Why implementing a properly-architected building services and security operations network is increasingly critical

If ever there was a time to be considering improvements to the strategic and operational management of your facilities, market conditions are indicating this is it.

In the wake of Covid-19 lockdowns, banks are reporting uncertainty around its impact on commercial property valuations, and have indicated that where transactions are occurring, they tend to be with higher quality properties. At the same time, the deployment of integrated, IP-based building management and security systems are on the rise. While they represent an efficient and economic way to manage and secure facilities, they are also potentially increasing cybersecurity risk.

For building owners and managers, these factors make the smart management of facilities even more critical. Managing costs, reducing security risks, and servicing tenants effectively, take on greater importance, and put a focus on the technology being used to integrate, connect and secure your building management, access control, and other on-site systems.

What is a building services network?

A building services and security operations network (BSN) is a dedicated, IP-based, building services and security operations network, separate to any on-site corporate network. It connects, integrates, secures and monitors a building’s management and security systems and services (such as building management, video surveillance, access control, HVAC, elevators, digital signage, lighting controls etc).

The BSN enables, secures, and connects both the new and legacy building management and security systems on which commercial buildings rely. The BSN’s firewall enables secure, remote access and VPN connectivity to be provided on a system-by-system basis for secure and remote operation, management, and support of each of the building services. Secure cloud back-up is also enabled and supported through the BSN firewall.

Property management costs and risks

Every day our network engineers in the field see numerous issues with commercial properties: unmanaged networks, unsecure networks, duplicate networks and infrastructure, lack of documentation, IP conflicts, unmanaged switches, no firewalls, and no remote access. These practices are exposing building owners and facilities managers to increased risks and costs in an already commercially-challenging and security-dynamic environment.

Managing cost and efficiency are key considerations. Without an effective BSN in place, your suppliers will find it hard to efficiently and remotely manage their systems, resulting in increased cost for maintenance. For example, if your access control system supplier doesn’t have remote access, any fault will require a site visit (often called a “truck roll”) – increasing costs and requiring additional management oversight.

Multiply that by the numerous systems that a modern building has and it adds up to significant inefficiency, overhead cost, and risk. The number of suppliers servicing a building will only increase as traditional systems are augmented by new ones such as digital signage, cloud video surveillance, smart building services, air-monitoring services, and guest WiFi services.

Business continuity is another issue – not just for your building, but for your tenants. Video surveillance network or component failures provide a classic example. The fault could be the video surveillance provider, the network video recorder, the POE switch, the cameras, or even a network-connectivity or ISP issue. Troubleshooting this without a properly-architected BSN will be difficult and costly. A properly designed BSN with appropriate network monitoring in place provides clarity of your network assets and components, an overview of your building (or site’s) network, and real-time visibility into the uptime and load on all of the IP-based devices and systems that sit on it. This enables a quick, and often remote, diagnosis of problems, rather than bouncing back and forth between suppliers and/or costly and multiple site visits.

Ultimately, continuity and cost issues reduce your competitiveness in a highly-constrained and competitive commercial real estate market. Property and facilities managers need to be able to understand any issues and respond efficiently and effectively. If your OPEX costs to tenants are continuing to grow, or are high relative to other similar buildings, your ability to attract quality tenants can be compromised.

Protecting your assets

The ability to manage risk is probably the biggest issue with which building owners and managers are grappling. While many building services platforms (e.g. video surveillance/CCTV, access control, HVAC) emerged pre-internet, they can no longer be treated as closed systems. The latest generation of building services and building security systems are all IP-based and are being installed alongside legacy systems. Too many IP-based devices remain unsecured in modern buildings. All of them require some sort of network integration, separation, as well as secure remote access.

The Ponemon Institute conducted a major USA study in 2019 that looked at business leaders’ perceptions of third party unsecured IoT (IP-based) devices within their facilities. Many of these are related to building systems – for example, climate control systems.

The study showed that 18% had experienced a data breach due to unsecured IoT devices and 23% had suffered a cyberattack. Eighty-one percent of respondents believe such a cyberattack is very likely in the next two years and 82% believe a data breach is very likely.

These statistics highlight the serious risks of cyber attacks on building management and security systems. Ransomware attacks on building management systems are increasing, access control systems have been hacked, and video surveillance systems accessed or disabled. If BSNs don’t keep up, these risks will continue to grow as hackers and other bad actors become more sophisticated.

