Control Systems Cybersecurity USA (8th annual live)

Building Control Systems - Don’t Trust Anybody or Anything (Physical)

Stream and Physical Kenzies

Michael Chipley
PMC Group, President

Dr. Chipley has over 35 years of consulting experience in Program and Project Management in the areas of Cybersecurity, Energy, Environmental and Sustainable Design (LEED, Energy Star and Carbon Footprint); Critical Infrastructure Protection and Analysis; Building Information Modeling (BIM) Technology; and Emergency Management/Disaster Recovery. He is trained as a SANS Global Industrial Control Systems Professional, a Project Management Professional, and a LEED Accredited Professional. He has a depth and breadth of experience with federal contracts and grants; has managed and directed small, large, and complex IT and OT engineering projects; and has advanced skills using cloud/virtual/mobile, project management, MS Office suite, geospatial, building information modeling, emergency management, and financial accounting applications software. He has been an active member, as a chair or board member, of local professional societies and universities, and teaches seminars and courses on IT and OT, security, and building systems convergence. He is the creator and instructor of the DHS Cybersecuring Building Control Systems and Cybersecuring DoD Control Systems Workshops, author of the Whole Building Design Guide Cybersecurity Resource page, author of the DoD Cybersecurity Resource page, and author of numerous DHS Building Infrastructure Protection Series (BIPS) publications.

In this era of converged Building Control Systems, the HVAC, Lighting, Fire, Parking, Elevators, and Digital Signage have now become attack surfaces that can be used to compromise not just the building systems, but also the tenants and visitors of the building and their organizational IT systems. In this session we will explore some of the best practices for adopting Zero Trust architectures, use of Cloud services, SOC-as-a-Service, and Contingency Planning/Disaster Recovery for when a cyber incident does occur. Buildings are exceptionally difficult to protect: they are used in every sector but can have different ownership types (REITs, government, private sector), levels of physical security (contract guard, secure facility, Defense Industrial Base, etc.), levels of energy security (stand-by power, prime power, Distributed Energy Resources), levels of recovery/resiliency (medical, data centers, commercial office space, residential, etc.) and financial business models (Triple Net Lease, Energy Savings Performance Contracts, LEED, EPA Energy Star, etc.). The session will look at the proliferation of attack surfaces to address, examine the cost savings versus the potential impacts, and consider how to balance risk to succeed: what does that risk management strategy look like? Building owners ultimately need to decide whether they are sacrificing security for efficiency, and what role their building will play in their portfolio for the next decades.