Cybersecurity and Safety in Construction Projects

A

Welcome to season three, episode seven of CMAA's Construction Leader podcast. In an era where digital connectivity is integral to every aspect of our lives, from smart buildings to interconnected construction machinery, the need for robust cybersecurity measures has never been more pressing. Yet the engineering and construction industry lags behind in implementing comprehensive cyber safety standards, leaving critical infrastructure vulnerability to cyber threats. Cyberattacks on construction projects pose many risks, from data breaches to sabotage of essential systems, from securing project data and safeguarding intellectual property to ensuring the safety and integrity of building structures. The stakes are high, and the time to act is not tomorrow. It's now. Today we'll hear from an industry expert, cybersecurity professional, retired Air Force veteran, and former White House official, Assistant Secretary, Secretary of Defense, and thought leader who is leading the charge to establish a standard of care for cybersecurity in engineering and construction. The Honorable Lucian Niemeyer is the CEO of Building Cybersecurity and will provide us with real world examples and explore the challenges, opportunities and implications of integrating cyber security into the fabric of construction practices. Welcome to the podcast, Lucian.

B

Hey, Nick's really glad to be here and really do appreciate CMMA allowing me the opportunity to talk about some of the pressing issues of the day.

A

Great. I want to dive right in because there's a lot to get through here today and start by saying that it seems there always a national headline about nation state cyber attacks or potential of cyber attacks on power, water, communications and automated equipment that requires a response from the construction industry. How real are these threats and what's the role of construction professionals as they look to help prevent these potential attacks?

B

Yeah, I appreciate that question and it is very timely for what has been in the headlines in the past six months or so. You're seeing a lot of national security leaders testify before Congress that we have a new type of threat, a threat directly to the public safety of our nation. And that really gets into what a nation state can do to the infrastructure that's all around us. We think about everything that's connected in our homes, in our cars, in our ports, in our infrastructure. And the concern here is not just nation states, but criminal actors are starting to see the lucrative return of actually threatening human safety, threatening lives. And that's why you have a lot of folks testifying about the need to proactively and aggressively pursue this threat in a way that we don't necessarily deny technology or not use it anymore, but just make sure it's protected, starting in the design process and all the way through how we manage these smart devices everywhere around us.

C

So, Lucien, we hear so much about information technology, but there's also operational technology. So can you explain the difference between the two to our listeners?

B

Yeah, Carly, thank you so much. And it really does boil down to what they call cyber physical systems is when a keyboard can actually control a physical action. Think about your car. 2,000 microchips in it, a lot of data flowing, not just within your car, but but to the car manufacturer. And in some cases, the car manufacturer can affect the performance of your car just through a keystroke. Same thing you have on your iPhone. With your iPhone, you can control your cameras in your house, you can control your heating and ventilation, air conditioning. You can control or see who's coming in and out. So we have the desire to want to have this convenience, but what really, what I'm focused on are the technologies that connect the cyber world with the physical world and how those could be exploited. Just think about anything that you have a chip in, it is ultimately going to be able to be connected to the Internet and when it could potentially be exploited to create an unsafe condition. That's my passion. That's my world. That's what I've been working on for the last seven years.

C

Yeah. And there's two sides to every coin. As you said, that folks are looking for that convenience, but in addition to the reward, there's also a risk associated with that. And you mentioned early the design process. Can you talk about what improvements need to be made in the relationships between designers and contractors and construction managers and what's needed to establish a cyber safety standard of care?

