The July Nexus Pro Members' Subject Matter Expert (SME) Workshop included a look into everyone's favorite topic---cybersecurity. Don't roll your eyes and skip past this talk though; the information is incredibly valuable and interesting.
Pro Members can watch the full recording, view the slides, and read the transcript here.
We have Mike MacMahon here talking about cybersecurity.
Twenty years in IT—started to work in the built environment backin around 2013, then really engaged back in 2015 to 2018, where I was designinginfrastructure and policies and procedures for a number of developers.
I'm a big collector of data. I just like to know things, so hopefully I can share some of that with you today on cybersecurity.
I'm currently with Newcomb & Boyd—been here for about two and a half years. We have been a mechanical electrical plumbing firm based out of Atlanta, and we're celebrating 100 years. They've been around 97.5 years longer than I've been with the company, but they've been doing fantastic work.
Cybersecurity is a concept of protecting digital assets.
We apply it basically to every system that operates within a building.
Those systems come in two forms: IT systems, which pretty much focus on data. OT systems, which manipulate the physical environment.
Now we're starting to see the convergence of the two systems and their reliance on each other.
Focus: The first focus for IT systems is digital. For OT systems, the focus is more physical, because it manipulates things in our real and physical environment.
Priority: The priority for IT systems is based on confidentiality of the data—keeping it away from things. For OT systems it’s more the safety of the environment.
Incidents: We took a look at incidents. The incidents of a cybersecurity breach is quite frequent with IT systems—malwares and ransomware-type attacks. They're very frequent. OT system incidents, while less frequent, can be much more destructive.
Go back and take a look at the Iranian nuclear program and that wonderful little worm called Stuxnet that attacked industrial control systems, learning the environment for a really long time like a spider in a web collecting data. Once it was able to figure out how to get into the drive system for the centrifuges, it attacked and spun them up and down until the centrifuges blew up. Very, very disruptive.
**Book recommendation by the audience: Countdown to Zero Day
Security patching: IT systems are generally patched weekly. OT systems every 10 years (Maybe). That's starting to change in the last couple of years, with a lot of manufacturers getting on board, not just releasing patches for what it does, but how it does it, so that's making some of this a little bit easier to transition over to IT systems for some of the management pieces.
We are starting to see the blending of your physical world and the digital space because physical things are producing data.
We really want to make sure that confidentiality of that data takes place.
The Smarter buildings get, the more systems get introduced. The more data they produce, the more the OT systems that used to be siloed start to align with IT systems.
Cybersecurity transitions into protecting the confidentiality and integrity of this data.
Data has a lot of value, and we have to protect that.
We have to make sure that we can trust the data that's being collected. That's where the integrity comes in. And we want to keep it private. We only want to be able to share data with who is supposed to have access.
Any form of improvement that we're reaching for in our smart building programs, is going to introduce tech. And the complexity increases even more because now we're not just introducing more technology and more systems into the building. But we're sharing some of that control and data and monitoring capabilities. That introduces a certain level of risk.
Cybersecurity is “knowing who's who in the zoo.” What technology do I have and who is sharing its data and control methodologies with who and with what (other systems and other people).
Cybersecurity is all about maturity. There is a beginning (you always start somewhere), but cybersecurity really doesn't end.
I've created a very simple chart that shows the risk on one side—high, medium and low—and a maturity cycle.
If you do nothing for cybersecurity, you're at a high level of risk. Your risk appetite is high. “I'm willing to eat that risk. I'm willing to exist at that level.”
The program starts with the intent to secure things. “I want to reduce my risk by putting in a program for cybersecurity.”
As soon as you have program intent, and when you start to implement your basic cyber hygiene (I’ll go over that in a bit), your risk level starts to lower over a very short, very quick period of time.
Your risk never hits low.
“Those who think themselves secure are more exposed todanger than any others.” – Charles Spurgeon
I don't know what I don't know. I like to operate in thatstate because that assumes a high level of preparedness, a high level ofvigilance. I want to be careful with everything that I do.
I like to think that cybersecurity is less about the technology and more about the people. That's why I always start with program intent because it is my intention to inform my people that I'm going to do something in the cybersecurity realm.
Eventually, you're going to reach a point of maturity where you are comfortable with the appetite for risk that you have in your environment and you're going to work to maintain.
Know your systems. What do I have?
Know your people. Who are the people that should have access to the systems? What are their responsibilities?
