In the last issue, BCxA President Lean interviewed Min Kyriannis, Managing Director of EMDesign and JMK Grp (EMD|JMK). This week, we spoke with Wanda Lenkewich, President, and Matt Steeves, CISSP, CEH, CEM, DGCP, CxA, Program Manager, about how the market/business, technical and professional success of Chinook Systems’ Cyber Commissioning program has evolved.
Remember that Target Stores breach in 2013? Hackers gained access to Target's network with a username and password stolen from an HVAC company that remotely monitored energy consumption and temperatures at Target stores. Undetected, hackers uploaded and distributed malware programs across the company's huge cash register system.
Infiltration of building systems ranges from hacking a connected home camera to sabotaging a nuclear enrichment plant, and for a multitude of reasons —profit, espionage, hostility, spite, fun —or even by accident.
Thus: the nexus between facility systems cybersecurity and building commissioning or, as coined and trademarked by BCxA member Chinook Systems, Inc., as “CyberCx™”.
Chinook, a woman-owned business, is at the forefront of cybersecurity for industrial and facility-related control systems, commonly referred to as Operational Technology (OT) and was first to offer a fully integrated Cyber Commissioning (CyberCxTM) practice.
With a strong history in building commissioning and critical infrastructure solutions, Chinook stepped into the breach, as it were, to embrace cybersecurity as an aspect of commissioning services for government and private sector clients.
“About 5 years ago, we realized the need to prepare for industry growth, a subject that is now taking hold,” says Lenkewich. “CyberCx has turned a corner in the last couple of years. We created an internal team to serve new construction and existing buildings, developed and hired controls expertise to address the combined cyber vulnerabilities resulting from the convergence of information technology and operational technology (IT/OT). It was clear that there was no real understanding of cyber threats and IT/OT scope among facility operations people. Their focus and experience are not typically on the networks and cannot be compared; it’s completely different. Cyber involves a broad scope and interconnections to multiple control systems.”
Market/Business
What led you to specialize or incorporate CyberCx in your own work?
We found that the commissioning industry was focusing so much on energy efficiency, but not so much on security. We wanted facility managers to make decisions about their equipment and controls systems taking security into consideration. In buildings there is so much aging infrastructure needing to be upgraded or replaced — as we were understanding how big this problem was, we wanted to get to the forefront to solve the problems and provide training, expertise and guidance in how to strengthen the security posture and reduce the attack surface of our buildings. It was a natural progression for us. We wanted to know what the skills needed to be, in order to offer more to owners. As Chinook got into doing verification of secure systems for design/build, facility upgrades and replacements, especially for the Department of Defense (DoD), we needed to secure our own infrastructure, integrating Cyber and security controls into both our own company and our services.
What drivers were you seeing that led to that move?
A significant increase in malicious hacking and its impact on the physical environment such as power distribution systems; OT can link IT to the physical world. There were also accidental events, such as the download of unsecure patches. Of course, the building automation systems in both new and existing buildings were increasingly interconnected with IT systems. Where IT systems typically focus on the “confidentiality” of business information, the OT systems focus on needing to have “availability” of controls, to ensure ongoing building operations.
OT is easier to hack than IT – controls systems are designed to meet performance, reliability and safety requirements, typically lack cybersecurity and generally not monitored like IT systems, even using monitoring tools, as in MBCx. Continuous monitoring of building systems is focused on system performance and not cybersecurity which monitors the network for vulnerabilities and malicious traffic. The ease of hacking and lack of monitoring, combined with the interconnection between business and building control systems, can be an attractive potential target.
Who hires the CyberCx provider?
According to Lenkewich, “It kind of falls, like Cx, where you can be hired by anyone at any stage. We’re seeing it as a mandate on some federal side projects. In federal projects, the responsibility for hiring often gets put on the controls contractor as the Cyber Unified Facility Guide Specifications (UFGS) are included under Division 25, but controls contractors have no authority over data for things like fire alarms and elevators and specialty systems. The GC usually hires, but increasingly the case is to be hired in design. We have also been hired to write specifications for design firms, and we provide guidance. It’s often referred to as Risk Assessment when hired by the owner for existing buildings.”
What market sectors and building types do you work with most?
As more people are getting into the industry, we’re definitely seeing this as a market growth area. Chinook serves both new construction and existing building projects (although CyberCx is most often one piece in a larger EBCx project). We support high priority projects for military and private sector markets; currently performing services in 10 of the 16 Department of Homeland Security (DHS) critical infrastructure sectors. Our goal is to assess, quantify, prioritize, and reduce risk; Our role can range from assessment only, to an end to end process of designing, implementing and verifying security controls to achieve control systems authority to operate (ATO), to helping clients to develop policies and procedures to launch and sustain their cyber programs.