B

Yeah, this is one issue that I can't wait to be able to talk more with with the organization in October when we meet in San Francisco. But what I believe and what I've been pushing for is we need a new standard of care. The engineering profession has grown, and the reason why engineers are licensed is because they have a professional responsibility to maintain a standard of care for safety, whether it be a structural engineer, mechanical engineer, electrical engineer. They have to go through a rigorous process of education and then take a test and then be licensed to be able to carry out a standard of care. Currently, we don't have that for the virtual world, for the world of cyber threats, particularly in the physical environment. So my call and what I've been going around the nation talking about is we need to establish a specific engineering standard of care to protect the networks and the connected systems, what they call the backhaul networks within a building that connect all the Various technologies, fire controls, H vac, elevators, access. And we need to have an engineer that can take a look at that and engineer protections, starting with the first design charrette. What does the technology list need to look like? But what will the owner want to put in for technology into the building or structure? And this could be a car, this could be a plane, this could be anything that's built. But we'll focus on buildings. What does a owner want to put in there? How will that technology relate to the building systems? And then how does an engineer approach both and actually design with a standard of care to ensure that we have the sensors, the protections in place to really maintain occupant safety and continued operation of the building? That's really what I'm focused on as far as trying to get those questions asked in the very beginning of the design process and carried all the way through the life cycle of the building.

A

So what technologies, like starting with artificial intelligence and machine learning, should the construction industry be tracking?

B

Yeah, so there's a. There's a couple things. First of all, I strongly believe that machine learning and artificial intelligence is the future of design, particularly if you look at where you may ultimately be able to design a building using a digital twin. So it doesn't take a lot of imagination to realize that artificial intelligence can be trained to, to understand all building codes, to understand laws of phys physics, laws of hydraulics, and be able to assist an engineer and collaborate with an engineer. And how do you improve the operational efficiency, the structural integrity of any type of structure? So the goal here is not necessarily being afraid of AI, but realizing where that tool can enable an architect or an engineer to be able to move faster, to more efficiently and ultimately to potentially avoid those errors that just are human error that are made either in calculations or how designs are developed. And to be able to cover that. I see that growing. And then I also see artificial intelligence on the backside, being able to work within a digital twin to monitor a building so moderate for sustainability, moderate for cost efficiency, moderate for occupant experience, as well as monitor that building for cybersecurity. The technology is here today to allow artificial intelligence to be able to see, okay, there's a data anomaly in that H Vac system, or there's a power anomaly, or there's a vibration happening in an H Vac system, and that could be caused by something in that system about to go bad or some type of nefarious activity. That is what we need to embrace as we're looking forward to technologies. How Can AI machine learning ultimately allow us to have safer buildings at a faster pace and with more efficiency in the process?

C

So you did already mention digital twins, but can you elaborate on digital twins a little bit and let our listeners know what are they and why they're so critical role in the industry?

B

Yeah, sure thing. And look, we have grown up in the industry with cad, with BIM Computer Aided Design. So a digital twin is a virtual reproduction of a physical building or car or any a machine. And what a digital twin can do, it can allow you to design, model, simulate virtually without necessarily having to build something. But in the case of the building industry, I strongly believe for future construction that a digital twin should form the basis for the engineers to feed in their requirements, whether it be a structural, mechanical, electrical, they fit it into a virtual model so those engineers can see how that virtual model is living and breathing and then make variations to be able to refine their design. And then that digital twin, once it's refined and you have all the system inputs in and also you have the sensors, I believe in the future a digital twin will be able to tell a owner right away when there's been a major significant natural disaster, whether it be a hurricane or an earthquake. A digital twin will be able to say within minutes, okay, this structural member has deviated, or now you have a shift in loads. If you install the right set of sensors within a digital twin for the beginning, you can become much more aware of how your building is living and breathing and performing. For me, this has to be the future where starting with a clean slate, particularly greenfield development. What can a digital twin do beyond being a geospatial aid, but ultimately serving as the basis for design and then ultimately being passed over to the construction agent. As the construction agent is actually building the physical building, they can input into the digital twin what type of H VAC unit they installed and how does it deviate from the engineering specs. So you have a real time update to the twin of what's being installed, and then that twin serves as the basis for commissioning of that building, both building commissioning and cyber commissioning, to allow to form a baseline for performance. Then the owner can start tracking the life cycle of the building for deviations. So that twink can perform four different functions. And to me, it is the future of building design and construction and operations that you'll be able to see this virtually what is happening in your building, who's coming in? You can control access, you can control wellness, you can control performance factors, light and H Vac all or Monitor it and control it virtually. That, to me is the future and that's what I've been working on.

