Smart buildings mean new risk challenges. How prepared are you?

In the property industry, you’re no stranger to risk. Managing assets and managing
risk go hand in hand. It was always complicated staying on top of both technical
services and cyber security. Now they’re much more intimately bound together, and it
takes a different, more comprehensive approach to strategic management. The good
news is that the benefits, both long and short-term, are significant.

How well do you know your building?

The built environment has changed. Maintenance, engineering, construction – all of it is
bound together through systems that are, in turn, connected to the internet. Operational
technical assets are linked with IT assets. All this connectivity brings different kinds of
challenges.


The buildings of not-very-long-ago were entirely solid entities – bricks and mortar, steel and
wood, concrete and glass. You could see and touch most of it. But those are not the
buildings we’re dealing with today, even if they appear so to the naked eye.

Behind, above and below the traditional building structure are a host of assets that are out of
sight, out of mind. Some may even exist without your knowledge. Hard technical assets are
often hidden in out-of-the-way places like plant rooms, alleyways and wall cavities. And
virtual services are even less visible.


But don’t let the word “virtual” fool you into underestimating just how real those assets are.
Your building management systems are linked to your virtual networks. Heating, ventilation,
air-conditioning, point-of-sale systems, fire and access control systems, media screens and
web applications can all be access points to each other and various parts of your building
management systems. Furthermore, they’re often set up, run and maintained by different
contractors, each with their own security protocols (or lack thereof) and remote access.

Do you really have the appropriate information and insights about the hard technical and
operational technology (OT) assets that occupy your built environment? Who’s responsible
for identifying outstanding maintenance and repairs, and for proactively identifying critical upgrades?
How are they linked, how do humans interact with them, and where are the possible security
gaps throughout your asset network?


In order to understand your risk profile and plan for future asset management
implementation strategies, you will need a comprehensive audit. This is the first step in the
process, arming you with an inventory and baseline data on all your hard technical and
virtual assets and services within the built environment. It’s the only way to ensure that your
short and long-term capital and operational expenditure forecasts are based on fact, rather
than guesswork. This will allow you to better manage your assets, compliance, safety, risk,
and reliability, given that much of what needs to be managed is not visible.

What you don’t know can hurt you

The only way to make efficient expenditure decisions is to be informed: know what risks you
are carrying, decide what you are prepared to accept, and mitigate against what you’re not.
This is a proactive approach to building management. In the same way that we regularly
update and perform preventative maintenance on visible parts of a building, doing the same
behind the scenes has significant demonstrable benefits, enhancing the value of property
portfolios by making buildings safer, more productive, more energy efficient, more
sustainable, and more comfortable for tenants.


There are very strict codes and standards that must be adhered to when it comes to building
management systems (BMS), HVAC, fire, electrical, plumbing, transportation systems, solar,
safety services, refrigeration and building fabric. The property industry is well versed in
these requirements. We understand the consequences when it’s not done well. And we
cannot afford to be reactive. Ensuring we know exactly what’s going on requires the kind of
expertise and experience that our subject matter experts at Syntric apply to their inspection
of your built environment.


On top of these traditional systems, there are many more that you may not know you have
(for example, surveillance systems or people counters embedded in the ceiling).

Through a detailed audit of the hard technical and operational technology (OT) assets and
services within the built environment, an asset risk profile can be applied to all assets.
Comprehensively interpreting the information from the completed audit will highlight possible
failure points, identify where opportunities may exist to improve productivity, and decrease
costs such as maintenance, energy and insurance.


Furthermore, this enhanced knowledge will allow for more accurate capital expenditure
replacement forecasting, critical upgrades (outdated/inefficient technology) and
reinstatement costs to allow for more accurate budgeting to increase efficiency and
productivity.

Connectivity and Covid-19

Smart buildings have a lot of connectivity (a word you hear a lot these days). Essentially,
everything (refrigeration, phones, lighting, lifts – everything) is connected to the internet. And
that translates to risk. It means you need to protect your building on a cyber, as well as a
physical level.