Government/Military Sector. We have provided life-cycle facilities engineering services to the Department of Defense, GSA, USACE, and others for more than 20 years. Last December, Lenkewich joined Daryl Haegley, Director of Mission Assurance & Cyber Deterrence for the DoD, to deliver “Cyber Awareness for Facilities Personnel,” a live 30-minute webinar on Cybersecurity for Facility Related Controls Systems (FRCS).
According to a recent article in Computerworld, “The average U.S. hospital manages over 19,300 of [connected] devices simultaneously. The proprietary nature of these devices means most health systems are unable to see which clinical or medical devices are connected to their networks, where these devices are located, and how they’re being operated.”
Private Commercial Sector. Healthcare facilities are critical right now, and Chinook also works in other areas such as transportation and data centers. The commercial sector is behind, but is starting to recognize the need for CyberCx. Commercial owners are more concerned than the Department of Defense about the business decision – i.e., the quantification and ROI of implementation and/or critical systems risk reduction, especially in healthcare facilities. At the same time, they are slowly making the move toward recognizing the potential cost of hacking exploits.
Are solicitations for CyberCx increasing? What’s changing? 
We coined the term in 2015 with the thought that we would be creating CyberCx processes correlated with traditional Cx. Today, we’re still being asked for separate proposals on the same project. We try to encourage owners to solicit concurrent activity, but most CxPs don’t meet the specification requirements inclusive of the training, certifications, and experience. When we respond to an RFP, we identify added value services...we’re seeing the words starting to come into the industry, but not yet embraced. It makes sense that industry will get there eventually, because CxPs often have strong controls backgrounds and aptitude for the work.
Additional IT and OT systems, and the increase in remote work have caused cyber to be discussed in work policies. Remote access can lead to numerous vulnerabilities. Building operations staff who participate in implementing CyberCx policies need to be considered mission essential personnel and be properly trained in a framework that spans from identification to recovery of a cyber incident.
How do CyberCx contracts differ from “traditional” Cx contracts?
We’re seeing, on the business side, that different levels of insurance are required. We carry our own cybersecurity insurance. As a Government Contractor, Chinook needs to internally comply with Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) requirements. We maintain a higher level of internal security controls and cyber insurance, which is tied to our contracts – traditional Cx contracts wouldn’t reference internal controls, and there are different terms and conditions.
Technical and Professional
CyberCx Knowledge, Skills and Abilities
It has taken us long time to build the unicorn – you have to have a combination of engineering/facilities people and IT people. We studied and blended the knowledge, skills and abilities that are features of both, because CyberCx requires the ability to speak both languages. You can’t buy it off the shelf. At Chinook, our technology, building automation, and facility engineering people also have a passion for the controls network architectures and IT. We’ve tried to do it the other way around, training IT professionals to incorporate facility knowledge and skills, but that is not easy. CISSP certification, GICSP certification are highly recommended for interested professionals.
Implementation: CyberCx Facility Related Control Systems (FRCS)
New Construction. Although more straightforward than in existing buildings, implementation means you have to establish roles and responsibilities in a whole new group of internal (and sometimes external) stakeholders. In design for new construction, there’s much more focus on the network; usually left to a controls contractor. Much of the time, there is no current or knowledgeable assigned system owner for OT systems, and no familiarity with the IT side. This is steadily becoming more complex with the specification of Integrated Facility Management Systems (IFMS).
Existing Buildings. There are existing and likely unrecognized vulnerabilities in existing buildings due to legacy controls systems with proprietary and embedded operating systems; unsecured servers, laptops, and devices. We tend to see the same types of unmanaged systems over and over in projects —networked devices that were not connected before; wireless routers, missing patches; inconsistent account management; non-secured remote access; no active network monitoring.
The number of stakeholders increases significantly for existing building CyberCx. For example, we may work with a loss prevention department to secure their security and access control systems, or an event manager to secure their AV systems, or a warehouse manager to secure their overhead crane; where typically we wouldn’t work with such an expanded group of stakeholders. In addition, quantifying risk is more challenging for existing systems, as risk has gone unmanaged for numerous years.
According to Steeves, it takes a systematic process to peel the onion, starting with educating stakeholders who may not understand how the process and the technology work for OT systems. It’s a critical and challenging training exercise to help them grasp what it is, why it’s important, and what to do; and in most cases, it is the first time IT and OT staff are in the same room together.
As stakeholders become more knowledgeable in cybersecurity, their programs will continue to evolve and mature, and they will gain the ability to identify and quantify risk. It is anticipated that as risk mitigation strategies are developed, they will be implemented and incorporated into the clients’ commissioning programs and building operations in order to actively manage the residual risk associated with OT systems on an ongoing basis.
Stay tuned for future Checklist content and resources for CyberCx™ as a growing profession!