A

So, speaking of the building, I feel like I can't buy any product nowadays that doesn't connect to WI Fi or the Internet. And more building systems are being connected to the Internet and reducing operation costs and improving both efficiency and sustainability. But what are the risks and rewards to being connected?

B

So the risks are that there are millions of new devices connected to the Internet every day, and every one of them potentially poses a vector for exploitation or nefarious activity. And so that risk has to be recognized. I don't think we are, I'm not sure. People, when they put smart devices in their home, I'm not sure they do understand or realize that there might be a risk there. Insurance companies do, but most folks don't. Same with their car. You buy a modern car these days, you cannot escape the fact that that car is connected to the manufacturer. And it's not just Tesla, it's all manufacturers. And they have a requirement to update the software in your car, but they also have the ability potentially to use an industry term, to brick your car to make it inoperable if you're behind in payments or something like that. So it's tough for us to escape technology. We can try. There's a lot of folks who try to not have these devices in their home, but it's going to get to a point where it is difficult to find a TV that's not smart or find a car that's not connected. But as opposed to trying to running away from it, the goal is how do we understand that there is a safety issue here that we have to address very deliberately, that we ultimately need both standards and policy to offer a consumer, okay, yes, I'm going to buy this smart car, but when do I get a dashboard light option? When do I have the ability to know there's a data anomaly in my car, I need to pull over? Those are the types of things that we need to be pushing for. It's not, sorry to get away from the connectedness of society or to try to keep firewalls and air gaps, which are those were at one point the adequate level of protection, but that's 15 years ago. We're moving more towards a converged IT OT world where you do need to have some type of standards to how do you design cyber safety, which is a term that I'm using more and more. Cyber safety, and more importantly, maintain it, monitor it, and maintain it over the life cycle. Of an asset. So the goal is really can't get away from technology connectedness. How do you ultimately use it to our advantage? Because connected technologies can do a great deal of good for us. But ultimately, how do we make sure we're implementing protections along the way?

A

Thanks. I don't think I'm going to sleep well tonight now thinking about my car. But I appreciate process.

B

I haven't slept well for seven years, ever since I spent a lot of time when I was at the Department of Defense, I spent a lot of time with the National Security Agency. And when I ultimately realized what can happen to us, yeah, we have to get after this. And I've made that my passion with my nonprofit since I left federal service. But you're right, it can be a little daunting sometimes to think about it.

C

So in order to help put some protections in place, you advocate for the need for construction managers to perform a cyber commissioning for systems in addition to building commissioning prior to opening a new or renovated facility. What's the difference between those?

B

Thank you so much, Carly, for that question, because I'm really advocating for this has to be the part of future construction activities. So we have a long history in the industry of what they call a building commissioning. At the end of construction, you do a check of all the building systems, the H VAC systems, the lighting, the fire controls, and you should, by theory, maintain a commissioning program through the life cycle of the building so that the H Vac at year one or two or three is performing like it was supposed to perform. I mean, you don't have deviations from that where everyone's using a space heater or a mini air conditioner under their desk because it hasn't been commissioned or balanced in years. So a building commissioning program to me is a must for maintaining sustainable, efficient building. Aside from that, you also now have connectedness between all these systems. Your fire controls are connected to your H vac, you've got remote access. A lot of times modern buildings are being maintained remotely through third party service providers. You have a need to say, okay, I want to be able to control my H Vac off my phone. I want to be able to do all these things, but I also want to make sure I'm not creating risk. So a cyber commissioning would be a separate team as an owner rep coming in and checking the configurations for all the systems in the building so there are no default passwords or there are no unknown access points digitally that the owner's not aware of. So I do believe this is a growing trend in the industry that we need a cyber commissioning. It's not a lot of money. We're starting to do those for real estate owners through our nonprofit, but be able to come in and do a quick check of all the systems to ensure they're configured. Now, my goal eventually is to identify those requirements at the beginning of the design as a construction agent is selecting products and working with vendors to put in the products. They are being given instructions as they're installing the products, how to configure them. We're not quite there yet, but the goal is to have that be part of design instructions and then have a commissioning confirm that the building systems were installed and are operating like they were designed, particularly if there was thoughtful care given to, okay, how do we protect the cybersecurity of these systems? That's working as well. So really, the intent is to do a virtual check, not just a physical check, of how the systems in the building are going to work before the building is occupied.