Limit access to systems based on need. Don't make everybody an administrator if they don't need to be.
Change system defaults. Everything with a human interface ships with a default. Get rid of the passwords, get rid of the usernames, and create specific intentional passwords.
Open and Closed ports. Ex. I've got this little widget that comes in and it's got wireless and it's got an Ethernet connection. It's got Bluetooth on it, but I'm only going to use the Ethernet. I'm going to close off those unused interfaces and make sure that I'm only using a secure form of communication like HTTPS.
Know how your systems interact. The systems talk to each other and they can drive certain things. Know that there's a level of interaction. Know how they're logging into each other. It's either a direct access, or maybe it's a rest application interface or something along those lines. Also know how many people and systems are interacting. Ex: If I have vendors on site that are maintaining my building, I don't want them going in and installing their own cellular. I need to ask them, “What do you need to maintain the system that you're responsible for?”
Talk to your peers. Ask “What do you do for cybersecurity? What is your role?” Cybersecurity is all about trust. There is a lot of misplaced trust in the built environment that's existed for a really long time. Honest communication is starting to close the gap. If you're an installer, if you're a consultant and you're recommending a certain piece of equipment for the design, do your homework. Know the manufacturer has a really good program of cybersecurity built into the product. Make sure you tell the guys in the field.They need to turn it on. Make sure you tell the owner to have a cybersecurity policy.
That's basic cyber hygiene.
That at least gets you to a starting point if you have absolutely nothing.
The key program criteria: availability, integrity, and supportability.
Do a posture assessment. You can't know where you're going unless you know where you've been. I need to know what I have, so I know what to do next.
For instance, 20 year old building automation systems can't be scanned with today's cybersecurity scanning tools. Sometimes they freak out. They don't like that. You have to figure out a different way.
Take a risk-based approach. Evaluate your property or portfolio operations by identifying and defining the value of associated risk and tailor it to your operational appetite.
For example, it's not necessarily going to shut a building down if they open a window, but if they can't open windows, that might be a problem.
But if you're a hospital, the level of risk goes up. The same issue means you can't operate because infection control requires a certain degree of managed air in a particular space.
Have you met risk? Ensure that you're not introducing risk into your development. As systems get replaced, if you have policies and standards in place, you can use those to guide that upgrade. It's important to have a strong cyber program to guide that installation.
User vigilance. Not a big fan of the awareness thing because everybody's aware of it. I like vigilance because it's a more active approach. It promotes a more active role in your user group. Socialization of those policies and standards is crucial.
You want everybody to be aware that "hey, I have intent that I'm protecting all of my technology. I want my data to have integrity. I want to have account confidentiality associated with it, that it's going to be managed and you are going to be responsible for playing a role in that."
First is policy – what are my intended outcomes?
Inventory is a little bit grayed out. It's kind of something for more of an existing facility. What systems do you have in your environment?
Control objective could be I want encrypted communications from endpoints. I don't want other third parties bringing their devices on site and plugging them in, et cetera.
Standards are mandatory requirements to satisfy the control objectives. Ex: the control objective on remote access requires remote access so that no one's bringing their devices on site. The standard is going to define how I'm going to do that. I'm going to have some type of VPN system that is going to be compliant with this that provides this type of thing. (This is where we get into the IT world).
Once you have all of these standards in place, you can now give them to somebody else to inform secure design. It allows you to pick your manufacturers because they have to reach a certain level of capability in orderto be chosen for your environment to collect the data that will go to your system designers.
Cyber commissioning. It's the validation of controls through testing. Ex: I wrote my needs plan down and I stated what I wanted. I gave it to someone so that they could specify it for someone else to do. Now I'm going to come back and make sure that they did it according to the way I wrote it.
Operations. The ongoing management of the production environment. I want to have rules in place so that the people that are continuing to operate my property and making sure that these systems are maintained, are doing it in the way that I had intended through my policies.
Now we start at the beginning again.
Take a look and makesure that our policies are accommodating all of the technologies that we have in our building. If we have a new initiative to do some decarbonization strategies, that means metered data. Well, I've got policies, control objectives and standards that are going to dictate how that program should be implemented and run. Where's that data going to live? How will it get encrypted? Was it encrypted at rest? Is it encrypted? In flight? All of those things can be figured out pretty easily.
I highly recommend getting at least a high-level education if you're not already familiar with how some of these things work.
Not a big surprise.
