Resilience and Cybersecurity: Putting Theory into Practice, Part 2

In part 1 of this series, I discussed how the seamless integration of digital technologies has increased the cybersecurity risk of building controls systems. Yet, by analyzing the adaptive capacity of building systems, managers can pinpoint vulnerable areas within an organization, determine what’s at stake, and address risk-prone infrastructure. Once this initial assessment has been made, the next step toward building cybersecurity and resilience is to determine a best solution for protecting those assets.

The failures of most cybersecurity projects today result from the application of a one size fits all ideology, which treats every building as if it’s the same. It doesn’t require complex theorization to understand that what works in one context may not work in another. In other words, cybersecurity for retail buildings and cybersecurity for banks cannot be treated as identical systems. Each building system entails a different set of considerations, from securing the network to training employees. The flexible resilience approach offers a framework for determining best solutions that is at once both useful in broad application and sensitive to the intricacies of building system dynamics.

Contextualizing the Approach

The resilience approach emphasizes the importance of experimentation and the ability for a system to test its structural foundation without losing its integrity. Applying this concept to cybersecurity means building automation systems must remain adaptable. This is done by providing a secure environment for experimenting with security breaches so that control systems can quickly learn how to identify and eliminate nonstandard threats. As building managers attempt to adapt practices better suited to their facility context, having the capacity to experiment is crucial for adopting best practices as this will contribute to the success and sustainability of those methods.

Okay, but How Does This Lead to Asset Protection?

Cybersecurity boils down to risk management and how much a company is willing to risk—which has less to do with compliance and more to do with understanding operational risk. The ability to safely test an organization’s subjective risk threshold and then apply those learned lessons, ultimately bolsters security, reduces remediation efforts, and increases asset protection. To conduct these tests, some businesses hire white hat security experts to ethically hack their own information systems.

These comprehensive evaluations are useful for exposing weak entry points and determining which assets are most vulnerable. Hawaiian Electric Company and Kauai Island Utility Cooperative, for instance, are working with the FBI and US Department of Homeland Security to keep their defense systems up to date through similar resilience-based tactics. Managers at the companies state that they constantly bring in outside companies to conduct penetration testings to locate areas of weakness or vulnerabilities. These methods are helping to harden operational systems and protect critical infrastructure through constant threat monitoring.