A

I think that makes a lot of sense. I think I can think of a. A couple airplane builders right now that probably need to do some kind of system check like that as well. But earlier you said. And I caught it, and I read it on your website before the call, and you said that Building Cybersecurity.org is a nonprofit, which was surprising to me. That's great. But how is it contributing to the establishment of industry standards in cyber security and safety?

B

So, first of all, a couple things. I can't tell you how much I've been beat up by my board, that we're a nonprofit because we've got something of significant value. So what? This nonprofit was formed about three years ago, and the intent was, hey, there are a lot of standards out there for cybersecurity. Cybersecurity is a huge word. When you talk to the commercial real estate industry and the building industry and you start showing them the complexity of cyber security, they have a tendency to glaze over and say, hey, I can't even think about this. As a matter of fact, I'm not really happy you told me about it, because now we have a responsibility to do something about it. So we as an organization decided we needed to take some of the national standards that are out there and global standards that are out there for the protection of, say, H VAC systems or products like that. And we needed to make it necessarily dumb it down, but make it easy enough for a building owner or a owner of a factory or owner of a stadium to say, hey, I can do These things. So that is really what we've endeavored. We've spent a solid two years researching and checking all the standards of the world, talking to all the major manufacturers of the world. A lot of them are actually members of our nonprofit. And the reason why we're a non profit is we needed a competitors to share ideas. And you can't do that in a for profit environment. You need to have competitors say, I want to come to the table, I want to do something good for society. And this is not necessarily for them, this is for all of us. This is for human safety, this is for our kids and grandkids. I want to contribute my expertise, I want to create an industry standard. So therefore, as we're designing, as we're constructing, as we're operating, we know that here's the industry standard, here's what industry says needs to be the protection levels. And we don't do a yes or no. It's not like this is an underwriter's lab where we're saying that appliance is electrically safe or unsafe. We're saying, okay, given your risk, we have levels of cybersecurity that you can maintain for your building based on your tenant risk, based on what your insurance company is telling you. You can have these levels and you can aspire and each one requires a little bit more investment. But the goal here is to give, you know, a sensible, practical, easy to use assessment tool and certification tool built around a framework, which is what we've done over the last two years, and to be able to use that for commissioning, use that for initial design. And we have a lot of our members are engineering and architectural firms who say, hey, we want to adopt the BCS building cybersecurity BCS framework. And we actually want to bring it to our clients in the design process and saying, here's what the industry is saying needs to be done. And the goal here is to build these standards for more industries, the water industry, the transportation industry. But right now we're really at a point of maturity only with our facility framework. And again, if you go back and look at some of the famous attacks, Colonial Pipeline, Target, there's been some other utility attacks. We're paying lawyers for 10 years to decide, okay, whose responsibility it was. And there's an understanding that there's really not industry standards that people can point to, say, okay, this is the authoritative source. So that's our goal. What can we do that's practical, that's a performance framework. In other words, it's not just like Lee You're a one and done. But it's a continuous process. How do you maintain this rating every day? And then ultimately, how can you do it at a cost that's affordable, where you're not a building owner, operators or managers saying, I can't do this. So that's our goal with the nonprofit, is to translate these standards in a way that can be used.

A

Speaking of use, let's just. You have the floor now, so I want you to be able to promote it a little bit. But also, how do you foresee the certification being used around the industry? Do you see this being something that's being put on RFIs and RFQs? So tell us a little bit about the certification program and how you perceive it being used.

