
by Rob Goss and Mike Magee
Cyberattacks on building systems can have severe consequences, including unauthorized access to sensitive data, disruption of critical services, physical damage, and risk to life safety. Building compliance regulations exist to ensure that design and construction maintain physical safety, energy efficiency, and environmental standards. Only recently, with the increasing digitization of building systems, have oversight organizations begun to create guidelines and standards that address the cybersecurity risks to this digital infrastructure.
It is worth noting that compliance remains a business decision, not a regulation enforceable by government organizations overseeing building design and construction. In fact, legal counsel, risk officers, IT officers, and insurance consultants may be the best advocates for authorizing the needed resources.
Selecting the appropriate standard may take some research, and it can be confusing to understand how to apply the various standards and guidelines to commercial real estate. Different standards and guidelines have been created over the years. Many of the earlier ones, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 2700, were very broad. Eventually, the National Institute of Standards and Technology (NIST) cybersecurity framework was developed with a greater focus on operational technology (OT), especially industrial systems and manufacturing controls. This helped, but how it applied to an office building’s building automation system (BAS) remained unclear. The newest standard, IEC 62443, was recognized in 2021. It specifically addresses the safety, integrity, reliability, and security of control systems, with enough flexibility to be adapted to many different situations.
Roadmap for Implementing a Cybersecurity Program
Each property will need to review the options to see what standard or guideline best fits the property’s unique conditions. Each standard is unique. However, the implementation roadmap is similar:
- Understand the Standards and Guidelines: Review the relevant cybersecurity standards and guidelines or hire a qualified consultant to help identify which standards are applicable. Stay informed about any updates or changes that could be added to the cybersecurity policy.
- Risk Assessment: Conduct a thorough assessment to identify potential cybersecurity threats and vulnerabilities within the building’s digital systems, including Internet of Things (IoT) devices, the building management system (BMS), and access control systems. This should include both a physical inspection of all critical systems inside the building and a digital scan of the network(s) to document how systems communicate, both internally and out to the internet.
- Evaluate and Develop a Cybersecurity Strategy: Evaluate the assessment data to determine the property’s current level of risk and allowable risk tolerance. It may be best to stage the implementation of controls. The allowable risk tolerance will prioritize the security controls you implement. It is worth noting that each level of control or action taken comes at a cost. It is important to determine the best balance between risk tolerance and impact on available resources.
- Security Controls: Based on the risk assessment, specific security controls could include network segmentation, firewalls, data encryption, secure authentication, and regular software updates. Policy changes will also need to be communicated to the operations team. It is important that they understand why these actions are taken so they don’t circumvent the work and create additional risk.
- Incident Response Planning: Develop and maintain an incident response plan outlining the steps to be taken in the event of a cybersecurity breach, including communication protocols, roles and responsibilities, mitigation procedures, and post-incident analysis. Train the operations staff on how to identify and report potential issues.
- Continuous Monitoring and Reporting: Continuously monitor building systems for potential cybersecurity threats and policy compliance, and regularly report cybersecurity performance to regulatory bodies or stakeholders. Automate the monitoring as much as possible to avoid the errors introduced by manual reporting.
- Compliance Audits and Risk Tolerance Review: Conduct periodic audits to ensure ongoing compliance with cybersecurity regulations, assess the effectiveness of the implemented security measures, and identify areas for improvement. Reviewing the risk tolerance during these audits will help ensure the property is applying the correct level of control based on current business needs and changes to tenants or staff.
- Training and Awareness: Emphasize training and raising awareness among building personnel about cybersecurity best practices, threat recognition, and appropriate response actions. Schedule training and awareness exercises at a frequency that reinforces their importance and keeps awareness current.
The new cybersecurity compliance standards for buildings mark a major step forward in protecting modern infrastructure from the increasing risk of cyberattacks. By understanding and applying these standards, building owners and operators can strengthen the security of their digital systems, safeguard sensitive information, and maintain the safety and functionality of their properties.
While adjusting to these new requirements may initially demand time and resources, the long-term advantages of a secure, compliant building far outweigh the upfront costs. Achieving this won’t happen overnight—change takes time and investment. Developing an implementation roadmap that addresses the topics above can help prioritize actions and align efforts with the property’s risk tolerance and the reduction of risk. With a well-structured plan, organizations can effectively navigate the complexities of building cybersecurity and shield their operations from future threats.