Here’s how your building can meet the updated NIS 2 cybersecurity directive

Modern buildings are increasingly reliant on networked systems and digital technologies. While this brings more efficient operations, it may also introduce vulnerability to disruptive cyberattacks.

Although not every attack makes headlines, they do occur—and are likely to increase in the future. This is particularly concerning given that a staggering 74% of buildings[i] today are unprepared for a cyberattack.

In the past, attacks were less of a threat because building Operational Technology (OT) systems (HVAC, building management systems, security systems, fire and life safety solutions) mainly operated in isolated, air-gapped silos not connected to the internet. Today’s increasingly intelligent facilities require greater connectivity to deliver the outcomes expected by owners. Hackers are aware of this shift. They understand that increased connectedness introduces new vulnerabilities and are quick to exploit any openings they find.

Aiming to address this weakness, the European Commission developed the NIS Directive[ii] in 2016 that aims to improve the security of the European Union’s (EU) information systems. The EU updated its cybersecurity legislation with the NIS 2 Directive last year, which will become law in October 2024 and require many measures pertinent to building operators in the EU. NIS 2 specifically focuses on OT systems and the unique vulnerabilities of OT environments crucial to essential infrastructure sectors.

A cyber-defense plan is no longer optional

In a building, a cyber incident can have severe consequences, disrupting critical systems and potential putting lives at risk. NIS 2 addresses this threat by mandating that building managers perform comprehensive cybersecurity assessments that cover many aspects of their infrastructure.

NIS 2 takes effect in October, but proactive building managers can get a jump on it today. Before conducting a complete cybersecurity assessment, they should put a plan in place that includes containment measures to prevent the spread of an attack, processes for assessing the extent of any damage, and protocols for system restoration.

It might seem overwhelming, but tackling it step by step can make it more manageable. Building managers should start by creating a basic cybersecurity framework tailored to their property’s infrastructure. The framework should include an inventory of critical building systems like HVAC controls, access management systems, lifts and smart building features as these systems can all be potential entry points for bad actors. The framework should also include an immediate incident-response plan that outlines steps to take if a cyber incident occurs to help limit disruption to building operations and potentially reduce threats.

Once the basic cybersecurity framework is in place, building managers should proceed to thoroughly inventory and classify all assets on the network and then run vulnerability scans and threat analyses specific to OT systems. This includes mapping out all digital touchpoints, understanding how they interact and identifying potential weaknesses. Based on this analysis, managers can then develop comprehensive security policies. These policies might include regular software updates, strict access controls and protocols for integrating new technologies into the existing system.

The human element is also critical

New cybersecurity guidelines like NIS 2 reflect a growing recognition of OT systems as potential vulnerabilities given both the the widening attack surface in buildings and increasing sophistication of attacks. For example, attackers often exploit compromised OT systems as entry points to infiltrate broader IT networks. In some cases, hackers use the comprised accounts of third-party vendors to launch an attack. This underscores the importance for building managers to implement integrated security strategies for both OT and IT systems, alongside stringent access controls.

It also highlights the need for basic cyber hygiene and training for staff on best practices and company-specific security protocols to foster a culture of awareness. In the context of buildings and NIS 2, implementing basic cyber hygiene and staff training is a critical component of security of modern building management systems.

For building operators, this means developing a comprehensive training program tailored to the unique aspects of the building’s operations. This includes educating staff on cybersecurity risks focusing on best practices for securely operating building systems, recognizing potential threats and understanding the implications of a security breach in the building environment.

NIS 2 emphasizes the importance of creating a culture of cybersecurity awareness across the organization. In a building management context, make sure all staff, from facility managers to maintenance personnel, understand their role in maintaining their building’s cyber defenses. This could involve training on proper password management for building control systems, regular refresher courses and updates on emerging threats specific to building systems and understanding the potential consequences of unauthorized access to building networks.

Ultimately, this focus on cyber hygiene and staff training helps buildings remain secure, operational and compliant with NIS 2 regulations, safeguarding both the physical infrastructure and the data of building occupants.

Honeywell helps protect OT environments against cyber threats

NIS 2 presents a considerable challenge to building managers, most of whom already have a to-do list that’s meters long. Honeywell Forge Cybersecurity+ for Buildings | Cyber Insights can help. It is designed to guide customers in directly mapping their compliance with the new NIS 2 regulations. The vendor-agnostic solution helps enable building operators to identify threats, anomalous behavior and vulnerabilities to assist managing and minimizing cybersecurity risks.

Unlike many traditional security-information solutions designed for IT networks, Cyber Insights is purpose-built for an OT environment. The solution is designed to detect, analyze and respond to cyber threats in near real time without the need for immediate human intervention. This approach is particularly relevant given the increasing complexity of building systems and the rapid pace at which cyber threats are now evolving.

To learn more about the latest NIS 2 Directive, download our whitepaper here. To learn more about how Honeywell Cyber Insights can help building operators gain real-time visibility into threats and improve their overall security posture, connect with a Honeywell expert today.

^[i] Security Infowatch.com, Blueprints for disaster? Protecting information in the construction industry [Accessed July 23, 2024]

^[ii] European Commission, Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) [Accessed July 23, 2024]