Over the past decade, building control system cybersecurity has evolved dramatically. When I entered the industry more than ten years ago, cyberattacks targeting building controls seemed unlikely, often dismissed as isolated incidents by curious individuals. However, significant attacks were occurring, albeit frequently unreported. Companies typically chose to address these issues quietly and at considerable cost, preferring not to reveal their vulnerabilities. The advent of new regulations has ended this era of silence. Today, severe attacks are inevitable, their impacts are profound, and they will likely be publicly disclosed.
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) implemented final regulations requiring public companies to disclose cybersecurity incidents annually (U.S. Securities and Exchange Commission, 2023). This regulation covers both Information Technology (IT) and Operational Technology (OT), mandating strong cybersecurity measures for building control systems like HVAC, lighting, and access controls, in addition to traditional IT infrastructure. Building owners must now adopt a proactive stance on OT cybersecurity to safeguard employees, tenants, assets, and brand reputation.
In late 2023, the National Security Memorandum designated commercial facilities as critical infrastructure. This designation underscores their importance to national economic security and public safety (National Security Memorandum, 2023). These facilities—such as retail centers, entertainment venues, and lodging establishments—are crucial because their incapacitation or destruction could significantly impact national security, economic stability, and public safety (National Security Memorandum, 2023).
The designation as critical infrastructure imposes substantial responsibilities on building owners, managers, and operators. They must enhance security measures, incorporating both physical upgrades and robust cybersecurity protections. Compliance with regulations such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework is essential for protecting against threats and ensuring operational resilience (National Institute of Standards and Technology, 2024). Furthermore, owners are required to promptly report any cyber incidents or security breaches to relevant government agencies, as mandated by bodies like the SEC.
Close collaboration with government entities is crucial for aligning security practices with sector-specific guidelines. This collaboration facilitates regulatory compliance and improves security measures through shared intelligence and resources. Investing in advanced technologies and providing ongoing training for personnel are critical for adapting to evolving security standards and mitigating potential risks.
Stricter access control measures may be required to regulate facility entry, impacting tenant and visitor interactions. Additionally, being classified as critical infrastructure can affect insurance considerations, including coverage requirements and premium costs. Adjusting lease agreements and operational procedures to meet heightened security needs is necessary to maintain a secure environment for all stakeholders.
Participating in public-private partnerships strengthens overall infrastructure protection efforts by leveraging collective expertise and resources from both governmental and private sectors. Understanding and mitigating potential legal liabilities is also essential, as failing to protect critical infrastructure adequately can lead to legal consequences. Proactive risk management and compliance measures are therefore vital.
Gartner predicts that by 2024, 75% of CEOs could face personal liability for cyber-physical security incidents (Gartner, 2023). Failure to adopt a proactive cybersecurity approach can place even top executives at risk. For instance, Timothy Brown, head of cybersecurity at SolarWinds, faced SEC charges for “deliberate misinformation about the company’s security vulnerabilities” (U.S. Securities and Exchange Commission, 2023). Similarly, the Federal Trade Commission (FTC) held James Rellas, CEO of Drizly, LLC, personally liable for the company’s inadequate information security practices (Federal Trade Commission, 2023).
Although we have not yet reached Gartner’s predicted figure, the forecast has prompted many organizations to prioritize cyber-physical security and invest in better protection measures. The cases of Brown and Rellas highlight the need for CEOs and CIOs to integrate security strategies encompassing both digital and physical infrastructure.
Cyber-physical security incidents impact both digital systems and physical infrastructure, often resulting in real-world consequences. These incidents occur where cybersecurity and physical security intersect, affecting both domains simultaneously. Cyber-physical incidents target critical infrastructure sectors, including commercial enterprises, energy facilities, transportation systems, healthcare institutions, and manufacturing plants. Unlike purely digital attacks, these incidents can cause physical harm, property damage, or environmental disasters.
Attack vectors for cyber-physical incidents are diverse, ranging from cyber domain attacks like hacking into building control systems to physical tampering with connected devices. The proliferation of Internet of Things (IoT) devices further complicates the landscape, increasing vulnerabilities that cyber-physical attacks can exploit. Regulatory bodies such as the SEC and FTC are imposing stricter guidelines, requiring building owners, managers, and operators to adopt integrated security approaches to address these multifaceted threats effectively (U.S. Securities and Exchange Commission, 2023; Federal Trade Commission, 2023).
The rise in attacks on building control systems—ranging from ransomware targeting OT to nation-state espionage—demonstrates the increasing sophistication and varied motivations of threat actors. Nation-states like Iran, Russia, China, and North Korea target critical infrastructure for financial gain, property damage, and physical harm. For example, a central plant was attacked in 2018, causing severe damage and resulting in a seven-day evacuation and three-month recovery period (Sky News, 2021).
In July 2021, Sky News reported the leak of documents detailing Iran’s offensive cyber research, which included plans to target critical infrastructure like water filtration and fuel supply systems (Sky News, 2021). Such nation-state attacks aim to gather intelligence, disrupt services, and gain strategic advantages.
The sophistication and resources of nation-state actors make them particularly dangerous. They often use advanced persistent threats (APTs), zero-day vulnerabilities, and complex multi-stage attacks to achieve their objectives. As OT systems become increasingly connected, the attack surface expands, making it essential for organizations to implement robust security measures to protect against these high-level threats.
The landscape of building control system cybersecurity has evolved significantly, transitioning from a niche concern to a critical priority for public and private sectors alike. The recent regulatory changes by the SEC and the designation of commercial facilities as critical infrastructure underscore the profound shift in how cybersecurity is approached within the building management domain. These developments highlight the increasing complexity of cybersecurity threats and the expanding scope of responsibilities for building owners and executives.
The evolving regulatory environment now places substantial emphasis on proactive measures, demanding that organizations fortify their defenses and ensure compliance with updated standards. As cyber-physical security incidents grow more sophisticated and pervasive, the potential for significant financial and reputational damage escalates. This reality is compounded by emerging trends such as heightened personal liability for CEOs and CIOs, reflecting a broader accountability for cybersecurity practices.
The onus is now on building owners and executives to adapt swiftly to these changes. Ignoring or underestimating the importance of robust cybersecurity measures can lead to severe consequences, including legal liabilities, operational disruptions, and significant costs. It is imperative for stakeholders to integrate comprehensive security strategies, invest in advanced technologies, and engage in continuous risk management to safeguard their assets and maintain operational resilience.
Ultimately, the evolving threat landscape and regulatory requirements make it clear: cybersecurity is no longer a peripheral concern but a central pillar of operational integrity and leadership accountability. The stakes are high, and proactive engagement is not just advisable—it is necessary to protect both the organization’s interests and the broader public safety.
This article appears in the State of Play publication on the CRE industry. The publication features articles on the State of The Medical Office World; the Reality of Cyber Threats and Your Liability: Cybersecurity Outlook for CRE; Looking Ahead to CRE’s Next Normal; The Sustainability Imperative: Practical Strategies for Office Buildings; and Elements of Economic Development.