Accountable, C = Consulted, I = Informed). Columns, left to right: Building Owner
(Own), Facilities Manager (FM), Subcontractors of FM (FMSub), Builders &
Subcontractors (Bld), BMS Manager (BMS), Occupier (Occ), Integrators (Int),
Device/System Vendors (Ven).

Area                     Own  FM  FMSub  Bld  BMS  Occ  Int  Ven
GRC                      A    R   I      I    C    I    C    C
Risk Management          A    R   I      C    C    I    C    C
Secure Systems           I    A   A      A    R    I    C    C
People and Training      I    A   A      A    A    I    C    C
Asset Management         A    R   C      C    I    I    C    C
Access Control           I    R   C      C    I    I    C    C
Third-Party Management   R    R   I      R    C    I    R    C
Monitoring & Detection   I    R   C      C    R    I    C    C
IR and Continuity        A    R   C      C    R    I    C    C
Digital Forensics        A    R   C      C    R    C    C    C
Communications           A    R   C      C    C    C    C    C
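The paper notes that it applied the RACI method "with great liberty", in particular the rule that each area has exactly one Accountable party. The following Python script is an added example, not code from the paper: it encodes Table 2 (the left-to-right column order Building Owner, Facilities Manager, Subcontractors of FM, Builders & Subcontractors, BMS Manager, Occupier, Integrators, Device/System Vendors is our reading of the original layout and is an assumption) and checks every area against the textbook rules of exactly one Accountable party and at least one Responsible party, which is how a practitioner would audit a RACI drawn up for their own building before writing it into contracts. It also counts, per stakeholder, how many areas each letter covers, which makes the paper's observation about FM's Responsible/Accountable load directly visible.

```python
"""RACI consistency checker for a building-cybersecurity ownership matrix.

Added example (not the paper's code). Encodes Table 2 with an assumed
column order and checks each area against the standard RACI rules:
exactly one Accountable party and at least one Responsible party.
"""
from collections import Counter

# Stakeholder columns of Table 2, left to right (assumed reading order).
STAKEHOLDERS = [
    "Building Owner",
    "Facilities Manager",
    "Subcontractors of FM",
    "Builders & Subcontractors",
    "BMS Manager",
    "Occupier",
    "Integrators",
    "Device/System Vendors",
]

# Table 2 rows: cybersecurity area -> one R/A/C/I letter per stakeholder.
TABLE_2 = {
    "GRC":                    "A R I I C I C C",
    "Risk Management":        "A R I C C I C C",
    "Secure Systems":         "I A A A R I C C",
    "People and Training":    "I A A A A I C C",
    "Asset Management":       "A R C C I I C C",
    "Access Control":         "I R C C I I C C",
    "Third-Party Management": "R R I R C I R C",
    "Monitoring & Detection": "I R C C R I C C",
    "IR and Continuity":      "A R C C R I C C",
    "Digital Forensics":      "A R C C R C C C",
    "Communications":         "A R C C C C C C",
}

VALID_ROLES = {"R", "A", "C", "I"}


def parse_matrix(raw, stakeholders=STAKEHOLDERS):
    """Turn compact row strings into {area: {stakeholder: role}}, rejecting
    rows with the wrong number of cells or letters outside R/A/C/I."""
    matrix = {}
    for area, cells in raw.items():
        roles = cells.split()
        if len(roles) != len(stakeholders):
            raise ValueError(f"{area}: expected {len(stakeholders)} cells, got {len(roles)}")
        bad = set(roles) - VALID_ROLES
        if bad:
            raise ValueError(f"{area}: invalid role letters {sorted(bad)}")
        matrix[area] = dict(zip(stakeholders, roles))
    return matrix


def check_area(roles):
    """Return the list of RACI rule violations for one area ([] = compliant)."""
    counts = Counter(roles.values())
    problems = []
    if counts["A"] == 0:
        problems.append("no Accountable party")
    elif counts["A"] > 1:
        holders = [s for s, r in roles.items() if r == "A"]
        problems.append(f"{counts['A']} Accountable parties: {', '.join(holders)}")
    if counts["R"] == 0:
        problems.append("no Responsible party")
    return problems


def audit(matrix):
    """Map each non-compliant area to its violations; compliant areas are omitted."""
    report = {}
    for area, roles in matrix.items():
        problems = check_area(roles)
        if problems:
            report[area] = problems
    return report


def workload(matrix, stakeholder):
    """Count how many areas a stakeholder holds in each role letter."""
    return Counter(matrix[area][stakeholder] for area in matrix)


if __name__ == "__main__":
    matrix = parse_matrix(TABLE_2)
    for area, problems in audit(matrix).items():
        print(f"{area}: {'; '.join(problems)}")
    for who in STAKEHOLDERS:
        print(f"{who}: {dict(workload(matrix, who))}")
```

Run as-is, the audit flags five of the eleven areas (Secure Systems and People and Training for multiple Accountable parties, Access Control, Third-Party Management and Monitoring & Detection for having none), which is exactly the "liberty" the text refers to, and the workload count shows Facilities Manager holding R in nine areas and A in two while Device/System Vendors are Consulted in all eleven.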
Once more, of all parties involved, it is clear that, in the absence of something else, FM
is in the best position to take over most tasks in a Responsible role and some as the
Accountable party, such as Secure Systems, by delegating those tasks to a combination
of technical experts, the BMS Manager and Vendors or Integrators. In this sense, FM
naturally takes a coordination role even if it remains to establish whether FM is open
to taking on this vocation.
Most stakeholders take, quite naturally, an "Informed" role. For example, the Occupier
has reasonable expectations of operating in a secure space and thus should only be kept
informed of any issues. At best, there would be a direct engagement with Digital
Forensics and Law Enforcement and Communications if involving the Building as a
whole.
Cybersecurity Operations, in the sense of Monitoring & Detection and IR & Continuity,
could be a task for the BMS Manager, if one is reminded that these tasks involve day-
to-day activities, highly specialized people and tools, and continuous execution of
procedures. This is the realm of Security Information and Event Management (SIEM),
a service/tool long established in IT but that, to the best of our knowledge, does not
exist for BMSes. At best, Vendors offer similar services but usually as a bundle with
the installation of their own equipment and part of a maintenance contract. The notion
of outsourcing Security Monitoring (as in Managed Security Services) seems to be
completely absent from BMS.
Nevertheless, the exercise makes clear that Cybersecurity in Buildings has no clear
ownership, as it is difficult to make anyone Accountable beyond the Owner of the
Building who, via contractual means, may waive liability. For example, if the Owner is
a financial institution, it is intuitive for it to treat Cybersecurity as an operational aspect
of running the building and, therefore, to consider that it bears no responsibility.
We have reviewed the current state of cybersecurity for Buildings and run an exercise in
identifying ownership of cybersecurity. The clear outcome is that there is no obvious
stakeholder for this role, except, perhaps, the Facilities Manager, likely with a
specialized third party. Our findings now need to be validated and expanded. The
interviews we conducted merely identified stakeholders. Breaking down Cybersecurity
in a form aligned with the Built Environment's processes and standards is now essential.
This paper opens a number of research directions, mostly broad, given that
Cybersecurity for the Built Environment is still in its infancy, both in Research and
Industry. From a technical perspective, integrated security architectures need to be
developed that take into account two key aspects: (1) the different subsystems that a
BMS consists of, and (2) the constant evolution and merging between paradigms such
as legacy BMSes, Internet-based technologies, IoT, and the Cloud. From a practice
perspective, existing frameworks need to be adapted, and perhaps expanded, and
aligned with the professional practices in the Built Environment. For example, if FM is
to take up the role of operational cybersecurity, a framework needs to understand the
underlying business models. Furthermore, and quite challenging, a comprehensive
framework needs to understand the different phases and the dynamics of the lifecycle
of a building, from design to demolition.
References
1. M. Dietz and G. Pernul, "Unleashing the Digital Twin's Potential for ICS Security," IEEE Security & Privacy, vol. 18, no. 4, pp. 20-27, July-Aug. 2020, doi: 10.1109/MSEC.2019.2961650.
Electronics Magazine, vol. 10, no. 1, pp. 25-39, March 2016, doi: 10.1109/MIE.2015.2513749.
3. P. Stluka, G. Parthasarathy, S. Gabel, T. Samad, "Architectures and Algorithms for Building Automation—An Industry View," in J. Wen, S. Mishra (eds), Intelligent Building Control Systems, Advances in Industrial Control, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-68462-8_2
4. P. Domingues, P. Carreira, R. Vieira, W. Kastner, "Building automation systems: Concepts and technology review," Computer Standards & Interfaces, vol. 45, pp. 1-12, 2016, ISSN 0920-5489, https://doi.org/10.1016/j.csi.2015.11.005
7. M. Peacock, M.N. Johnstone, C. Valli, "An Exploration of Some Security Issues Within the BACnet Protocol," in P. Mori, S. Furnell, O. Camp (eds), Information Systems Security and Privacy, ICISSP 2017, Communications in Computer and Information Science, vol. 867, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-93354-2_12
10. J. Bauer, J. Goltz, T. Mundt and S. Wiedenmann, "Honeypots for Threat Intelligence in Building Automation Systems," 2019 Computing, Communications and IoT Applications (ComComAp), 2019, pp. 242-246, doi: 10.1109/ComComAp46287.2019.9018776.
11. R. Paes, D. C. Mazur, B. K. Venne and J. Ostrzenski, "A Guide to Securing Industrial Control Networks: Integrating IT and OT Systems," IEEE Industry Applications Magazine, vol. 26, no. 2, pp. 47-53, March-April 2020, doi: 10.1109/MIAS.2019.2943630.
13. IEC/ISA 62443, "Industrial communication networks – Network and system security, Part 1-1: Terminology, concepts and models," 2009.
14. BSI, PAS 1192-5:2015, "Specification for security-minded building information modelling, digital built environments and smart asset management," 2015.
15. Internet of Things Security Foundation, "Can You Trust Your Smart Building?," Whitepaper, June 2019.
17. M. Marocco, I. Garofolo, "Integrating disruptive technologies with facilities management: A literature review and future research directions," Automation in Construction, vol. 131, 103917, 2021, ISSN 0926-5805, https://doi.org/10.1016/j.autcon.2021.103917.
18. NIST, SP 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security," May 2015.
19. N. Kshetri, "Economics of Supply Chain Cyberattacks," IT Professional, vol. 24, no. 3, pp. 96-100, May-June 2022, doi: 10.1109/MITP.2022.3172877.