Who’s in charge of ‘smart’ building?

by Mark Rowe

Our feature on the connected and smart building in the February print magazine prompted consultant James Willison to write, asking: who’s in charge of the ‘smart’ building?

I think this is a really important question to ask and so thank you so much for identifying this issue in the new IET/CPNI document “Resilience and Cyber Security of Technology in the Built Environment”. Your article clearly shows the dependence of Building Management Systems on Cyber Security, and the IET has detailed many of the risks which will need to be managed as new intelligent buildings increase. There are many fascinating examples in this paper which anyone involved in the future of physical security should really be taking notice of: the issue, for example, of the integration of Corporate email and room bookings with the Heating and Air Conditioning systems.

So what is the answer to the question? The author, Hugh Boyes, outlines how IT is responsible for data and the accountability of business owners for resilience. It does however become difficult as these areas ‘blur’, and so what he emphasizes is a ‘shared responsibility across culturally and technically different teams’ (p10). This is crucial in ‘maintaining resilience and cyber security. It should be a multi-disciplinary team effort involving teams managing building and corporate IT systems’ (p35). It’s all very well to have this approach after or even during an incident, but why wait? An effective strategy is required.

This is what we have called, for many years, security convergence. There are three layers. First, the technological convergence which we see all around us now; then the cross-functional teams; and at the top the converged CISO/CSO leader(s) who manage(s) this. We have witnessed that organizations can apply aspects of convergence. The question of who is in charge is not an easy one. Why? It is perhaps because few are qualified to oversee all these risks and many are reluctant to establish these multi-disciplinary teams. I wonder how many actually exist? I am aware of one or two, but then some successful cyber attacks on buildings may force organisations to follow the advice of the ANSI/ASIS PAP 2012 Standard, which says:

“In order to understand the shared risk environment, the organization should consider:

a) A common basis for risk ownership and accountability;
b) An integrated risk assessment and harmonized treatment strategy;
c) Common lines of communications and reporting for assessing and managing risk in a cross-disciplinary and cross-functional fashion; and
d) Establishing cross-disciplinary and cross-functional teams to achieve a coordinated pre-emptive and response structure.” (xiv).

About James Willison

The writer is a member of the Security Institute, founder of Unified Security Ltd, and vice-chair of the security management body ASIS’ European Convergence/ESRM committee. Visit www.unifiedsecurity.net

© 2024 Professional Security Magazine. All rights reserved.