Offers a framework to assess your risk posture, but also to help you get started down the path of where am I and where do I need to go.
Elevating the awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.
They have simple templates that you can download and use to at least get you started.
It's an agency of the US Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
It starts with identification. Take inventory. Know what you have, I have to know what I have in order to know what to do with it.
What do I need to do to protect it? In other words, what are some of the threat vectors? Is it air gapped? Is it only connected to itself? Do I have vendors that come in and plug in their own laptop? (Which who knows what's on that laptop and where that thing's been?)
Have something to detect? This is kind of starting to get a little bit more beyond cyber hygiene and getting into the advanced spaces where you're going to have some type of system to be able to detect incidents.
Then once you have an event logged, you need to respond. You need to have a policy in place that says if this happens, we are going to do this. That's usually a disaster recovery or business continuity type use case for a policy. Those are all spelled out pretty simply on a lot of those websites that I gave you earlier.
Then how do I recover? You know, what are my service level agreements that I'm going to have with the tenants in my building on how quickly I'm going to be able to restore operations?
If you do nothing for cybersecurity, you're at a high level of risk. Your risk appetite is high. “I'm willing to eat that risk. I'm willing to exist at that level.”
The program starts with the intent to secure things. “I want to reduce my risk by putting in a program for cybersecurity.”
As soon as you have program intent, and when you start to implement your basic cyber hygiene (I’ll go over that in a bit), your risk level starts to lower over a very short, very quick period of time.
Your risk never hits low.
“Those who think themselves secure are more exposed todanger than any others.” – Charles Spurgeon
I don't know what I don't know. I like to operate in thatstate because that assumes a high level of preparedness, a high level ofvigilance. I want to be careful with everything that I do.
I like to think that cybersecurity is less about the technology and more about the people. That's why I always start with program intent because it is my intention to inform my people that I'm going to do something in the cybersecurity realm.
Eventually, you're going to reach a point of maturity where you are comfortable with the appetite for risk that you have in your environment and you're going to work to maintain.
Know your systems. What do I have?
Know your people. Who are the people that should have access to the systems? What are their responsibilities?
Limit access to systems based on need. Don't make everybody an administrator if they don't need to be.
Change system defaults. Everything with a human interface ships with a default. Get rid of the passwords, get rid of the usernames, and create specific intentional passwords.
Open and Closed ports. Ex. I've got this little widget that comes in and it's got wireless and it's got an Ethernet connection. It's got Bluetooth on it, but I'm only going to use the Ethernet. I'm going to close off those unused interfaces and make sure that I'm only using a secure form of communication like HTTPS.
Know how your systems interact. The systems talk to each other and they can drive certain things. Know that there's a level of interaction. Know how they're logging into each other. It's either a direct access, or maybe it's a rest application interface or something along those lines. Also know how many people and systems are interacting. Ex: If I have vendors on site that are maintaining my building, I don't want them going in and installing their own cellular. I need to ask them, “What do you need to maintain the system that you're responsible for?”
Talk to your peers. Ask “What do you do for cybersecurity? What is your role?” Cybersecurity is all about trust. There is a lot of misplaced trust in the built environment that's existed for a really long time. Honest communication is starting to close the gap. If you're an installer, if you're a consultant and you're recommending a certain piece of equipment for the design, do your homework. Know the manufacturer has a really good program of cybersecurity built into the product. Make sure you tell the guys in the field.They need to turn it on. Make sure you tell the owner to have a cybersecurity policy.
That's basic cyber hygiene.
That at least gets you to a starting point if you have absolutely nothing.
The key program criteria: availability, integrity, and supportability.
Do a posture assessment. You can't know where you're going unless you know where you've been. I need to know what I have, so I know what to do next.
For instance, 20 year old building automation systems can't be scanned with today's cybersecurity scanning tools. Sometimes they freak out. They don't like that. You have to figure out a different way.
Take a risk-based approach. Evaluate your property or portfolio operations by identifying and defining the value of associated risk and tailor it to your operational appetite.
For example, it's not necessarily going to shut a building down if they open a window, but if they can't open windows, that might be a problem.
But if you're a hospital, the level of risk goes up. The same issue means you can't operate because infection control requires a certain degree of managed air in a particular space.
Have you met risk? Ensure that you're not introducing risk into your development. As systems get replaced, if you have policies and standards in place, you can use those to guide that upgrade. It's important to have a strong cyber program to guide that installation.