This connectivity has increased many times over because of the Covid-19 pandemic.
Sixty-four per cent of employees are able to work from home, according to the Gartner
2021 CIO Survey [1]. Connectivity has allowed us to continue to operate. But it also greatly
increases access points to previously invisible assets, and that means more risk.

It’s never been more important to exercise due diligence in protecting your assets. This is
both in the context of acquisition of new assets and in the ongoing management of existing
assets and the heightened risks associated with owning smarter buildings. This serves your
interests of course, but the importance of doing so is reflected in upcoming legislation.
The Federal Government is making changes to the Security of Critical Infrastructure Act
(2018) [2], introducing a “positive security obligation” requirement [3]
for industries in a broad range of sectors (communications; financial services and markets;
data storage and processing; defence industry; higher education and research; energy; food
and grocery; health care and medical; space technology; transport; and water and sewerage).

[1] https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for-2021/


There are many ways to be vulnerable. One of the most prominent threats out there is
ransomware, where malicious actors gain control of your data, encrypt it, and demand
money to restore your access.


The Government’s Cyber Security Industry Advisory Committee says “ransomware has
become one of the most immediate, highest impact cyber threats to Australia … Given the
stakes are so high, organisations need to understand the risks and prepare accordingly,
know what action to take in the event of a ransomware attack and have a clear
understanding of their legal and regulatory obligations. To put it simply, organisations cannot
afford to be complacent.” [4]

Whether through phishing emails (“Your parcel is awaiting delivery. Click here to verify your
address and delivery details”), lack of vigilance when it comes to patching, leaving systems
visible to unknown parties, or even left open for remote access by contractors or off-site
staff, your building can be more open than you currently know.


Smart building connectivity means ransomware can affect not only your data, but also
building management servers that control systems like, for example, lighting and HVAC.

So, how do you mitigate against this? By knowing what you have, how it’s connected, who
has responsibility, and who has access.

You can protect your assets if you know your assets

Physical and virtual asset and services auditing is the first step in strategic asset
management.


The largest security gap is around knowledge. Once you’ve addressed that, you can start
asking and answering the questions that will enable you to plug the rest.

For instance, can your lighting be controlled by someone externally? What are the
operational and financial consequences of that happening? What about your lifts? Can a
malicious actor gain control and trap people there? Can someone gain access to your CCTV
cameras?


You may have had various contractors over the years managing different systems. Perhaps
they didn’t leave you with handover details and passwords, or some of what’s been done is
now out of date. Some systems may have disappeared from view altogether.

A thorough scoping audit requires detailed knowledge of cybersecurity and technology as
well as the skills and expertise required to perform a traditional hard technical asset audit.
Buildings are an interconnected web of systems, so it’s not enough to know cybersecurity
intimately, or operational technology like the back of your hand. You must understand both.

The greatest cost is the one associated with doing nothing

Carrying unknown risk, taking a reactive approach to upkeep, and facing liability for future
failure all come with dollar signs followed by numbers with many zeroes on the end.

However, budgets for cybersecurity in OT are still often much tighter than for IT. According
to Nicholas Lianos, CEO of Syntric and Grosvenor Engineering Group, organisations
allocate up to 30 per cent of their IT budget to cyber security, but rarely anything at all when
it comes to building operating systems. That used to make sense because building systems
were not previously connected to the internet.

Times – and buildings – are different now, but budgets have not caught up.

According to PwC, more than half of the executives they surveyed for their 2021 Global
Digital Trust Insights report are not confident that their cybersecurity spending is in fact
aligned with the risks they face [5]. “Cyber budgets could — and should — link to overall
enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way, but 53%
lack confidence that their current process does this,” says PwC.

So, cybersecurity for OT is just as essential as for IT. However, given the scarce budgets and
resources for cyber security in OT, efficiency to enable high return on investment is more
critical than ever.

Syntric provides a unique marriage in the property industry – expertise in hard technical
services and cybersecurity and virtual systems. When their teams perform a full audit, they
do it all.

They have the expertise and resources to audit all assets, physical and virtual. And they
ensure you have ownership of and access to all the data (which is, after all, yours) in a
meaningful way.

For more information about our strategic audit and management services, contact 1300 678
324 247 or visit www.syntric.io
