EMAIL INTERVIEW – Tom Shircliff and Rob Murchison and Ken Sinclair

Tom Shircliff and Rob Murchison are co-founders and principles of Intelligent Buildings, LLC a Smart Real Estate professional services company that provides planning and implementation management of next generation strategy for new building projects, existing portfolio optimization and smart community development.

Sinclair:  Guys, it was a packed Realcomm/IBcon this year, and I am told it was the largest one ever in both attendance and exhibiting. I saw your conference live interview HERE where you guys had a take on the conference and also a new approach to cybersecurity.

Shircliff and Murchison:  Thanks Ken, and yes, it was larger than in the past, and we have been tracking the interest in smart buildings from both building executives and solution providers. Taken in reverse order, the exhibiting numbers shows us there is now a “critical mass” in smart building solutions that we did not have even 5 years ago.

Sinclair:  So, what does that mean to the average building owner or real estate executive?

Shircliff and Murchison:  We say its really good news, and we have adjusted our consulting practices to that reality. Because there is so much technology you simply cannot have a “systems and features” conversation because that will never stop and you also have to ask your self - to what end? But the silver lining here is that as a real estate executive you can now talk in real estate terms not tech terms.

Sinclair:  What do you mean by that?

Shircliff and Murchison:  We mean that we start with conversations about real estate use cases and real estate outcomes and not technology. The technology is there, and so we flip the script and help owners talk about what they want to happen and then let the technology satisfy the use case - not take a system or solution and say “what can we do with it?”. So this is a great time for real estate people to talk about smart building in their terms and not in techie, smart building terms.

Sinclair:  I see. Well, it has never been that way, and I am sure there is some relief to those non-technical executives. What about the next phase of cybersecurity you talked about? It was such a dominant topic at Realcomm/IBcon this year that I felt like we were just scratching the surface in the industry?

Shircliff and Murchison:  You make a good point. We are surely not saying the industry has made very much progress in cybersecurity, but rather we want those who are working on assessments, policy and remediation to consider “day 2”. In other words there are some that are ahead of the curve in seeing their vulnerabilities and developing a plan - however, there are very few who are considering how to consistently keep an eye on policy compliance in a continual way.

Sinclair:  You mean like auditing or monitoring?

Shircliff and Murchison:  Yes. It's simpler than it sounds and not as intense as the traditional IT approach. We mean if you create a policy for your vendors, you need a systemic, consistent way to audit and monitor compliance or you end up with a swiss cheese approach, but with more holes than cheese.

Sinclair:  That makes sense, but it seems the industry as a whole is just getting started and far from that phase.

Shircliff and Murchison:  You are correct, and we don’t want to skip too far ahead in getting the right message out to your readers and the industry. The first step has to be risk assessments and in some cases, a form of inventory. Since OT cybersecurity has been an orphan topic caught between IT and FM, nobody has had responsibility historically. It sounds simple but documenting what systems are there, how they are connected and configured, who connected and configured them and objectively rating the risk gives you a gap analysis and road map on what to do to plug the holes.

Sinclair:  Is it primarily an IT of FM problem and who should lead?

Shircliff and Murchison:  It really depends on the organization. There is always an IT aspect to this, but we have found the larger issue is in the category of vendor risk management (VRM). As we noted in the Conference Live interview if you have 100 buildings, you might have upwards of 1,000 control systems and hundreds of contractors. That fragmentation makes for great inconsistency in what is happening today and how you measure against your policy going forward.

[an error occurred while processing this directive] Sinclair:  I have heard some say that this is not an urgent issue because we don't see any problems or events. What do you say to that?

Shircliff and Murchison:  The reason they are saying that is because usually building cybersecurity issues don't involve personal information and is therefore not reported publicly. We know first-hand from our customers that this is happening with increasing frequency. We have seen ransomware, malware and other hacking impacts as well as significant operational interruption due to contractor system configuration problems. In other words, simple or no passwords, super users, and out-of-date software or firmware. This again underscores that vendor risk management is a major subset of OT cybersecurity.

Sinclair:  What does this say about vendors and contractors?

Shircliff and Murchison:  Well, we want to be clear, that this is not “their fault” since there are usually few or no requirements from the building owners and managers. There are also many high-quality contractors that are doing a great job on this which bodes very well for them as this becomes a requirement for building owners. However, even when contractors are doing well on this it's usually not the same as their peer contractors which is still a VRM issue since the customer can’t look at things the same way across a building or a portfolio. You don't often see the same contractor managing the BAS and the elevator and parking systems, so there is still a need to level set on standards and measurement.

Sinclair:  OK. That makes sense. We will all keep watching this closely as the industry wrestles with cybersecurity in our building systems.