User vigilance. Not a big fan of the awareness thing because everybody's aware of it. I like vigilance because it's a more active approach. It promotes a more active role in your user group. Socialization of those policies and standards is crucial.
You want everybody to be aware that "hey, I have intent that I'm protecting all of my technology. I want my data to have integrity. I want to have account confidentiality associated with it, that it's going to be managed and you are going to be responsible for playing a role in that."
First is policy – what are my intended outcomes?
Inventory is a little bit grayed out. It's kind of something for more of an existing facility. What systems do you have in your environment?
Control objective could be I want encrypted communications from endpoints. I don't want other third parties bringing their devices on site and plugging them in, et cetera.
Standards are mandatory requirements to satisfy the control objectives. Ex: the control objective on remote access requires remote access so that no one's bringing their devices on site. The standard is going to define how I'm going to do that. I'm going to have some type of VPN system that is going to be compliant with this that provides this type of thing. (This is where we get into the IT world).
Once you have all of these standards in place, you can now give them to somebody else to inform secure design. It allows you to pick your manufacturers because they have to reach a certain level of capability in orderto be chosen for your environment to collect the data that will go to your system designers.
Cyber commissioning. It's the validation of controls through testing. Ex: I wrote my needs plan down and I stated what I wanted. I gave it to someone so that they could specify it for someone else to do. Now I'm going to come back and make sure that they did it according to the way I wrote it.
Operations. The ongoing management of the production environment. I want to have rules in place so that the people that are continuing to operate my property and making sure that these systems are maintained, are doing it in the way that I had intended through my policies.
Now we start at the beginning again.
Take a look and makesure that our policies are accommodating all of the technologies that we have in our building. If we have a new initiative to do some decarbonization strategies, that means metered data. Well, I've got policies, control objectives and standards that are going to dictate how that program should be implemented and run. Where's that data going to live? How will it get encrypted? Was it encrypted at rest? Is it encrypted? In flight? All of those things can be figured out pretty easily.
I highly recommend getting at least a high-level education if you're not already familiar with how some of these things work.
Not a big surprise.
Offers a framework to assess your risk posture, but also to help you get started down the path of where am I and where do I need to go.
Elevating the awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.
They have simple templates that you can download and use to at least get you started.
It's an agency of the US Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
It starts with identification. Take inventory. Know what you have, I have to know what I have in order to know what to do with it.
What do I need to do to protect it? In other words, what are some of the threat vectors? Is it air gapped? Is it only connected to itself? Do I have vendors that come in and plug in their own laptop? (Which who knows what's on that laptop and where that thing's been?)
Have something to detect? This is kind of starting to get a little bit more beyond cyber hygiene and getting into the advanced spaces where you're going to have some type of system to be able to detect incidents.
Then once you have an event logged, you need to respond. You need to have a policy in place that says if this happens, we are going to do this. That's usually a disaster recovery or business continuity type use case for a policy. Those are all spelled out pretty simply on a lot of those websites that I gave you earlier.
Then how do I recover? You know, what are my service level agreements that I'm going to have with the tenants in my building on how quickly I'm going to be able to restore operations?
If you do nothing for cybersecurity, you're at a high level of risk. Your risk appetite is high. “I'm willing to eat that risk. I'm willing to exist at that level.”
The program starts with the intent to secure things. “I want to reduce my risk by putting in a program for cybersecurity.”
As soon as you have program intent, and when you start to implement your basic cyber hygiene (I’ll go over that in a bit), your risk level starts to lower over a very short, very quick period of time.
Your risk never hits low.
“Those who think themselves secure are more exposed todanger than any others.” – Charles Spurgeon
I don't know what I don't know. I like to operate in thatstate because that assumes a high level of preparedness, a high level ofvigilance. I want to be careful with everything that I do.
I like to think that cybersecurity is less about the technology and more about the people. That's why I always start with program intent because it is my intention to inform my people that I'm going to do something in the cybersecurity realm.
Eventually, you're going to reach a point of maturity where you are comfortable with the appetite for risk that you have in your environment and you're going to work to maintain.
Know your systems. What do I have?
Know your people. Who are the people that should have access to the systems? What are their responsibilities?
Limit access to systems based on need. Don't make everybody an administrator if they don't need to be.
Change system defaults. Everything with a human interface ships with a default. Get rid of the passwords, get rid of the usernames, and create specific intentional passwords.
