Securing the Internet of Things is a mandate that extends beyond the IT department, according to recent research from Urgent Technology. The organization’s facilities manager must be part of the conversation, according to the UK-based facilities management and asset management software firm. Today’s smart buildings are equipped with a range of IoT devices which automate much of the facility management processes, including lighting, heating, ventilation and air conditioning (HVAC), as well as lifts, escalators and security. As building management systems evolve into Internet-enabled building automation systems, they are much more susceptible to possible cyberthreats. A technology that enables users to control all the elements of a building, which includes security equipment such as CCTV (closed-circuit television) and door locks, is also more vulnerable to a cyberattack.
To address those cybersecurity risks that may affect their organizations, facilities managers first need to acknowledge they have a crucial role to play, according to Paul Djuric, CEO of Urgent Technology. Djuric shared his views and advice on the evolving role of the facilities manager in securing IoT deployments in this Q&A.
Why did you decide to examine the role of the facilities manager in cybersecurity?
Djuric: Hackers are no longer going through an organization’s main IT systems. Instead they’re increasingly targeting property and facilities-related devices, which are connected to the internet, such as the building management system or desk sensors. The trend toward the utilization of the Internet of Things and connected devices in properties means that cyber-hacking is no longer the sole concern of the IT department.
Can you share some advice on how facilities managers can gain a seat at the table for cybersecurity discussions?
Djuric: Facilities managers who are concerned that their systems are vulnerable should begin the cybersecurity process by lobbying those who are responsible for the safeguarding of information to commission a data assessment. This will help an organization identify what critical information is stored, processed or transmitted, establish why the data might be an attractive target, and establish any regulatory compliance it must adhere to.
Once the value of data is understood, facilities managers should encourage the same parties to commission a formal risk assessment to identify the possibilities of reducing any unnecessary storage and processing. They should assess the likelihood and impact of an attack. They should formally identify what an appropriate security baseline should be and establish the extent of any gaps between the existing and target positions. They should conduct an efficient data risk assessment, and carry out both internal and external penetration tests on the network.
From the perspective of securing IoT technologies, what would you say is the main takeaway from your firm’s research?
Djuric: Facilities managers and their organizations face significant challenges in the future in combating the cyberthreats posed by the convergence of physical assets within a building with data. This is why a wide-ranging and proactive approach should be taken to ensure that the facilities manager can reap the undoubted benefits of workplace digitization, while ensuring that facilities are not open to undue risks. In the future, facilities management and IT must always remain alert to the latest cyberthreats, and must work together with their software supply chain to help reduce the likelihood of data breaches.