by Michael Magee, Director of Managed Services, and Rob Goss, Director of Service Development
Cyberattacks on building systems can have severe consequences, including unauthorized access to sensitive data, disruption of critical services, physical damage, and a risk to life safety. Building compliance regulations are in place to ensure that the design and construction maintain physical safety, energy efficiency, and environmental standards. With the increasing digitization of building systems, oversight organizations have created guidelines and standards to address the cybersecurity risks affecting the digital infrastructure.
It is worth noting that compliance remains a business decision, not a regulation enforceable by government organizations overseeing building design and construction. In fact, legal counsel, risk officers, IT officers, and insurance consultants may be the best advocates for authorizing the needed resources.
Selecting the appropriate standard may take some research. It can be confusing to understand how to apply the various standards and guidelines to commercial real estate (CRE). Throughout the years, different standards and guidelines have been created. Many of the earlier standards, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 2700, were very broad. Eventually, the National Institute of Standards and Technology (NIST) cybersecurity framework was developed with a greater focus on operational technology (OT), especially industrial systems and manufacturing controls. This helped, but how to apply it to an office’s building automation system (BAS) was still unclear. The newest standard is IEC 62443, which was recognized in 2021. This standard specifically looks at the safety, integrity, reliability, and security of control systems, with the flexibility to adapt to many different situations.
Roadmap for Implementing a Cybersecurity Program
Each property will need to review the options to see what standard or guideline best fits the property’s unique conditions. Each standard is unique. However, the implementation roadmap is similar:
Understand the Standards and Guidelines: Review the relevant cybersecurity standards and guidelines or hire a qualified consultant to help identify which standards are applicable. Stay informed about any updates or changes that could be added to the cybersecurity policy.
Risk Assessment: Conduct a thorough assessment to identify potential cybersecurity threats and vulnerabilities within the building’s digital systems, including Internet of Things (IoT) devices, building management system (BMS), and access control systems. This should include both a physical inspection of all critical systems inside the building and a digital scan of the network(s) to document how things are communicating both inside and out to the Internet.
Evaluate and Develop a Cybersecurity Strategy: Evaluate the assessment data to determine the property’s current level of risk and allowable risk tolerance. It may be best to stage the implementation of controls. The allowable risk tolerance will prioritize the security controls you implement. It is worth noting that each level of control or action taken comes at a cost. It is important to determine the best balance between risk tolerance and impact on available resources.
Security Controls: Based on the risk assessment, specific security controls could include network segmentation, firewalls, data encryption, secure authentication, and regular software updates. Policy changes will also need to be communicated to the operations team. It is important that they understand why these actions are taken so they don’t circumvent the work and create additional risk.
Incident Response Planning: Develop and maintain an incident response plan outlining steps to be taken in the event of a cybersecurity breach, including communication protocols, roles and responsibilities, mitigation procedures, and post-incident analysis. Train the operations staff on how to identify potential issues and raise an alert.
Continuous Monitoring and Reporting: Continuous monitoring of building systems for potential cybersecurity threats and policy compliance, with regular reporting of cybersecurity performance to regulatory bodies or stakeholders. The monitoring should be automated as much as possible to avoid errors made through manual reporting.
Compliance Audits and Risk Tolerance Review: Periodic audits to ensure ongoing compliance with cybersecurity regulations, assessing the effectiveness of implemented security measures and identifying areas for improvement. Reviewing the risk tolerance during these audits will help ensure the property is applying the correct level of control based on current business needs and changes to tenants or staff.
Training and Awareness: Emphasis on training and raising awareness among building personnel about cybersecurity best practices, threat recognition, and appropriate response actions. Training and awareness exercises must be scheduled at a frequency that promotes importance and awareness.
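As an added illustration of the roadmap's risk assessment, security control, and automated monitoring steps (example code written for this page, not taken from Intelligent Buildings or from any standard), the following Python program checks a device inventory and observed network flows against a segmentation policy and ranks the findings. The device names, addresses, subnets, severity scores, and policy rules are all constructed assumptions.

```python
"""Automated policy check over a building device inventory and observed flows.
Every name, address, subnet, port and policy value below is constructed for
illustration (an assumption), not data from a real property or standard."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address space
SEGMENTS = {                                        # assumed segment per system type
    "bas": ipaddress.ip_network("10.20.0.0/24"),
    "access_control": ipaddress.ip_network("10.30.0.0/24"),
    "iot": ipaddress.ip_network("10.40.0.0/24"),
}
INTERNET_EGRESS_ALLOWED = {"iot"}                   # assumed: cloud-managed sensors
CROSS_SEGMENT_ALLOWED = {("bas", "iot")}            # assumed: BAS may poll IoT sensors
SEVERITY = {"internet_ingress": 4, "internet_egress": 3, "unknown_device": 3,
            "wrong_segment": 2, "cross_segment": 2}

@dataclass(frozen=True)
class Device:
    name: str
    system: str
    ip: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str

def check_inventory(inventory):
    """Flag devices whose address is outside the segment assigned to their system."""
    return [
        Finding("wrong_segment", dev.name, f"{dev.ip} is outside {SEGMENTS[dev.system]}")
        for dev in inventory
        if ipaddress.ip_address(dev.ip) not in SEGMENTS[dev.system]
    ]

def check_flows(inventory, flows):
    """Flag flows that cross the Internet boundary or a segment boundary."""
    by_ip = {d.ip: d for d in inventory}
    findings = []
    for f in flows:
        src_int = ipaddress.ip_address(f.src) in INTERNAL
        dst_int = ipaddress.ip_address(f.dst) in INTERNAL
        src, dst = by_ip.get(f.src), by_ip.get(f.dst)
        where = f"{f.src} -> {f.dst}:{f.dst_port}"
        # An internal endpoint missing from the inventory is an undocumented device.
        for ip, internal, dev in ((f.src, src_int, src), (f.dst, dst_int, dst)):
            if internal and dev is None:
                findings.append(Finding("unknown_device", ip, where))
        if src and not dst_int and src.system not in INTERNET_EGRESS_ALLOWED:
            findings.append(Finding("internet_egress", src.name, where))
        if dst and not src_int:
            findings.append(Finding("internet_ingress", dst.name, where))
        if (src and dst and src.system != dst.system
                and (src.system, dst.system) not in CROSS_SEGMENT_ALLOWED):
            findings.append(Finding("cross_segment", src.name, where))
    return findings

def report(inventory, flows, min_severity=1):
    """De-duplicated findings at or above min_severity, worst first.
    Raising min_severity models a higher risk tolerance."""
    unique = dict.fromkeys(check_inventory(inventory) + check_flows(inventory, flows))
    kept = [f for f in unique if SEVERITY[f.rule] >= min_severity]
    return sorted(kept, key=lambda f: (-SEVERITY[f.rule], f.rule, f.subject))

# Constructed sample inventory (last entry sits in the wrong segment).
INVENTORY = [
    Device("bms-server", "bas", "10.20.0.5"),
    Device("ahu-controller-1", "bas", "10.20.0.11"),
    Device("door-panel-lobby", "access_control", "10.30.0.21"),
    Device("occupancy-sensor-12", "iot", "10.40.0.112"),
    Device("lighting-gateway", "bas", "10.40.0.7"),
]
# Constructed sample flows; external addresses are from documentation ranges.
FLOWS = [
    Flow("10.20.0.5", "10.20.0.11", 47808),     # BACnet/IP inside the BAS segment
    Flow("10.20.0.5", "10.40.0.112", 443),      # BAS polling an IoT sensor (allowed)
    Flow("10.40.0.112", "203.0.113.10", 443),   # IoT sensor to its cloud (allowed)
    Flow("10.20.0.11", "203.0.113.10", 443),    # BAS controller reaching the Internet
    Flow("198.51.100.7", "10.30.0.21", 80),     # Internet reaching a door panel
    Flow("10.40.0.112", "10.30.0.21", 80),      # IoT device talking to access control
    Flow("10.20.0.99", "10.20.0.5", 443),       # source not in the inventory
]

if __name__ == "__main__":
    for f in report(INVENTORY, FLOWS):
        print(SEVERITY[f.rule], f.rule, f.subject, f.detail)
```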
The new cybersecurity compliance standards for buildings mark a major step forward in protecting modern infrastructure from the increasing risk of cyberattacks. By understanding and applying these standards, building owners and operators can strengthen the security of their digital systems, safeguard sensitive information, and maintain the safety and functionality of their properties.
While adjusting to these new requirements may initially demand time and resources, the long-term advantages of a secure, compliant building far outweigh the upfront costs. Achieving this won’t happen overnight—change takes time and investment. Developing an implementation roadmap that addresses the topics above can help prioritize actions and align efforts with risk tolerance reduction. With a well-structured plan, organizations can effectively navigate the complexities of building cybersecurity and shield their operations from future threats.
Designing a smart building from the ground up to protect WarnerMedia’s mission-critical, building, operational, and human capital investments at 30 Hudson Yards.
Overview
As a media company that provides broadcast and on-demand programming globally, WarnerMedia’s mission-critical services require industry-leading operational infrastructure. With leases on two million square feet of property expiring in 2019, Steve Lefkowitz—WarnerMedia’s longtime Vice President Global Facilities Management—also needed to meet a directive to reduce WarnerMedia’s real estate portfolio. WarnerMedia’s solution was to create a new headquarters at 30 Hudson Yards by purchasing 1.1 million square feet of office condominium space that would allow WarnerMedia to develop and own the infrastructure within its office space. This let the company retain control over its building control and information technology (IT) systems, ensuring it could deliver the necessary caliber of performance to support the mission-critical infrastructure to run its media operations.
From the start, Lefkowitz believed that Smart Building technologies would be integral to the long-term success of the building and began exploring products and their benefits. However, neither Lefkowitz nor WarnerMedia had experience in designing smart buildings, and they turned to Intelligent Buildings, LLC (IB)’s smart building technology experience to assist in achieving their operational goals. IB consultants worked with WarnerMedia from the initial planning phase to the commissioning of smart building systems. WarnerMedia also prioritized bringing its operational technology (OT) security in line with its IT standards. IB worked with WarnerMedia and manufacturers to increase the security of critical building control devices to meet the high IT security standards. The resulting smart building solution leverages the capabilities of a master systems integrator (MSI) to integrate the diverse secured building control systems, such as lighting, metering, critical power management system, and building automation system (BAS), into a remotely accessible universal dashboard to optimize operational cost and occupant experience in the building while managing operational risk.
Designing a media headquarters for the next 20 years
Consolidating NYC division locations into one building
WarnerMedia, with its CNN, HBO, Turner, and Warner Bros. divisions, occupied seven buildings across New York City (NYC) by the mid-2000s. With two million square feet of property due to expire at the end of 2018, Lefkowitz and the facilities management (FM) team had a directive to reduce WarnerMedia’s NYC real estate portfolio. After conducting an extensive discovery process and employee surveys, WarnerMedia announced its plans to consolidate the offices into one building as the anchor tenant at 30 Hudson Yards—one of the 16 towers in the largest private real estate development in U.S. history—on the west side of NYC. This consolidation into a single headquarters centralized operational resources and reduced WarnerMedia’s real estate footprint by one million square feet.
Identifying building operational and environmental requirements
WarnerMedia’s move to a single office space brought over 5,000 employees from corporate operations and the CNN, HBO, Turner, and Warner Bros. divisions into the same building. As a media company, these entities have unique operational demands for broadcast and on-demand services and rely on five-nines (99.999%) reliability, allowing only 5.26 minutes of downtime per year. To meet these demands, WarnerMedia’s offices developed their own OT and IT systems to ensure performance goals were met.
In addition to infrastructure efficacy and reliability, WarnerMedia aimed to provide a modern office environment that would promote collaboration, comfort, and employee well-being. Previously, WarnerMedia’s offices were split evenly between open and enclosed office layouts, but the new headquarters would feature 83% open office layouts. “We really looked at how we can create spaces where people don’t have to look at their desk or office as their home base,” said Joel Brenner, Vice President and Head of Global Project Management. This shift included over 300 collaboration and meeting spaces, an abundance of whiteboards, and private telephone rooms. The open office layouts would also deliver more light to tenants and provide a comfortable, residential feel.
Incorporating smart building concepts from the start
Lefkowitz felt that smart building technologies should be a fundamental component of modern buildings. Not only do smart buildings help achieve the designed building performance, but they also act as long-term investments that provide an enhanced experience for employees while reducing operating and energy costs for years to come. WarnerMedia’s approach made it possible to design a smart building in NYC from the ground up with the future flexibility to develop an industry-leading solution as space requirements evolve.
While the FM team had an idea of the outcomes they wanted for the new headquarters, they faced multiple challenges. These challenges included identifying the key smart building capabilities necessary for use cases, navigating available technology options, and approaching decision points required for implementing the desired system. To navigate these challenges, WarnerMedia engaged IB based on their experience with smart building use cases, strategies, business cases, design and alignment, and commissioning. IB’s work began with developing the smart building use cases and their associated business cases. This extended to joining the design team to align the architect; the mechanical, electrical, and plumbing (MEP) engineers; and vendors around those use cases, to ensure that the other trades included the smart building requirements and configurations for the integrated solution, and to align the smart building systems with WarnerMedia’s stated business objectives.
Defining high-value smart building use cases and building technology cybersecurity
Supporting smart building use cases with proven strategies
As the design of the smart building platform (SBP) began, the company looked to IB for end-to-end guidance throughout its journey. IB collaborated with key WarnerMedia stakeholders to develop functional use cases focused on establishing or improving operational and business-based outcomes. The project team proceeded to determine and prioritize the identified capabilities of its SBP, including integration points to ancillary systems such as its conference room scheduling software and cloud-based computerized maintenance management system (CMMS).
With IB’s guidance, WarnerMedia was able to focus on high-value use cases that aligned with its business objectives. Given the scale of the project and the reliability requirements, WarnerMedia preferred a system comprised of proven enterprise technologies and platforms that could extract data into a single, user-friendly dashboard for quick analysis and data-driven decisions.
IB assisted WarnerMedia in working backward from its defined goals to build out each use case and began the process of educational and alignment meetings for key stakeholders. These meetings led to WarnerMedia’s corporate headquarters strategy documents and design guidelines, which incorporated requirements across a diverse stakeholder group to include architects, engineers, and contractors. IB applied its proven methodology for validating the behavior, reliability, and interoperability of smart building technologies to begin identifying potentially beneficial technologies for WarnerMedia’s SBP.
Developing the smart building platform for 30 Hudson Yards
The SBP envisioned by WarnerMedia and developed by IB would have several components working to prioritize building performance, operational efficiency, and healthy tenant experience. To enable precise building controls, the BAS, HVAC, and lighting systems are converged by an MSI running the Niagara platform and using the DGLux building visualization platform to create a universal dashboard. With the unified platform, the FM team can trend and monitor building performance; control the BAS, HVAC, lighting, metering, fire alarm, and critical power systems; and monitor mission-critical technical equipment. However, the platform is not limited to these monitoring and control functions. The MSI approach also connects to a fault detection and diagnostics (FDD) system, CMMS, and business scheduling system to give the FM team the tools to optimize operations.
With the Smart Building Strategy finalized, WarnerMedia looked to IB to act as the company’s representative and advisor in bringing the system online. This process began with translating the strategy into architectural and engineering specifications, followed by contractor selection, product procurement, equipment installation, and commissioning. IB met with architecture and engineering firms to align and educate team members on the Smart Building Strategy—in particular, the design requirements of the secure converged corporate network.
Smart building use cases focused on high-value solutions
IB provided Use Cases that aligned with WarnerMedia’s business objectives. These solutions included:
When a conference room is reserved, the room is pre-heated or cooled based on the next reservation time to improve occupant comfort.
Automated risk avoidance sequences, such as if a chiller fails in the HVAC system, preprogrammed sequences divert remaining cooling and power resources to mission-critical infrastructure by lowering power and cooling demand in less critical areas throughout the building.
Automatic responses to utility load shedding requests, reducing electricity load to a predefined level and using the building’s gas generators to provide supplemental power.
Enabling the FDD system to automatically generate work orders in the CMMS.
Traditionally, OT and IT have had opposing priorities with regard to communication and security requirements. OT systems prioritized data availability throughout the network over its confidentiality to ensure that systems can interact with each other in milliseconds. This ensures a quality occupant experience, such as having lights turn on quickly in response to occupancy sensors. IT traditionally prioritizes information confidentiality over availability, such as ensuring the security of credit card data instead of its ready availability within a network.
As a result, current OT systems are more vulnerable to compromise compared to IT networks. As few OT systems have been designed for security, raising OT device security to meet IT security standards is a monumental effort, a challenge that commercial building owners have rarely taken on. WarnerMedia’s approach acknowledged 30 Hudson Yards as a potential high-profile target for both internal and external security threats and placed the appropriate value on OT security as it did IT security. For more information on the OT Cybersecurity efforts in relation to 30 Hudson Yards, please reference IB’s cybersecurity-specific case study on the project.
Realizing the benefits of smart building automation at WarnerMedia
Aligning network integration processes and commissioning systems
Construction of WarnerMedia’s new headquarters at 30 Hudson Yards began in 2014 and currently holds an occupancy date of March 2019. As the smart building infrastructure began installation, the engagement of IB’s resources provided WarnerMedia the assurance that each problem or question would be quickly and accurately resolved. Communication between IB and WarnerMedia maintained process alignment and project status. As the smart building installation came to completion, IB’s work shifted to validating components of the SBP.
Bottom line, risk avoidance, and environmental health benefits
Enabled by WarnerMedia’s decision to develop an integrated strategy and solution, the smart building systems unified by the MSI platform increase energy efficiency by reducing light levels when sunlight is present and turning off unnecessary lighting and HVAC resources, such as in unoccupied spaces. They also optimize building performance by leveraging the FDD software to automatically create work orders. For WarnerMedia, this means that the FM team no longer reacts to employee complaints of burned-out lights or uncomfortable temperatures, but instead can proactively address building system issues using actionable data. This saves time, avoids energy waste, and keeps equipment running optimally.
OT systems converged on the corporate network also allow building control systems to interact with external systems. The mix of use cases that guided the selection and design of WarnerMedia’s SBP provides building system capabilities to react automatically to changing conditions within the building while reducing operational costs and enhancing the occupant experience.
Inspiring an industry by taking smart buildings to a larger scale
By integrating smart building strategies from the beginning and prioritizing OT security, WarnerMedia brought industry-leading smart building technologies and security to a larger scale. Through IB advisory services, the enablement of ongoing organizational alignment, and a vision of data-driven operations in the building and FM team, Lefkowitz was able to bring together architects, structural engineers, control system vendors, IT teams, and data center engineering teams to provide a robust, cost-saving, and highly transparent smart building solution. The selected use cases provided a guidepost to the combined 50,000 data points merged into the unified MSI platform that can deliver continuous commissioning of building systems at a granular level to keep the WarnerMedia headquarters running optimally for decades to come while enhancing the occupant experience and managing operational risk.
If you have ever walked into a building where nothing is broken but performance is still disappointing, you already understand this. Modern buildings are not single systems; they are systems of systems:
Physical systems
Digital systems
Human systems
Organizational systems
Each can function reasonably well on its own, but performance depends on how well they interact.
Where Value Is Actually Lost
In my experience, most value erosion in buildings does not come from catastrophic failure. It comes from friction at the interfaces.
Property teams control building systems, but IT influences how those systems are connected and secured. Asset management carries the performance mandate, but does not always have direct control over the operational levers required to deliver it. Energy targets conflict with comfort concerns. Security protocols are designed to reduce risk by controlling access to systems and spaces.
But in an emergency, speed matters more than control. If override procedures are unclear, or if authority is not well understood, response can slow at exactly the wrong moment. Operators hesitate, actions are second-guessed, and access that is normally restricted becomes a barrier.
The system is doing what it was designed to do; it’s just not aligned with the conditions of the moment. No one decision is wrong, but collectively, the system slows down. Operators become cautious. Conservative settings become permanent. Optimization is postponed. Drift becomes embedded.
I saw this in a downtown office tower where energy targets were tightly managed. The system was performing efficiently on paper, but tenant comfort complaints were rising. Adjustments required coordination across property management, engineering, and energy teams. No one was clearly accountable for making the trade-off. Over time, settings were left untouched. The building became stable but not optimized.
Markets do not punish complexity. They punish unmanaged complexity.
Technology as Operating Infrastructure
One of the shifts commercial real estate (CRE) organizations are still absorbing is this: Technology is no longer an add-on. It is operating infrastructure.
If your building automation system (BAS), network architecture, remote monitoring platform, or access control system goes down, operations are affected immediately. We would never accept unreliable elevators, but we often tolerate fragile digital architecture.
That gap introduces operational risk. In the same way that mechanical systems require maintenance, redundancy, and clear ownership, digital systems now require the same level of discipline. The difference is that many organizations have not yet fully aligned their operating models to reflect that reality.
The Abandonment Pattern
There is a pattern I have seen repeatedly: A sophisticated platform is deployed, dashboards are built, analytics begin surfacing insights…then something shifts.
Alerts overwhelm operators. Context is missing. Decision rights are unclear. Trust erodes. The system is gradually ignored.
In one office portfolio, advanced fault detection was deployed with strong early engagement. Over time, alert volume increased, ownership was unclear, and governance never fully matured. Operators began filtering alerts rather than acting on them. The system remained in place, but its influence on decisions steadily declined—not because it was wrong, but because it increased cognitive load without increasing confidence.
Good systems get abandoned when organizations are not aligned to absorb them. This is not a technology failure; it’s an integration failure.
Cyber and the Worst Day
This abandonment becomes most visible on the worst day. Cyber incidents in real estate rarely begin as dramatic headlines. They often begin quietly:
Loss of system control
Inability to adjust schedules
Uncertainty about safe intervention
Access control behaving unpredictably
On that day, what matters is not whether you installed the latest tool. What matters is:
Visibility
Control
Tested fallback procedures
Clear accountability
Resilience is a design choice. It is also a governance choice.
The System Above the Systems
In my last article, I wrote that technology does not create risk in buildings. It exposes it.
This article is the companion idea. Buildings do not underperform because systems fail. They underperform because the system above the systems is not defined.
How do decisions get made?
Who owns the outcomes?
How are conflicts resolved?
How do signals translate into action?
When these elements are unclear, even well-designed buildings begin to drift.
At Intelligent Buildings, much of our work sits in that space. Not just whether systems are secure, but whether they are operable under stress. Whether cyber controls align with emergency response. Whether organizations can act with confidence on Day Two, and on the worst day. Because in modern real estate, performance is not determined by any single system. It is determined by how well the entire system works together.
Technology is often blamed for introducing new risks to commercial real estate (CRE), but I have come to believe the opposite. Technology rarely creates new risks in buildings. It mostly exposes risks that were already there.
Many conversations in the CRE industry still begin in the wrong place. They start with tools: platforms, artificial intelligence, dashboards, smart buildings, and the newest digital solutions promising to transform operations. But the real issue is not technology; it is visibility. Anyone who has spent time owning and operating buildings learns something quickly: Technology does not change the basic economics of CRE. What it changes is how clearly and how quickly those economics reveal themselves.
The right starting point for a technology conversation is not software. It is the question of how buildings create value and how organizations manage them once they are delivered. CRE has always created value in consistent ways. Income must be stable and durable. Operating performance must be disciplined. Investors must have confidence in the future of that income. And risk must be understood and managed. Those fundamentals have not changed simply because buildings have become more digital.
How Capital Value Is Really Judged
When investors evaluate CRE, they rarely focus solely on the income an asset produces today. What matters far more is the durability of that income over time. Capital value ultimately reflects confidence in the asset’s future performance.
Buyers, lenders, and investors are constantly evaluating three things:
Quality of the income stream
Potential for that income to grow
Level of risk surrounding the income stream
A building that delivers predictable operating performance, satisfied tenants, and stable cost structures produces income that markets trust. Another asset may generate the same rent on paper but show signs of operational volatility, tenant dissatisfaction, or unexplained cost variation. In that case, the income begins to look fragile.
Growth potential matters as well. Buildings that support tenant retention, operational flexibility, and evolving tenant needs suggest that income may strengthen over time. Buildings that appear rigid or difficult to operate suggest the opposite.
Risk sits over all of this. Uncertainty around building performance, tenant experience, energy costs, or operational reliability can quickly widen cap rates.
Capital markets are not simply pricing income. They are pricing confidence. However, technology did not create these dynamics. It just makes them easier to see.
The Collapse of the Quiet Period
For many years, there was, as operators sometimes describe it, a quiet period after a building opened. A project would be delivered, tenants would move in, and the building would gradually settle into operations. It often took years for deeper operational issues to surface. Energy inefficiencies gradually appeared in utility bills. Comfort complaints accumulated gradually. That quiet period has largely disappeared.
Modern buildings now produce continuous operational feedback. Comfort patterns emerge quickly. Energy anomalies become visible almost immediately. Utilization data can begin challenging leasing assumptions within months rather than years.
None of this makes buildings more fragile. It compresses the feedback loop between how a building performs and how quickly people know about it. Technology did not introduce volatility into buildings. It introduced transparency. Once those signals exist, ignoring them is no longer passive. It becomes a decision.
Where Operational Truth First Appears
Property managers sit closest to the operational reality of the asset. They see friction early and hear about problems first. They recognize when systems begin drifting away from design intent. There are several signals that typically appear first in the everyday world of property management:
Comfort complaints
Service requests
Energy anomalies
Equipment alerts
Tenant behavior
Property managers are doing more than maintaining buildings. They are stewards of the owner’s investment thesis.
Every asset is acquired or developed with a narrative about how it will create value. Property management is where that narrative meets reality every day. If operations support tenant experience, cost discipline, and reliability, the investment thesis holds. If operational friction accumulates, the thesis begins to weaken long before income declines. Technology has amplified this dynamic by making operational signals far more visible. But visibility alone does not create value.
When Visibility Meets Organizational Reality
When systems surface something early—an energy anomaly, a comfort pattern, or a utilization mismatch—the real question quickly becomes organizational rather than technical: Is anyone structured to respond?
In many CRE organizations, the data exists. Dashboards exist. Analytics exist. But clarity about what happens next is often missing. Decision rights may be unclear. Operational teams may hesitate to intervene. Asset managers may see the signal but lack context.
I saw this clearly when my team launched fault detection and diagnostics (FDD) across a portfolio of retail and office assets. We paired the technology with a managed service approach so sites could interpret alerts and identify opportunities. As the program matured, differences across properties became obvious. Some sites quickly embraced the insights, adjusting controls and correcting faults. Others acknowledged the information but struggled to translate it into action.
One moment stood out: Nearly six months after launch, an operational manager wrote to say how helpful the system had been in identifying a particular issue. The feedback was genuine, but our managed service lead pointed out that the same recommendation had been raised repeatedly for several months without any action. The technology had been working the entire time and the opportunity had been visible. What differed was the organization’s readiness to respond.
Visibility Only Reduces Risk If Someone Acts
Technology in CRE is less about tools than about operating infrastructure. Its real contribution is feedback. Digital systems shorten the distance between cause and effect. They make it easier to see how a building behaves and why its performance changes.
But earlier visibility only reduces risk if someone is prepared to act on what is being revealed. That requires property managers who understand the signals in front of them, asset managers who can interpret those signals within the broader asset strategy, and owners who recognize that operational capability is just as critical to value creation as capital planning or leasing strategy.
Technology did not make buildings riskier. It simply removed the delay between performance and awareness.
IntelliNet Managed Services
Much of the work we do at Intelligent Buildings sits in the space between visibility and action. Owners and operators increasingly have access to powerful technology and data. The real challenge is turning those signals into operational decisions that improve performance.
Our focus is on helping organizations interpret what their buildings are telling them and translate those signals into practical actions that strengthen operating performance, reduce risk, and support the long-term durability of income.
Technology alone rarely creates value. When paired with operational alignment and clear decision-making, it can help organizations improve asset performance much earlier in the life of a building.
Are you getting the most from your operational technology (OT) vendor service contracts or are your vendors doing the same work year after year? Renewing service contracts can often feel like a routine task, yet they can influence the operational efficiency and security of your properties. Are the tasks and responsibilities in the current renewal being updated to align with current goals and the updated policy, or is the vendor just presenting the previous contract at a higher rate? As your tenants’ expectations grow and operating budgets shrink, it is crucial to maximize every dollar spent. This includes ensuring your service contracts keep pace with current best practices and adapt to meet the unique conditions of your property.
At Intelligent Buildings, we’ve seen checklists prove effective in keeping your property management systems efficient, secure, and tailored to your requirements. These checklists facilitate negotiations by aligning goals across vendors and systems, enabling swift evaluation of their ability to support critical property operations safely and securely. Your property may already have a checklist that includes established key performance indicators (KPIs) and service-level agreements (SLAs).
This existing format can be extended to encompass proactive service measures, operational resilience support, and adherence to the property’s cybersecurity policies.
The outsourcing of OT services requires a vigilant assessment process to ensure that contracted firms align with your property’s operational objectives and security mandates. Every property manager should approach service contracts with a goal-driven mindset, seeking not just to fulfill immediate operational needs but to secure long-term asset value. This article provides examples of key considerations that can be added to any service contract to support operational efficiency.
1. General Topics
From site visits to equipment lists, ensure you have a comprehensive understanding of what is covered, how the service provider handles sensitive data, and the procedures that impact service delivery.
Here are some examples:
A device inventory detailing maintained equipment, noting any exclusions or restricted services.
Schedule for replacing computers, servers, and network equipment, and a clear protocol for the destruction of devices and data.
Requirement to return all property-related information upon request.
Reveal any electronic account-related data stored on servers, cloud, or portable media.
2. Service Delivery
Define clear service-level standards and expectations to avoid confusion and ensure your vendors know exactly what is expected of them.
Examples of these are:
Response times by issue type: Two hours for major issues, four hours for after-hour issues, and the next business day for minor issues, etc.
Rate sheet in the contract detailing costs for weekend, after-hours, and non-contract work.
Requirement for service providers to schedule required maintenance visits to prevent coverage lapses.
List of tasks that are meaningful to property operations.
Annual obsolescence reports for devices, controllers, or software that may become obsolete, discontinued, or unsupported.
3. Cybersecurity
With the increasing interconnectivity of building management systems (BMSs), securing your OT systems is not negotiable. Your checklist should include rigorous cybersecurity standards to safeguard against vulnerabilities.
Some examples are:
Maintain and periodically audit a user list and their access levels.
Securely back up, maintain, patch, and update all software, firmware, and operating systems, clearly noting any exceptions.
Provide annual end-of-life reports for any devices, controllers, or software that may become obsolete or unsupported.
Notify the owner in writing immediately upon discovery of any cybersecurity breach affecting system confidentiality, integrity, or availability.
4. Contracting Workflow
Implement best practices that integrate the vendor’s work into your team’s current operations, ensuring every contracting process supports your strategic objectives.
Some examples include:
List of team members who will be working on the project and escalation paths.
Property Managers, supported by their company’s cybersecurity program or lead IT administrator, should determine the most relevant elements for their needs and discuss these with the service provider.
All new and renewal OT system service contracts must be reviewed by the company’s IT department or an approved cybersecurity partner to ensure compliance and security.
A structured OT Vendor Checklist not only guides property teams in making informed vendor selections but also empowers them to assertively challenge and negotiate service contracts. This proactive involvement is essential in managing a variety of service contractors, each with its unique delivery methods and service standards, to mitigate operational risks effectively. In conclusion, a well-implemented OT Vendor Checklist is more than just a procedural requirement; it is a strategic asset that enhances operational efficiencies and fortifies the security posture of your properties. By taking control of your service contracts, you’re not just managing properties—you’re enhancing value and securing peace of mind.
The Smart Building Journey
Since 2004, Intelligent Buildings has been supporting commercial building portfolios. Please reach out directly to discuss developing your own OT Vendor Checklist or any other challenges you may be facing with your properties.
We will meet you wherever you are on your smart building journey.
Intelligent Buildings (IB)’s strategic guidance and innovative solutions flipped a mid-construction office tower in a new market into a smart building worthy of showcasing Stiles Corporation’s innovation capabilities.
Overview
In 2022, Stiles Corporation (Stiles) in partnership with Shorenstein Properties (Shorenstein) embarked on an ambitious project: positioning its newest building in Charlotte, 110 East Blvd – Charlotte, as a beacon of smart building innovation. Devon Newton, RPA, LEED GA, VP of Property Management, spearheaded the project with a goal to address operational and tenant needs through future-driven technology. However, technology had changed at an alarming rate over the past few years and Stiles needed a partner to provide the necessary strategic technological oversight to achieve Stiles’ vision for the project.
The combination of IB’s deep advisory background and IntelliNet Managed Services helped Stiles set itself apart from a traditional approach, addressing Stiles’ needs today and well into the future. This case study explores how Intelligent Buildings (IB) acted as a strategic guide, enabling Stiles to achieve its goals for 110 East, streamlining costs, and gaining recognition as the “Most Intelligent Office Building” in 2024 by Realcomm Events | IBCon.
Background
Stiles, founded in 1951, has a rich history of pioneering large-scale developments in the Southeast, notably shaping Fort Lauderdale’s skyline in Florida. The company expanded its footprint into Charlotte in 2012, continuing its legacy of excellence under the leadership of Ken Stiles. Their mission, “Invest. Build. Manage,” underscores their reputation for quality and innovation. Newton, newly relocated from Florida to Charlotte in 2023, was tasked with expanding Stiles’ real estate portfolio in the Southeast.
Her success with 110 East would be pivotal in solidifying Stiles’ reputation in the region.
Their co-owner and partner for the 110 East project, Shorenstein, was founded in 1946 and invests in office and mixed-use properties across the U.S. They approach real estate as a dynamic business, seeking to address ever-changing tenant requirements and technological innovation. 110 East is their fourth property in the Charlotte market.
Challenge
Newton arrived to find the 110 East development project already in motion, but building technology had changed rapidly since the start of the project and was continuing to accelerate. Strategic technological oversight would be necessary to complete this development successfully and to build out Stiles’ reputation in this new market. Newton sought to achieve a technology-driven future while addressing operational and tenant needs post-construction; however, she needed a partner to help interpret her intuition into action. Key challenges included changing outdated approaches, filling knowledge gaps, addressing budget concerns, finding local resources, and balancing goals.
Solution
IB’s structured, expert-driven approach helped Newton make informed decisions and laid the groundwork for effective building management. IB first conducted a design review, which outlined where Stiles could adjust their operational expenses to save over $1,900 per month. Through this early, results-driven engagement, IB’s guidance grew to encompass strategic contract negotiations and operational planning. At IB’s advice, Stiles reexamined contract language and aligned specifications with long-term operational goals, which ultimately aligned the vision of the building’s functionality with the delivery of the project. IB also helped right-size an ISP contract, reallocating key valuable resources for infrastructure investment, including the network equipment that was previously absent. This allowed for more flexible budget adjustments as Newton shifted funds between operational and construction scopes. Finally, IB worked with Stiles to introduce a structured governance process for technology delivery that clarified roles, responsibilities, and early decision tracking.
Newton’s decision to work with IB was secured through trust, early results, and the fact that IB leans in regularly as a partner, even before broader contract support. “IB’s guidance was pivotal in turning potential setbacks into strategic wins,” said Newton, recognizing both that the key technology issues were being addressed and that IB’s broader approach to engagement focused on the overall success of Stiles’ business, rather than solely on technology services. Based on IB’s performance in this engagement, Stiles trusted IB to launch IntelliNet Managed Services at 110 East. This collaboration offers top-notch cybersecurity and post-construction support, extending beyond the traditional IT services necessary for contemporary commercial buildings. “The amount of technology in the building and its associated integrations are intricate,” Newton said. “Intelligent Buildings was hired to manage our digital infrastructure and operational technology, giving us peace of mind through operational up-time and protection from cyber-attacks.”
Results
The 110 East project is showcased in media articles, building tours, and industry engagements, bolstering Stiles’ brand as an innovator in the market and positioning Stiles to grow its business as planned. With IB’s guidance, Newton’s and Stiles’ sophisticated and timely expertise contributed significantly to these milestones for 110 East:
Accolades: At the 2024 RealComm | IBCon conference, the building received the title of “Most Intelligent Office Building,” an award that recognizes performance capability rather than just design.
Cost Savings: Stiles improved operational efficiency, saving $24,000 annually by adjusting the bandwidth, which provided more funding to effectively deliver the riser and network infrastructure and services necessary to meet the building’s commitments to tenants and co-owners.
IntelliNet Launch: Newton and Stiles trusted IB’s performance, making it an easy choice to embrace IB’s IntelliNet Managed Services.
Lessons Learned
Early Expert Involvement: Strategic early involvement of technology experts can transform commercial real estate (CRE) projects into industry-leading showcases, positioning your building for long-term success and recognition and preventing costly changes later.
Structured Governance: Defining clear roles and processes at the start of the project facilitates smoother project management and execution.
Comprehensive Planning: Looking at the entire project and its goals up front ensures a robust outcome. This includes defining use cases, integrating cybersecurity plans, etc.
Internal Goal Focus: IB’s guidance and partnership-driven strategy look beyond the obvious technology problems that its services deliver and focus on understanding the nuances and maturity of real estate organizations that are embracing technology in complex environments.
Future Outlook
With 110 East now a flagship example of smart building success, Stiles is well-positioned to leverage this achievement for future projects. Recognition at RealComm | IBCon was just the beginning of its smart building journey. The true impact was seen in enhanced operational efficiency and in positioning Stiles as an innovative leader. Ultimately, the market will decide on how to embrace the new opportunities that smart buildings like 110 East provide.
As the industry evolves, IntelliNet’s potential as The Fourth Utility®—essential for seamless building management—continues to grow, reinforcing the importance of intelligent infrastructure for modern CRE portfolios.
by Chad Andre, Practice Lead of Technical Consulting
In commercial real estate (CRE), effective vendor selection and management are crucial for keeping projects on track and aligned with organizational goals. While technology plays a significant role in modernizing these processes, the true value comes from how well this technology is configured and utilized to simplify and streamline operations. By focusing on efficiency and simplicity, technology helps make vendor management more straightforward and ensures it aligns seamlessly with your strategic objectives.
Why Simplification Matters in Vendor Management
Ease of Decision-Making: The right configuration of technology can cut through the complexity of vendor selection. By automating evaluations and offering clear, data-driven insights, it simplifies decision-making, allowing you to identify the best vendors quickly and confidently, reducing the burden on your team.
Reducing Administrative Overhead: Managing vendors often involves repetitive tasks and significant paperwork. Properly configured platforms automate much of this—tracking compliance, managing contracts, and more. This not only saves time but also minimizes errors, making the entire process more efficient and less cumbersome.
Centralized Information Management: One of the biggest challenges in vendor management is dealing with fragmented data across different systems. Technology, when properly configured, centralizes this information, providing a single, up-to-date source of truth that’s easily accessible. This centralization simplifies operations and ensures that all relevant data is at your fingertips when needed.
Key Strategies for Streamlining Vendor Management with CRE Technology
Focus on Core Criteria: Effective use of digital tools helps filter and rank vendors based on essential criteria like compliance, financial stability, and performance history. By concentrating on these key factors, you can streamline the selection process and make decisions more efficiently.
Automate Routine Tasks: Automation is essential for streamlining vendor management, but it’s the specific configuration of these tools that determines their effectiveness. By automating routine tasks such as compliance checks, contract renewals, and performance tracking, technology reduces the workload on your team, allowing them to focus on more strategic activities.
Standardize Processes: Developing standardized digital templates for Requests for Proposals (RFPs), contracts, and evaluations within your technology platform ensures consistency across projects. These templates can be easily adapted for specific needs, reducing time spent on administrative tasks and enhancing the overall efficiency of your processes.
Pilot and Scale: Before fully committing to a vendor, test their capabilities through pilot programs. Using project management tools to monitor these pilots in real-time provides insights that help you scale vendor relationships confidently and with minimal risk.
Continuous Improvement Through Feedback: Configuring feedback loops within your integrated communication platforms allows for regular, structured reviews. This simplifies the process of gathering feedback from vendors and internal teams, making it easier to identify areas for improvement and ensure your vendor management process remains effective and responsive to change.
Embracing CRE Technology for Streamlined Operations
CRE technology is not just a tool for managing vendors. It’s a way to simplify and optimize the entire process. The true value lies in how well this technology is configured and utilized. By focusing on core criteria, automating routine tasks, and centralizing information, CRE teams can manage vendors more effectively. This streamlined approach reduces costs, improves efficiency, and strengthens vendor relationships, ultimately leading to better project outcomes. In today’s competitive environment, adopting a well-configured, technology-driven approach to vendor management is not just beneficial—it’s essential.
Leadership in today’s era of technology, as well as AI, is often misunderstood.
It is not about having all the answers, selecting the perfect platform, or executing a flawless transformation plan. For most asset managers, facility leaders, and IT teams, the real challenge is knowing where to begin when the landscape feels complex and the stakes feel high.
Across commercial real estate (CRE), leaders understand that technology is no longer optional. Yet many hesitate to act—not out of resistance, but out of a desire to avoid making the wrong decision.
The sheer volume of data, analytics, AI capabilities, smart building tools, and aging infrastructure—without the right mindset—can quickly become technology debt. That accumulation often creates a fear that none of it will ever pay back at scale.
In practice, the opposite is true: Embracing complexity through discipline liberates us to achieve outcomes more rapidly.
Progress Takes Time
Progress in building technology is not a sprint. It’s a marathon defined by small, deliberate steps taken over time—each one worth acknowledging. The leaders who succeed are not those who wait for perfect clarity, but those who lower the bar for starting, commit to learning as they go, and embrace the complexity of the three-legged stool: people, process, and technology.
This is one of the most important leadership shifts in modern CRE operations. Rather than pursuing immediate, portfolio-wide transformations or demanding instant returns on investment, effective leaders focus on establishing proof of value. They begin with clearly defined use cases aligned to specific operational needs and allow early wins to build confidence and momentum. Consider a few examples:
Facility managers often start by implementing automated fault detection and diagnostics (FDD) in a single building. The objective is not sophisticated dashboards, but practical outcomes: reduced downtime, fewer emergency repairs, and more predictable maintenance. This step is most effective when paired with a solid computerized maintenance management system (CMMS) or integrated workplace management system (IWMS), ensuring insights translate into action.
Asset managers may begin by applying AI-driven occupancy and utilization analysis across a small segment of the portfolio. This is an area where AI has shifted the paradigm. A common misconception is that these insights require deploying new sensors throughout a building. The field of human mobility analytics has matured, and per-occupant metrics are now viable at scale. These tools can reveal patterns that improve tenant satisfaction and retention, often without installing a single sensor. In many cases, occupants already carry powerful data sources with them every day through their mobile devices.
Still, data alone does not create outcomes. Teams must clearly define the problem to be solved and establish the right processes around it. One of the most common missteps is relying solely on per-square-foot energy metrics. An energy-efficient, low-occupancy building on a Friday afternoon may look successful on paper while quietly eroding net operating income (NOI).
IT leaders often begin by applying familiar information technology (IT) principles to operational technology (OT) environments. Yet it is still surprising how often organizations do not know what technology exists within the four walls of their buildings. Here again, AI has changed what is practical. It is now possible to continuously inventory technology assets from network switches and wireless access points to variable air volume (VAV) boxes and chillers. Knowing what is connected, and who or what is connecting, allows IT leaders to treat OT with the same rigor as IT, reducing risk and improving control. Talk about making the asset manager happy!
Starting with a single building enables these discoveries to occur in a controlled, scalable way. It also opens new conversations between IT leaders and asset managers, particularly around risk reduction, and—in some cases—opportunities to lower insurance costs.
The common thread in each of these examples is restraint and discipline, grounding smart building initiatives on a solid footing rather than chasing complexity for its own sake.
Wherever the journey begins, it should begin small. But it should not be framed as a technology pilot. (That is my least favorite word in all of smart buildings!) A pilot implies uncertainty and impermanence. Instead, these initiatives should be treated as proof of value—deliberate investments in learning, capability, and confidence. Without engaging people and establishing discipline through process, even the most advanced technology can quietly (and quickly) become debt.
Perfection Is Not The Goal, Progress Is
Embracing technology as a strategic asset does not require expertise on day one. It requires commitment to continuous improvement. Each step forward, no matter how modest, creates clarity that waiting never will.
The CRE leaders who will define the next decade are not those who waited until they felt ready. They are the ones who moved forward, learned in motion, and brought their organizations with them.
You do not need to be amazing to start, yet you can start to become amazing.
As the new year begins, many of us reflect on how to improve our lives—better health, less stress, smarter habits. Yet research shows that only 10% of people stick to their resolutions. Why? Because success requires intentionality, focus, and clear steps.
This truth doesn’t just apply to individuals; it’s equally relevant in the business world. For real estate owners, 2026 presents an opportunity to reset and resolve to meet the evolving needs of tenants, address market challenges, and position assets for success. The question is: Will you be among the 10% who succeed?
The Economic Landscape
The real estate market is still evolving rapidly compared to last year. More tenants are returning to working in offices as the government and the FIRE industry require employees to return to the office more days overall, which will ultimately create pressure on any occupant who gave up space to take advantage of work-from-home policies.
Economic conditions are favorable—interest rates are stabilizing, the cost of capital is declining, and cap rate compression is creating more competition for high-quality assets. Market fundamentals in some cities still have material vacancy issues; however, in high-quality space, there appears to be some positive movement. Supply discipline is still strong, with winners in the gateway cities like New York City, Vancouver, Boston, San Francisco, etc.
As reported in The Wall Street Journal, the bifurcation of the market favors quality assets. According to Nick Kordic, VP of Leasing at Oxford Properties Group, “The focus on quality extends beyond location and aesthetics. Large firms are committed to sustainability and to employee experiences in the building that include modern amenities and engaging, flexible workspaces.” Supporting this trend, Oxford Properties completed an expansion and renewal of a 300,000-square-foot lease with EY in a high-quality asset, further emphasizing the demand for well-located, adaptable environments that prioritize sustainability and modern tenant needs.
Resolving to Invest with Intentionality
In 2026, the smartest owners will resolve to act decisively. Here’s why:
The Cost of Inaction: Tenant dissatisfaction, increased turnover, and stagnant rents will plague those who fail to adapt.
The Lessons from Resolutions: Like personal goals, success in real estate requires focus, accountability, and alignment with broader strategies.
The Opportunity: By meeting tenant needs through targeted investments, owners can increase occupancy, strengthen relationships, and enhance asset value.
What Tenants Want Today
A landlord I spoke with shared that their CIO, responsible for corporate security, has been hearing more from leasing teams about the importance of building safety and consistency. The CIO noted an increasing dialogue on operational technology (OT), focusing on ensuring tenant investments are not jeopardized by poorly managed systems. These conversations reflect a growing demand for landlords to prioritize secure, reliable building environments as a core component of tenant satisfaction and retention.
To close the gap between tenant expectations and current offerings, owners must focus on key areas:
Amenities that Enhance Operations: High-functioning lobbies, gyms, conferencing spaces, food services, and flexible hoteling areas.
Technology Integration: Building-wide Wi-Fi, virtual access cards, mobile apps for tenant convenience, and ubiquitous cell coverage.
Wellness and Sustainability: Consistent heating and cooling, clean air, recycling programs, and community engagement initiatives.
Cybersecurity: Robust protections for building systems to ensure tenant safety and business continuity.
These elements aren’t just nice-to-haves; they’re essential to attracting and retaining tenants who value spaces that support productivity, collaboration, and wellness. CBRE’s “best vs. the rest” framework underscores that tenant preferences are rapidly reshaping expectations around modern office spaces, with a premium placed on well-equipped, secure, and user-friendly properties.
A Strategy for Action
Here’s how owners can act with intentionality and set their assets apart:
Assess Your Building’s Foundation: Work with property managers to evaluate physical, digital, system, and operational elements.
Map the Technology Ecosystem: Identify all systems, networks, software, and hardware, and assess how they interconnect.
Align Capabilities with Needs: Evaluate how these elements support tenant requirements, internal goals, and capital strategies.
Define and Align Your Vision: Ensure your vision aligns with capabilities and investments and clearly communicates a competitive value proposition.
Synchronize Leasing and Operations: Match leasing objectives with operational realities to avoid overpromising or underdelivering.
Prioritize Cybersecurity: Protect tenants and building systems from risks with proactive, reliable measures.
Collaborate with a Guide: Engage experts to help maintain focus and accountability, ensuring your strategy aligns with market trends.
Intelligent Buildings: A Guide for Sophisticated Owners
For owners and managers seeking to bring this strategy to life, Intelligent Buildings offers advisory, assessment, and managed services to address these challenges. Here’s how:
For the Advanced Manager: Securing the Foundation
Sophisticated asset managers often grapple with justifying the return on investment (ROI) of improvements to key stakeholders. Partnering with Intelligent Buildings provides an excellent way to isolate and explore ROI related to efficiencies and technology investments. This analysis can be a valuable input to securing the capital necessary for unlocking investments that speed up leasing or maintain higher renewal rates, ultimately creating economic value.
For the Owner Ready to Build a Vision: Defining the Path Forward
For those who are just starting, Intelligent Buildings’ Advisory Services can help:
Formulate a Strategic Thesis: Develop a clear vision for aligning tenant needs, building technology capabilities, and capital strategies.
Structure the Journey: Create a roadmap for intentional investments that maximize value and attract tenants.
Set the Stage for Action: Build a foundation that ensures future initiatives unfold in a structured, deliberate manner.
For the Forward-Thinking Owner / Manager: Combine Strategy and Action
For property managers, the real hero in a complex space is one who recognizes what they don’t know and aligns rapidly with a guide who can focus them cost-effectively. Intelligent Buildings equips property managers with inventory tools and proven cybersecurity solutions that ensure critical systems are managed effectively. Starting with expert advice ensures managers are armed with the proper tools and strategies to align operational success with tenant needs.
Wrapping It All Together
Just as successful resolutions require intentionality, clarity, and follow-through, so does real estate investment. Don’t become a statistic of failed New Year’s resolutions. The smartest owners will:
Understand Tenant Needs: Use technology and dialogue to close the gap between expectations and offerings.
Invest in Quality Systems: Ensure the building’s foundation supports tenant satisfaction and operational efficiency.
Partner with Experts: Work with CRE technology experts to stay ahead of market trends related to technology and secure a competitive edge by executing a plan.
In 2026, resolve to act with purpose. By aligning your assets with tenant needs and leveraging the right tools and expertise, you can transform your properties and achieve your economic goals.
by Michael Magee, Director of Managed Services, & Rob Goss, Director of Service Development
Information technology (IT) administrators have long attempted to impose IT standards on operational technology (OT) systems. However, OT system admins have resisted, understanding that OT environments have unique requirements for real-time performance, reliability, and safety that significantly differ from those in typical IT systems. To address this issue, the International Society of Automation (ISA) and IEC (International Electrotechnical Commission) collaborated to create the ISA/IEC 62443 Industrial Cybersecurity Standards, which combine the best aspects of various standards to form an OT-specific policy. This is the standard that we all have been asking for. Nonetheless, the path to compliance remains challenging due to limited resources, budget constraints, and diverse infrastructures.
Many articles on LinkedIn and the Internet tackle the technical aspects of 62443 compliance. Few discuss the commitment needed to embark on the journey. Compliance is not something you can gain by issuing a PO or complete as a personal goal. It will require buy-in from all levels of your organization, including the CISO, Property Manager, and Chief Building Engineer. This article lays out the considerations that should be discussed at the start of the journey to compliance.
The journey starts by documenting how your existing infrastructure and practices compare with your security and maturity goals. This includes the following:
Inventory all OT systems. Develop a profile for each OT device, including the network configuration, connectivity/communication standards, and all software/firmware.
Conduct security risk assessments on the data collected above to identify potential threats and vulnerabilities and determine the risk level of each device and the systems they belong to.
If you are like most organizations, this process will identify some hidden risks that need to be addressed before starting the compliance journey or by adjusting the starting risk level.
Compliance will take some time, planning, and attention to detail. The following actions are recommended to start:
Establish a Project Charter for existing buildings and the Owner’s Project Requirements (OPR) when seeking compliance in an existing building.
Reference the Project Charter often to keep everyone focused on the goal, inform new team members, and document any deviations.
Understand that pursuing a 62443 certification also requires changes in workflows. These changes will affect how your systems are administered and maintained.
The security and maturity levels determine what level of cyber controls or actions need to be implemented. You need to take time to identify the appropriate security level and maturity level that is right for your organization. Here are some topics to consider:
Review the security level carefully. A security level that may be appropriate for your organization may not be enough for your tenants or the tenants you are targeting. Fiduciaries, government, and law firms could require the property to pursue a higher security level.
The security level and maturity level are complementary rather than dependent on each other. However, as you increase the security level, you may need to increase your maturity level to meet the requirements of the security level (e.g., if the security control requires a documented repeatable process, you may need to target a maturity level 3 that requires processes to be documented and repeatable).
Each increase is directly connected to increased resources, budget, and effort. Be realistic and document the reason why you select particular goals. This will help keep the project tracking in the same direction.
Be honest about your in-house capabilities. The journey will likely go through a few budget cycles and change existing workflows. Keeping momentum towards short-term goals is critical. To determine your in-house capabilities, ask the following questions:
Does your organization have the skill set and resources to complete the work?
Will stretching your in-house team beyond its capacity delay other initiatives, or worse, stall the project while the team works on other priorities?
Does your organization’s risk posture encourage outsourcing some efforts so that the risk is shared with the third party?
The path to 62443 compliance will require an established budget and a diverse team. Both elements should consider the work identified and the projected timeframe while allowing for flexibility if additional elements are identified. This includes the following:
Break the budget into phases or assign specific amounts to achieve a specific design principle. This will help the team track the project’s financial health and reserve funds for future phases.
Teams will also need a cybersecurity expert, IT representation, building and system engineers, and other technical consultants. The team may want to consider adding Human Resources (HR), legal counsel, and incident response managers to refine workflows, handle communications and training, and oversee risk. Roles should be clearly defined by task and schedule.
New construction will need to consider the team and budget for the construction and post-construction efforts. Care will be needed to include IT and the compliance team when establishing the initial planning budget.
Workflows are needed to maintain compliance. As different controls or design principles are enabled, new workflows will need to be established and rolled out to the users. Consider the following:
Determine how changes will be communicated. Constant changes can overwhelm users. Developing a regular cadence to update and train all users tends to yield better results.
Include your system vendors and third-party support vendors in the training. They are under contract to uphold your standards and need to be kept up to date.
By involving system vendors in the compliance process, you can leverage their expertise, resources, and support to implement new standards effectively. Consider the following:
Cybersecurity is a shared responsibility. It is important to ensure that all parties are aligned and current on the policies and procedures needed to keep the system safe and secure.
Vendors often have in-depth knowledge of the systems and devices they provide. Collaborating with them ensures that security measures are effectively integrated and configured correctly.
Vendors will be needed to keep software and hardware up to date and patched.
Depending on the resources available, this may save you time and money as an experienced consultant will know exactly what is needed and may be able to evaluate cost-effective options. Consider the following:
Consultants provide an objective view of your current security posture, helping to identify gaps and vulnerabilities that internal teams might overlook.
Consultants focus exclusively on the compliance process, ensuring that it progresses efficiently without being sidetracked by other internal priorities.
Consultants are more familiar with this process and the technology available. They can develop customized strategies and solutions that align with your specific needs, operational environment, and business objectives.
This article has focused on the key business decisions needed to pursue ISA/IEC 62443. However, this discussion would not be complete without adding some technical detail around one of the key aspects of ISA/IEC 62443: its emphasis on an environment of zones and conduits.
Zones
The easiest way to explain this concept is to ask yourself a question: What needs to be communicated to whom? Answering this should allow you to create a logical diagram showing your different systems and how they communicate with each other.
How you answer the previous question (or the logical diagram you created) is the basis for what zones or networks need to be created. An example of this would be a building management server needing to communicate with controllers. The building management server and the controllers would be placed in a zone that is isolated from the other systems. In this example, a zone would be created to group similar devices that need to communicate with each other within the parameters of a common security policy. Benefits of this architecture include the isolation of like application traffic to minimize network congestion, the development of inter-communication policies to minimize unauthorized communication, the elimination of un-federated internet access, and the ability to implement a remote access control policy. Zones or networks can be created by deploying individual switches for each application, by creating virtual local area networks (VLANs), which are virtual networks, or by using a management device to configure a software-defined network (SDN).
Conduits
Conduits control who or what is needed to communicate with a specific device, application, server, or zone. The policy that creates conduits can control communication between OT systems, like lighting controls and the building management system (BMS). It could also be used for remote access and management of critical OT systems. Conduits can also be configured within zones to restrict and isolate specific communications to meet security, critical communication, or privacy requirements.
Historically, communication to these systems was unfederated or wide open, allowing free communication to any device or person who had access to the network. This included internet access. In some cases (and still today), public Internet Protocol (IP) addresses were used on servers, allowing for direct access to applications and devices from the public Internet.
What Properties Can Do Now
A great place to start is an Access Control Policy that creates zones of like devices and prevents (or limits) anyone from accessing the server or application from outside the zone. Your own knowledge and the information gathered from the security risk assessment will give you the basis for a conduit policy that allows communication from one OT system to another. It is also important that encryption like TLS and SSL is used to secure the application data. Next, address the remote access and management conduits. This piece is often harder to tackle than any other because vendors and engineers historically like things easy and less complicated, two things that don’t go hand in hand with security. The conduits that allow remote access to vendors and engineers must be controlled and be very specific. This has become extremely hard to do with our reliance on mobile devices and our always-available mentality. However, deploying an environment that uses zones and conduits will help you minimize the attack surface, reduce the risk of bad actors attacking system servers or applications, and give you more control over intercommunication.
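The zone and conduit policy described above can be written down as data and checked against observed traffic. The following Python is an added example, not code from the article or from the ISA/IEC 62443 standard; the zone names, subnets, ports, flow records, and device names are constructed assumptions.

```python
import ipaddress
# Constructed sample policy: zone names, subnets and ports are assumptions.
ZONES = {
    "bms": ipaddress.ip_network("10.10.10.0/24"),       # BMS server + controllers
    "lighting": ipaddress.ip_network("10.10.20.0/24"),  # lighting controls
    "vendor": ipaddress.ip_network("10.10.90.0/28"),    # remote-access jump host
}
CONDUITS = {  # (source zone, destination zone, protocol, destination port)
    ("lighting", "bms", "tcp", 443),  # lighting controls -> BMS over TLS
    ("vendor", "bms", "tcp", 443),    # vendor remote management, one port only
}
FLOWS = [  # constructed records: (source, destination, protocol, dest. port)
    ("10.10.10.5", "10.10.10.21", "udp", 47808),  # BMS server -> its controller
    ("10.10.20.7", "10.10.10.5", "tcp", 443),     # lighting -> BMS via conduit
    ("10.10.20.7", "10.10.10.21", "udp", 47808),  # lighting -> controller directly
    ("203.0.113.50", "10.10.10.5", "tcp", 443),   # inbound from outside
    ("10.10.10.21", "198.51.100.9", "tcp", 80),   # controller -> outside
]
INVENTORY = {"bms-server": "10.10.10.5", "legacy-bms-web": "203.0.113.80"}

def zone_of(addr):
    """Return the name of the zone containing addr, or 'external'."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "external")

def check_flow(src, dst, proto, port):
    """Classify one flow; intra-zone traffic is allowed as a simplification."""
    sz, dz = zone_of(src), zone_of(dst)
    if dz == "external":
        return "deny: destination outside all zones"
    if sz == "external":
        return "deny: inbound from outside all zones"
    if sz == dz:
        return "allow: intra-zone"
    if (sz, dz, proto, port) in CONDUITS:
        return "allow: conduit"
    return "deny: no conduit"

def audit(flows):
    """Return (flow, verdict) pairs for every flow the policy denies."""
    return [(f, v) for f in flows if (v := check_flow(*f)).startswith("deny")]

def unzoned(inventory):
    """Devices whose address is in no zone, e.g. a server on a public IP."""
    return [name for name, addr in inventory.items() if zone_of(addr) == "external"]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow, "->", verdict)
    print("in no zone:", unzoned(INVENTORY))
```

Run against exported firewall or switch flow logs, the denied list shows which existing communications need either a documented conduit or removal before the policy is enforced.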
Newer Technology May Help
Technologies like zero trust have filled a need to create trust between the vendor and engineer and the server or application that needs access. Unlike traditional VPNs, zero-trust solutions do not require inbound access policies. Once a zero-trust solution is deployed, you can create a firewall policy that doesn’t allow for inbound connections, giving you the ability to obfuscate your building and its critical systems from the Internet. Zero-trust solutions use a high level of encryption to ensure the security of the data as it traverses from the server to the end user accessing the data.
Embarking on the journey to ISA/IEC 62443 Industrial Cybersecurity Standards compliance is a multi-faceted endeavor that demands thorough planning, commitment, and active participation from various levels of your organization. From securing upper management buy-in to detailed documentary and procedural upkeep, every step requires deliberate action and alignment with broader organizational goals. Remember, effective compliance transcends mere regulatory adherence; it integrates seamlessly into the fabric of daily operations, enhancing security and operational efficiency. Navigating this path won’t be without its challenges, including budgeting, resource allocation, and evolving workflows, but with a clear plan and a united team, the risks can be mitigated and the journey towards robust cybersecurity can be successful.