Five steps to gaining control

What most building owners or facilities managers want is confidence that their buildings are being managed efficiently and securely. To achieve this you need to design and implement a BSN that provides visibility, control, and security for the building and security services that sit on the BSN. The challenge is often that these services have been added incrementally, over time, without reference to the overall BSN architecture and evolving security requirements. Often there is no single network diagram or security policy covering a site or building’s BSN.

There are five key steps to gaining this confidence:

1. Auditing your building’s current state:

Get a clear view of your current situation, covering all of your building’s network and associated infrastructure. What building services and systems, network components, digital services, IoT devices, servers, and switches are in the network – how does it all fit together? What is the current state of network cybersecurity and IP planning? Where are the gaps and potential risks, where have there been failures, which services require truck-rolls and physical site visits to upgrade, patch and take a back-up?

2. Understand future state requirements:

What is your strategic roadmap for your facility? What are you planning to do with current and future building and digital services, such as the building management system, video surveillance, access control, digital signage and so on? What kind of cybersecurity posture is appropriate? Which services need to be integrated and talk with each other? Which services can be enabled with secure, remote access, and cloud back-up? What level of resiliency is required? What does a highly functional, safe and cost-effective approach to building services management look like?

The reality is that any building owner or manager wanting smarter, healthier, safer and more efficient facilities need to have a properly-architected, IP-based, secured, building services and security operations network in their building, or on their site.

3. Design a network to meet these requirements:

With your requirements documented, the next step is to prepare a high-level design (HLD) of the future state network and all of the services and components. This also includes the type of fibre circuit, firewall, switches, and level of redundancy/resiliency that is required. The HLD is translated into a low-level design (LLD), which specifies the exact IP and VLAN plan, firewall rules, how each service, and any new components, are integrated into a safe and secure network environment. Remote access rules and integration rules are also documented.

4. Implementation of a BSN and migration of current services:

In some cases, this will be a remediation and/or upgrade of an existing BSN, but the outcome needs to be the same: confidence that you have a BSN that is properly architected, documented, secured, managed and maintained, with secure remote access and cloud back-up enabled. Only those who are meant to remotely access a certain service or network element are able to gain access. This puts the facilities manager truly back in control.

5. Ongoing monitoring and management:

Key to the success of an effective BSN is the ability to decouple a service from the specific service provider. Building managers want visibility and control of the services that sit on their BSN. With a cloud-based network uptime monitoring system, they can easily keep track of every element on their network, helping facilities managers drive clear service level agreements with service providers. With a properly-architected, managed, and monitored BSN, it will be easier to identify when and where there is a fault or an outage and hold the appropriate party to account.

Gaining clarity and control

Covid-19 has impacted the way businesses are operating – and the commercial property sector is no exception. Part of that means taking a smarter approach to ensuring that your buildings are ‘smart’ and as efficient as possible. That includes implementing a well-managed BSN that gives building owners and facility managers visibility, clarity, and control of their sites. This in turn will help them not only respond to current constrained market conditions but deliver greater profitability due to increased efficiencies and reduced OPEX.

If you need some clarity, schedule a consultation with one of our building systems and security operations experts here.

7 Cybersecurity Considerations for Remote Working

COVID-19 has accelerated the adoption of remote or distributed working, yet many businesses are potentially unaware of some significant cybersecurity risks inherent in remote working. In this blog I highlight these risks and look at what your strategic response could be.

This blog is based on an interview I gave to the Adviser Talk podcast. Listen to the full interview here.

‘The best time to plant a tree was 20 years ago, and the second-best time is right now,’ goes the ancient Chinese saying. The same applies for ensuring that your business is prepared for the risks and opportunities in a world that has accelerated to distributed, digital workforces in its response to COVID-19.

You might be considering digitising and optimising your internal processes in pursuit of productivity gains, or moving your offline business online, to compete in a COVID-19 and post-COVID-19 world. A key focus area for business leaders in these turbulent times should be on enabling a seamless transition to an operating model that supports distributed/remote working while also ensuring business continuity and security. 

Enabling your staff to work from home (WFH) is an integral part of this approach. While New Zealand has opened up again after the initial lockdown, the desire to keep up at least some remote working is strong in most sectors. There is also the possibility of a second COVID-19 wave flaring up, resulting in another full or partial lockdown and on a local, regional or national basis.

Digital transformation was disrupting business models even before the COVID-19 era – the digitisation of manual processes, properly done, is a sure path to improved productivity. Not only that, but when teams are working remotely, cloud-based services and online processes help to ensure that everyone’s on the same page, even if they’re not in the same space.