Open and Closed ports. Ex. I've got this little widget that comes in and it's got wireless and it's got an Ethernet connection. It's got Bluetooth on it, but I'm only going to use the Ethernet. I'm going to close off those unused interfaces and make sure that I'm only using a secure form of communication like HTTPS.
Know how your systems interact. The systems talk to each other and they can drive certain things. Know that there's a level of interaction. Know how they're logging into each other. It's either a direct access, or maybe it's a rest application interface or something along those lines. Also know how many people and systems are interacting. Ex: If I have vendors on site that are maintaining my building, I don't want them going in and installing their own cellular. I need to ask them, “What do you need to maintain the system that you're responsible for?”
Talk to your peers. Ask “What do you do for cybersecurity? What is your role?” Cybersecurity is all about trust. There is a lot of misplaced trust in the built environment that's existed for a really long time. Honest communication is starting to close the gap. If you're an installer, if you're a consultant and you're recommending a certain piece of equipment for the design, do your homework. Know the manufacturer has a really good program of cybersecurity built into the product. Make sure you tell the guys in the field.They need to turn it on. Make sure you tell the owner to have a cybersecurity policy.
That's basic cyber hygiene.
That at least gets you to a starting point if you have absolutely nothing.
The key program criteria: availability, integrity, and supportability.
Do a posture assessment. You can't know where you're going unless you know where you've been. I need to know what I have, so I know what to do next.
For instance, 20 year old building automation systems can't be scanned with today's cybersecurity scanning tools. Sometimes they freak out. They don't like that. You have to figure out a different way.
Take a risk-based approach. Evaluate your property or portfolio operations by identifying and defining the value of associated risk and tailor it to your operational appetite.
For example, it's not necessarily going to shut a building down if they open a window, but if they can't open windows, that might be a problem.
But if you're a hospital, the level of risk goes up. The same issue means you can't operate because infection control requires a certain degree of managed air in a particular space.
Have you met risk? Ensure that you're not introducing risk into your development. As systems get replaced, if you have policies and standards in place, you can use those to guide that upgrade. It's important to have a strong cyber program to guide that installation.
User vigilance. Not a big fan of the awareness thing because everybody's aware of it. I like vigilance because it's a more active approach. It promotes a more active role in your user group. Socialization of those policies and standards is crucial.
You want everybody to be aware that "hey, I have intent that I'm protecting all of my technology. I want my data to have integrity. I want to have account confidentiality associated with it, that it's going to be managed and you are going to be responsible for playing a role in that."
First is policy – what are my intended outcomes?
Inventory is a little bit grayed out. It's kind of something for more of an existing facility. What systems do you have in your environment?
Control objective could be I want encrypted communications from endpoints. I don't want other third parties bringing their devices on site and plugging them in, et cetera.
Standards are mandatory requirements to satisfy the control objectives. Ex: the control objective on remote access requires remote access so that no one's bringing their devices on site. The standard is going to define how I'm going to do that. I'm going to have some type of VPN system that is going to be compliant with this that provides this type of thing. (This is where we get into the IT world).
Once you have all of these standards in place, you can now give them to somebody else to inform secure design. It allows you to pick your manufacturers because they have to reach a certain level of capability in orderto be chosen for your environment to collect the data that will go to your system designers.
Cyber commissioning. It's the validation of controls through testing. Ex: I wrote my needs plan down and I stated what I wanted. I gave it to someone so that they could specify it for someone else to do. Now I'm going to come back and make sure that they did it according to the way I wrote it.
Operations. The ongoing management of the production environment. I want to have rules in place so that the people that are continuing to operate my property and making sure that these systems are maintained, are doing it in the way that I had intended through my policies.
Now we start at the beginning again.
Take a look and makesure that our policies are accommodating all of the technologies that we have in our building. If we have a new initiative to do some decarbonization strategies, that means metered data. Well, I've got policies, control objectives and standards that are going to dictate how that program should be implemented and run. Where's that data going to live? How will it get encrypted? Was it encrypted at rest? Is it encrypted? In flight? All of those things can be figured out pretty easily.
I highly recommend getting at least a high-level education if you're not already familiar with how some of these things work.
Not a big surprise.
Offers a framework to assess your risk posture, but also to help you get started down the path of where am I and where do I need to go.
Elevating the awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.
They have simple templates that you can download and use to at least get you started.
It's an agency of the US Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
It starts with identification. Take inventory. Know what you have, I have to know what I have in order to know what to do with it.
