Last reviewed 15 January 2018

Alan Field explains how information security concerns can impact the facilities management professional and how awareness of this can be used to minimise the risks of data leaks and day-to-day service disruption due to malicious contractors accessing key equipment such as building management systems (BMS).

Riding into Dodge City

Information security risks relate to everybody and every organisation. There is no immunity to either planned or totally random attacks or other compromises of sensitive data whether in electronic or hard copy records. The threat can come from both within a working environment or from the far side of the world so can impact a facilities manager’s own organisation and that of their clients and contractors.

In addition, there are a few areas where the facilities management sector can be particularly exposed and these risks need to be understood.

Information security implies a wider concept than cyber security. In other words, where hard copy records are still maintained these can present data security risks. Compared to some sectors, facilities management can still be paper heavy, eg waste transfer notes and log books. Where paper records exist, any risks of data breach should be fully considered; it is not just cyberattacks that can lead to data leaks.

The virtual world is still something of a Wild West both with opportunities to develop and, unfortunately, predators to deter. Yet cyber risks are more than just virtual. For example, fibre gateways into buildings and, indeed, any physical telecommunications outside the perimeter of a building could be physically tampered with, with the aim of extracting or otherwise diverting data. Sometimes this may arise because of the tenants within a building presenting a higher risk, eg Government agencies or financial services. However, the targeting could also be more random.

There are several proprietary software tools that will help identify if physical tampering is happening and, of course, there are the normal physical security controls that can minimise the risk still further, eg periodic visual examination of the gateway infrastructure and strict access controls to the communications room(s) itself. The key point is to, first, recognise there can be a physical tampering risk.

There are human factor risks. For example, there may be deliberate or accidental sharing of passwords or circumventing other access credentials to information technology (IT) systems — both with internal staff and third parties. Third party access to credentials may be an issue with, say, a contact or processing centre where staff are comparatively poorly paid and may not always have a high degree of motivation, so the risk of passwords even being sold can be a real one.

Cyber security — be it human factors or other risks — applies to all level of management in a shared workplace, which is typically a facilities management professional’s environment. Where shared service arrangements operate, there should be — at the very least — clear contractual commitments (possibly even with penalties) between contractors and clients where one and other access IT platforms that belong to one and other. Ideally, where a facilities management professional has access to client IT systems there should be a virtual separation between these and other organisations’ IT platforms. This will prevent one compromised system infecting another. There has been at least one large data breach which occurred due to lack of controls from a contractor’s access into its client’s network.

This risk also applies to hard copy records, eg does the facilities management professional have access to client’s records and might some of these be considered confidential by the client? In other words, looking at all of those who have access to data — and not just one’s own employees — is essential. Never assume someone else’s information security is better than one’s own organisation. It simply might not be the case.

More than just data mining

Not all cyber risks relate to data mining. For example, BMS systems that require internet access for updates or have an element of web-based functionality could all be prone to cyberattacks. These attacks will often be entirely malicious — in other words to simply shut the system down, perhaps through corrupting the firmware program (to take over remote operation of that function or send disruptive instructions to another part of the IT platform). Or the attackers might aim be input a program that will, later, shut elements of the program or make it otherwise malfunction (sometimes described as “zero days” attacks).

The so-called internet of things (IoT) — where many everyday objects have internet connectivity — will present cyber vulnerabilities. For example, some simple firmware programmes may have been designed before modern cyber security controls were considered. If this firmware could enable connectivity with more complex programmes within a range of networked devices (eg a BMS) then — through the back door — many cyber vulnerabilities might be exacerbated.

This could already apply, particularly if the BMS has wireless devices (eg sensors, cameras, etc) which interacts with the main BMS programmes. This means the cyber risks of the entire BMS, ie all devices connected to it, need to be understood to see if any controls are necessary — it may be that the risks have been fully addressed at design stage but again, assumptions should not be made.

The facilities management professional’s own company’s intranet (eg to process or pass reporting information) may also lead to unplanned vulnerabilities. In other words, a BMS can present many cyber risks both operational and data security based. These need to be understood.

However, before a risk assessment is undertaken, an early question to ask is this. How far is the effective operation of the BMS dependent on internet access and wireless technologies? Remember “effective” can mean different things to different clients. To some, this would mean the key building services — to others it would also include the reporting functions that most modern BMS provide. Once local priorities are understood then either the design of the BMS or the applications themselves can be considered from a cyber security aspect, eg this might mean less dependence on wireless applications or, more likely, other countermeasures such as improved firewalls and advanced protections against malware might be cost-effective solutions.

Resiliency should be considered. If a successful cyberattack did take place, how would services be delivered if, say, the BMS was compromised? This may be dependant not just on client expectations but on what, for example, a BMS controls in the built environment. For example, if the BMS controls a complex HVAC and fire protection systems within a shopping centre then this is more of a critical issue than, say, a simpler BMS where manual interventions and control of devices might be a viable option.

As with all resiliency, one key issue is understanding both criticality of services and what fixes or workarounds might be possible. Where these seem impractical then alternative or parallel IT systems configurations to support the critical functions of the BMS might need to be considered at design stage.


Information security is more than just a corporate risk or something that is somebody else’s problem. Equally, information security is more than just about data breaches. Any functional device connected to the internet could be at risk from a cyberattack and, some would argue, even from malicious tampering at the manufacturing stage of the device’s chips or firmware configurations. As with all risk, these vulnerabilities need to be quantified and then responded to in a proportionate way — but certainly not ignored.