B

Yeah, so I don't necessarily see it as a plaque on the wall. As a matter of fact, I think that plaque on the wall is counterproductive because once you have that plaque, you don't ever do anything. You just took out. That plaque on the wall never goes away. So the certification really is going to be between a real estate owner, operator, manager, and their insurance company. When you look at what's happening right now in the world of ot, remember, I'm talking physical safety potential for property damage or loss of life. It's a property and casualty concern, not necessarily a cyber insurance concern. As the insurance industry is grappling with the increased threat to ot, they're going to be very welcoming and rewarding of those entities to say, hey, I've done taken proactive steps to not only start the journey, but I'm maintaining the journey and just continuous monitoring that allows me to have a level of protection and safety that somebody else doesn't have. So we see in my nonprofit, and we're aligned with aon, largest insurance broker in the world, we see the connection between property and casualty risk. And these are the policies that you have in your home and in your car and the need to mitigate that threat through investments and protections. A perfect example, when you or I buy our homeowner's policy for any home we're owning or renting, the question on the questionnaire is, okay, do you have a physical security system? And most of us, like me, you look at your dog and you're like, check, I got a physical security system. And then you get a discount for your homeowner's insurance policy, or if you're a good driver, you get a discount for your car insurance. So it's a similar concept that if you invest in human safety protections, virtual protections, that you should get a discount on your insurance. So we see that being the key to certification. And building owners is going to want to get certified, is going to want to be certified to a certain level, bronze, silver, gold or platinum, and then be able to show their insurer hey, where we've taken these steps. And the goal eventually is to get a return on investment for those investments by having a lower rate for property casualty.

C

Lucia and I think we have time for just one last question. And as we've mentioned, this is obviously an urgent national threat that we've been talking about today. What are the next steps to help address this threat?

B

Yeah, this is a key point. And so it goes back to everything I've talked about, the need for a engineering standard of care. The Department of Energy put out a cyber informed engineering strategy a couple of years and it's not really resonating in the industry. We definitely need to have a embracing of a national imperative for a cyber standard of care that runs across the journey profession and that can apply to anything critical infrastructure, buildings, anything. But we have to know what that is. And then the second thing is we have to employ it. We have to incorporate into our design process and all the way through our construction process. This can no longer be an optional. Cybersecurity is an optional program. For a lot of companies. Cyber safety has to be mandatory. So we've got to change that mindset. And then once we realize, okay, it's a safety issue, what do I need to do to maintain building or infrastructure safety through its life cycle? Now you're going to see more investments coming in because a CEO has a fiduciary responsibility to maintain the safety of what they're running. And that now it's no longer should I pay for cybersecurity, Should I take a risk? Should I transfer that risk to an insurance policy now? No, it's safety. I have to pay for it. So that's really what I think needs to happen is an acknowledgment that this is a threats real. It's not just data and software, it's actually property and lives are at risk. And then ultimately how do we address that? That is what I've been working on. And we're starting to see some traction. We're starting to see even nations leaders talk about human safety, public safety, citizen safety. And that drives a different type of conversation that I think we do definitely need in this country and around the world.

C

Thank you so much for joining the podcast today, Lucien. Even though we might lose a little sleep for those listening might lose a little sleep tonight, but it's an important topic. So we appreciate you coming on the podcast to talk about it.

B

Yeah, very much. And look, I love the fact that CMMA wants to take this on. Really look forward to seeing everybody here later in the year at the conference in San Francisco. And I really believe that this is a subject that I would want to discuss more with anybody that wants to listen. So anybody wants to get a hold of me, I'm@Lucian buildingcybersecurity.org or you can go around the website. We have a free checklist on the website that start your journey into seeing whether how you know what your risk is and what you need to do. Please just get involved. If this if my words inspire you, we do have free tools available to get started.

C

Lucien thanks again for joining the podcast today and for anyone who's interested in learning more about this initiative, they can visit buildingcybersecurity.org I know we talked briefly about AI today, but on the next episode of the Construction Leaders Podcast will be joined by members of CMAA's Technology Subcommittee to take a deeper dive into AI and its many uses in construction management. As always, make sure to download or subscribe to the podcast and follow us on social media maahq. Also, don't forget to leave us a review with your thoughts on today's episode, and please let us know what you'd like to hear in an upcoming episode. On behalf of cmaa, I'm Carly Trout with Nick Soto. Thanks for listening.