CYBERSECURITY
THE FIRST CYBERSECURITY STANDARD FOR COMMERCIAL REAL ESTATE BUILDING CONTROL SYSTEMS By: Fred Gordy Building control systems (i.e., operational technology or OT) have cybersecurity requirements that cannot be met using the standards available for IT. These IT standards were designed to protect data and data systems. The National Institute of Standards & Technology (NIST) is a preeminent standard for companies developing IT policies and processes. However, even NIST acknowledged the importance of identifying risk in OT devices. Its 2019 publication states that OT/IoT devices identify three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices: 1. Many IoT devices interact with the physical world in ways conventional IT devices usually do not. 2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. 3. The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
6
Insight • Issue 2, 2022
Another noted authority, Gartner, also acknowledged that cybersecurity strategies for OT/IoT require tools, methodologies, and guidelines that are not available in the IT realm. The net-net is that building control systems need different standards to address their unique vulnerabilities and risks. As a result, the nonprofit organization Building Cyber Security (BCS) has created the first comprehensive set of building control system standards.