Three areas of cybersecurity risks in WFH environments

We’re seeing increased risks from remote working in three key areas: personal risk, business risk and government risk.

Staff are working from home often over insecure WiFi networks and without firewalls. They’re accessing their usual personal sites such as banking, shopping, and social media – which is frequently done from home – but now they are also accessing business systems and data, and/or government systems or infrastructure from home as well.

If your distributed workforce doesn’t have the correct protection on their computers, they aren’t using a secure WiFi network, firewall or certificate-based, always-on VPN, then it’s likely that their access to those enterprise or government systems, or their personal data, could be insecure and vulnerable to a compromise or exploit.

Currently, the biggest targets cybercriminals are exploiting are these inadequate and vulnerable WFH setups. This has created the “perfect storm” for cyber-criminals to access enterprise or government systems, to exfiltrate company data, personal information, financial information, or company intellectual property.

We’re seeing emails being attacked, malware on websites, ransomware, phishing attacks, man-in-the-middle attacks, hijacked mailboxes, invoice and identity scams, and extortion occurring more regularly around the world. These cyberattacks are being perpetrated both by individuals, as well as organised crime and criminal gangs, and in some cases even funded by state actors (i.e. rogue states are funding cyberattacks).

Historically, to steal or to destroy something, you had to actually be physically present onsite. Now, a nation state or a criminal can undertake a cyberattack from anywhere in the world against any business, government or person. Rogue nation states and their cyber armies, or criminal gangs, and even highly focused individuals, all present real risk in terms of individual or enterprise property theft or attack on a country’s infrastructure – and all of this remotely.

How can distributed workers (and your business) be protected?

What do you do if your staff are working from home and/or working off site? End users need, at a minimum, endpoint security protection on their laptops and on their mobiles, which helps protect against some of the types of attacks outlined above.

Here are seven basic security measures that businesses need to put in place for distributed workers and WFH workers to be secure:

1. Implement an endpoint protection solution for laptops, tablets, and mobiles. It should combine most if not all of the following: anti-virus, ransomware protection, anti-malware protection, data-loss protection, intrusion protection, anti-exploit technology, and web and application control.
2. Implement a mobile device management solution (MDM solution) to help control and manage personal and work laptops, tablets, and mobiles.
3. Use secure or encrypted networks – ensure that any WiFi connections are encrypted. At a minimum, use a basic firewall at home and/or certificate-based, always-on, VPN connectivity to the office and its systems.
4. Set up password manager software so that passwords can be long, unique for each website or service, and regularly changed.
5. Put company policies in place that require multi-factor authentication for every login to any significant system.
6. Conduct audits, provide cybersecurity and phishing training, and distribute regular reminders of best practice against cyberattacks.
7. Develop a plan and a pathway to improve security across your organisation as well as a disaster recovery and business continuity plan in the event of any successful cyberattack.

Mandatory disclosure of data breaches will shortly become a reality in New Zealand. A number of countries have already introduced mandatory reporting for significant cyberattacks and theft of customer or public information. Companies will be required to notify both the Privacy Commissioner, and any individuals whose data is compromised, about a cyberattack on their business if the breach has caused, or is likely to cause, serious harm. Now is the time to start preparing.

Managing employees that leave

Desperate times cause people to behave in desperate ways. Businesses need to protect against malicious behaviour, and remove any temptations by shutting every door possible for malicious activity.

When someone leaves a company, there should be a process that removes their access to various systems and applications. Running single sign-on (SSO), a method that ensures that a user connects to all its systems with a single user ID, is a sound strategy.

It’s beneficial for onboarding because you can quickly add new staff to a number of systems and applications, and you can control hierarchically what they have access to. Inversely, it’s also excellent for offboarding or exiting someone from the business, because in a single command, you can remove all rights to systems and applications. You can rest assured that they can no longer gain access to any of your enterprise systems.

Start planting that tree

As more companies embrace flexible or distributed work practices as a result of COVID-19 and the ongoing level of uncertainty, cybersecurity becomes increasingly important. Personal data, financial data, intellectual property, and enterprise and government systems that can be accessed remotely all need to be secure and protected.

When it comes to a company’s business continuity and disaster recovery planning, cybersecurity considerations are key. With the increased focus on this area, now’s a good time to ‘plant that tree’, and leverage cloud infrastructure and cybersecurity platforms that can help you secure your business in a cost-effective and manageable way.

Ensure your team is able to remotely and safely access and manage critical business data, regardless of where they’re working. Schedule a time with Martyn to discuss your organisation’s remote working strategy now.