What do I need to do to protect it? In other words, what are some of the threat vectors? Is it air gapped? Is it only connected to itself? Do I have vendors that come in and plug in their own laptop? (Which who knows what's on that laptop and where that thing's been?)
Have something to detect? This is kind of starting to get a little bit more beyond cyber hygiene and getting into the advanced spaces where you're going to have some type of system to be able to detect incidents.
Then once you have an event logged, you need to respond. You need to have a policy in place that says if this happens, we are going to do this. That's usually a disaster recovery or business continuity type use case for a policy. Those are all spelled out pretty simply on a lot of those websites that I gave you earlier.
Then how do I recover? You know, what are my service level agreements that I'm going to have with the tenants in my building on how quickly I'm going to be able to restore operations?
The July Nexus Pro Members' Subject Matter Expert (SME) Workshop included a look into everyone's favorite topic---cybersecurity. Don't roll your eyes and skip past this talk though; the information is incredibly valuable and interesting.
Pro Members can watch the full recording, view the slides, and read the transcript here.
We have Mike MacMahon here talking about cybersecurity.
Twenty years in IT—started to work in the built environment backin around 2013, then really engaged back in 2015 to 2018, where I was designinginfrastructure and policies and procedures for a number of developers.
I'm a big collector of data. I just like to know things, so hopefully I can share some of that with you today on cybersecurity.
I'm currently with Newcomb & Boyd—been here for about two and a half years. We have been a mechanical electrical plumbing firm based out of Atlanta, and we're celebrating 100 years. They've been around 97.5 years longer than I've been with the company, but they've been doing fantastic work.
Cybersecurity is a concept of protecting digital assets.
We apply it basically to every system that operates within a building.
Those systems come in two forms: IT systems, which pretty much focus on data. OT systems, which manipulate the physical environment.
Now we're starting to see the convergence of the two systems and their reliance on each other.
Focus: The first focus for IT systems is digital. For OT systems, the focus is more physical, because it manipulates things in our real and physical environment.
Priority: The priority for IT systems is based on confidentiality of the data—keeping it away from things. For OT systems it’s more the safety of the environment.
Incidents: We took a look at incidents. The incidents of a cybersecurity breach is quite frequent with IT systems—malwares and ransomware-type attacks. They're very frequent. OT system incidents, while less frequent, can be much more destructive.
Go back and take a look at the Iranian nuclear program and that wonderful little worm called Stuxnet that attacked industrial control systems, learning the environment for a really long time like a spider in a web collecting data. Once it was able to figure out how to get into the drive system for the centrifuges, it attacked and spun them up and down until the centrifuges blew up. Very, very disruptive.
**Book recommendation by the audience: Countdown to Zero Day
Security patching: IT systems are generally patched weekly. OT systems every 10 years (Maybe). That's starting to change in the last couple of years, with a lot of manufacturers getting on board, not just releasing patches for what it does, but how it does it, so that's making some of this a little bit easier to transition over to IT systems for some of the management pieces.
We are starting to see the blending of your physical world and the digital space because physical things are producing data.
We really want to make sure that confidentiality of that data takes place.
The Smarter buildings get, the more systems get introduced. The more data they produce, the more the OT systems that used to be siloed start to align with IT systems.
Cybersecurity transitions into protecting the confidentiality and integrity of this data.
Data has a lot of value, and we have to protect that.
We have to make sure that we can trust the data that's being collected. That's where the integrity comes in. And we want to keep it private. We only want to be able to share data with who is supposed to have access.
Any form of improvement that we're reaching for in our smart building programs, is going to introduce tech. And the complexity increases even more because now we're not just introducing more technology and more systems into the building. But we're sharing some of that control and data and monitoring capabilities. That introduces a certain level of risk.
Cybersecurity is “knowing who's who in the zoo.” What technology do I have and who is sharing its data and control methodologies with who and with what (other systems and other people).
Cybersecurity is all about maturity. There is a beginning (you always start somewhere), but cybersecurity really doesn't end.
I've created a very simple chart that shows the risk on one side—high, medium and low—and a maturity cycle.
Head over to Nexus Connect and see what’s new in the community. Don’t forget to check out the latest member-only events.
Go to Nexus ConnectJoin Nexus Pro and get full access including invite-only member gatherings, access to the community chatroom Nexus Connect, networking opportunities, and deep dive essays.
Sign Up