Cybersecurity: The Gatekeeper to Value The concept of Facility IT mandates that information flows securely and easily between all elements of BAS, FM and IT.

Anto Budiardjo, Editor, New Deal Blog Contributing Editor

For the past three decades, the BAS industry has been steadily marching toward convergence with IT. One challenge many BAS companies have faced is how to maintain and grow their business in the midst of this process. Many, myself included, have opined that such convergence would lead to significant BAS advancements such as making buildings more efficient. Knowing BAS is a key component to improving occupant comfort, the inevitable convergence with IT is something building owners should see as a way to improve the performance and value of their core business.

On the technology front, IoT (Internet of Things) is driving down the cost of hardware; open source is democratizing software development, and communication technologies from 5G to WiFi are making connectivity cheap and ubiquitous. From a social perspective, we are all living super-connected lives with our smartphones as a must-have tool for both business and personal use. With that in mind, there is very little standing in the way of the BAS industry from leveraging this pervasive connectivity to achieve IT convergence and increase the value of what it offers.

In my December 2018 article, Cybersecurity and Facility IT, I laid out the rationale that, first, Facility IT is a useful framework in which to visualize the convergence between BAS, IT, and the oft-forgotten FM. The second rationale is that Facility IT cannot happen if the IT industry regards BAS as the pariah in the building or as a high cybersecurity risk. Despite valiant efforts by a number of companies to become more security-aware, the perceived attitude in BAS is that security is an afterthought--not a critical component. This has to change!

As many other industries have learned, information technology--the domain of IT--creates value by making complex systems more efficient and the assets they manage more productive. Consider supply chain management (SCM), the global automation systems and networks that manage the movement of goods across the world. Before the automation of SCM, we had trucks, ships, planes, cranes, forklifts, and other asset classes that had to be managed individually. As SCM exists now, we still have those exact same assets, but the difference is each asset class is significantly more productive, and the movement of goods is much more predictable, accurate and visible to businesses and consumers alike. Through SCM, information technology made those assets and their industries more valuable.

Facility IT is just like current day SCM; it’s a layer of information technology designed to make buildings and facilities more productive for their owners and consumers. For Facility IT to work, information needs to flow effortlessly across the various domains within buildings whether it stems from VAV boxes to cloud-based analytics databases or between an FM work order and the energy management system. The less friction in the flow of information (with access/security controls), the more Facility IT will maximize the performance of each component and improve the value of buildings.

[an error occurred while processing this directive]Imagine for a moment if cranes (critical to load/unload ships) were inherently risky from an information flow perspective, such that they cannot be part of SCM. In this scenario, the supply chain will track goods up to the port, but then the chain is broken since the cranes cannot inform the system it has loaded the goods in a certain part of the ship. The supply chain is no more!

The concept of Facility IT mandates that information flows securely and easily between all elements of BAS, FM and IT. This is where the BAS industry’s outcast status as a security risk is a major problem; for the BAS industry, this means that BAS companies will be excluded from the value that Facility IT promises.

A drumbeat that continues to rage in the BAS industry is the so-called IT-OT (Operational Technology, or the network separate from IT) debate. Many practitioners argue that the best approach to solving this problem is to separate IT networks from OT (BAS) networks. This is certainly a way for IT to bypass BAS’ insecurity, but it also removes the opportunity for the BAS industry to contribute to the value of Facility IT. This makes BAS the equivalent of the crane mentioned above--clearly outside of the value-creating space. Surely, this is not ideal!

The solution to this problem is to address the elephant in the room: Make BAS secure, and do this to the level now taken for granted by the IT community. We are already using many IT technologies and best practices. Now we have to take the next step in the cybersecurity area.

I don’t think the BAS industry wants to remain a pariah forever.