Cyber Security and Safety in the Construction Industry with Lucian Niemeyer – Part Three

In an industry defined by what we create, it's the people who lead that make good things great. This is Get the Knack, a podcast by the National Academy of Construction, where we connect you with insights from experienced industry leaders to develop your skills and experience and help you achieve your fullest career potential. Welcome to today's session of Get the Knack. I'm Sue Steele and I'll be your host today. I was inducted into the National Academy of Construction in 2021. I'm absolutely thrilled to be the host for the third session of our podcast series with Lucian Niemeyer on cybersecurity. And I'm going to just quickly go through what we've covered so you can go back and look in the library and find these other sessions. But our first session was about establishing a cybersecurity standard of care for the engineering profession. Second was cyber protection in the design phase. And today we're going to talk about cyber commissioning and project delivery. Before we get started, I think many of you know Lucian, but I wanted him to give a brief self introduction and then we're going to dive into our subject topic. So welcome. Thank you very much, Sue, and it's great to be back for the third episode. And I'm thrilled to be able to share some time with you over the next 30 minutes about how can we continue that journey on cyber safety, which really I want to emphasize here. This really is a matter of human safety as you see the threats that are growing globally and even in this country with critical infrastructure. So unfortunately, the threat has gotten worse in the months since we recorded our first two episodes. So I'm going to be pointing that out. How can we as an engineering and construction community truly implement protections for both life and property? So real quick background on me, Lucian Niemeyer, I'm an Air Force veteran. Most of my life has been public service, 11 years working for the Senate Armed Services Committee doing national security policy, and then had the privilege to serve as the Assistant Secretary of Defense for Energy Installation and Environment, and where I kind of got into this whole concern at the direction of the Secretary of Defense personally to start looking at the threat posed by connected technologies throughout our society, not just for DOD installations, facilities, and infrastructure. Worked my tail off during that time to come up with tangible, real solutions. The work that we did within the Department of Defense turned into a nonprofit group that I now lead, which is buildingcybersecurity.org, where we took the work in DOD and now we are working to promulgate the framework we've developed throughout the built environment. That's the reason why my ascension into NAC last year, 2024, so thank you for the organization for inducting me. They have brought this mission to kind of raise awareness within the national construction community, but also other professional associations on how we need to aggressively confront a growing cyber safety risk in the projects, infrastructure, and buildings that we are building today, and how we need to really get after in the future enhancing those protections. So I'm thrilled that the National Academy of Construction has allowed us to talk for three episodes. This is incredible. I would highly recommend it. This is the third one, so if you find this interesting, please go to the other two, and also feel free to reach out to Sue or myself for further information and more information about the nonprofit, buildingcybersecurity.org. So Sue, over to you. Great. Great. Thank you for that setup. I didn't know there was so much more that you could share about your background, which is truly impressive, and you definitely were deserving of getting into the NAC, and we're thrilled to have you in the organization now. So just to kind of set things up for today, as you mentioned, we have done two other podcasts, and today we're going to focus on techniques and processes to reduce cyber risk during construction, the construction phase, and the turnover to the owner, which many of us call commissioning. And I know you have some definitions around commissioning, which I think are very important as far as cyber safety. So you said there's been a lot of changes, obviously, even in the last six months. So we have so many new modern technologies and things that are hitting us, and we're employing them in our business. How does a general contractor who's working with all these different technologies, how are they posing a threat to that general contractor? Yeah, I think what I want to do is also, what modern technologies are we talking about? And I actually used an antidote here. I don't know about everybody else on the call, on the line here, but I used to be able to fix my car pretty easily myself. I could get under the hood, I can actually figure out where the parts are, and I could fix it myself. A modern car today, you're more a computer technician than you are a mechanic, because of all the systems, all the sensors, all the connected systems that work together to make the car more efficient, and ultimately to enhance the user experience. We're having the same thing in the projects we're building, whether it be a building, whether it be an infrastructure, a pipeline, or whatever it is, the owners want more efficiency, they want a better way to manage their operations, and they want a better user experience in the facilities that they're operating in. So that's requiring us to put modern technologies in there. So when I say modern technologies, HVAC systems, access controls, fire controls, movement systems, escalators, elevators, and the modern technology is, okay, you can now operate your elevators from the security desk, or you want to be able to access your HVAC systems remotely, or you want your HVAC systems talking to your lighting and everything else, so you can connect them, everything, and they can work in unison to reduce the cost of operations. That's fantastic, and we do not need to dissuade that. But as a GC, you have to understand that there's now, you have subs, and you have integrators, and you have a whole slew of new people coming onto the site, communications engineers and teams, and they're having to wire things, and they're having to connect things, and your HVAC teams has to work with your fire controls team, and all these subs. By adding more connectivity, you're creating not just risk for making a mistake, but also risk for doing something in a way that, like, for instance, installing an HVAC system with a default password that could create a risk for an occupant or an owner down the road. So what we're looking at is, what are these technologies? How can they be installed? Remember, an HVAC system, modern HVAC systems, is as much a computer as it is anything else. How can they be installed, and how are they being installed by contractors who are aware that, okay, I've got to be careful in how I'm configuring these systems, more importantly, I have to record it so I can pass it back to the owner? We're not there yet, I think, as a construction industry globally, and that's really what we need to focus on, is that contractor awareness, and asking the questions of the owner as well as the subs. What are we doing to ensure we don't create cyber risk as we're installing and integrating these systems? I think that's a great point, and although we probably don't have time today, my mind is moving towards what's happening in the supply chain of those various systems to ensure that when it gets to the GC or the sub, it's secure and safe. Yeah, and that's a great question, Sue. And look, I grew up in standard HVAC systems, carrier, train, whoever we put them in. They're mechanical systems, and we had mechanical technicians and engineers who knew how to install that. It's just technology is changing so quickly and so rapidly that those installers may not certainly be as aware of the system they're installing than they were 10 or 15 years ago. So as a general contractor, you have to start asking, okay, we're getting top-of-the-line equipment here. Are you smart on how to work the control panels and the configurations and the interface with the network? I mean, those are the questions that an integrator hopefully can solve, but a GC needs to be asking the integrator, okay, how well-versed are you on the way these systems are all going to talk to each other? And it needs to go back to the engineers. There has to be much more collaboration between the design engineers and the specs. I mean, I've built things, I mean, how many GCs actually read the specs? Because they've been doing this for 20 years, right? Now those specs, those division 25 specs, the division 27, 28 have instructions in them that are specifically related to cyber protections that we need to be paying attention to in the construction industry. And we need to be reading that or coordinating with the design engineers as I'm installing the system. How do you want it configured? How do you want the passwords to be? How do you want the remote access? How much of it do you want? And then those designers got to get back to the owner and ask those questions as well. You're right. And since we covered design and engineering primarily in the first two episodes, I know you have more information there. I was wanting to continue on that theme and ask you more about other areas that the GC and the subs should be focused on to ensure they're constructing a safe and secure building. You mentioned the designer specs. What about some other things they should be doing during construction? A lot more interface with what I call the OEMs, the manufacturers. The Schneider Electrics of the world, Johnson Controls, Rockwell, Honeywell, all the control systems you're putting in, they need to take a greater role because they have a responsibility. I'll go back to the car analogy. People may not realize when you buy a car, a new car in 2025, you don't own the car like you used to. You actually sign an agreement that that car manufacturer is going to be updating firmware, software. There's going to be adding security patches. So you're in a relationship with that car manufacturer. A lot of the folks like myself, I'm not too thrilled about that. That's why I still drive my 2004 Jeep Rubicon with the zombie package option because I don't want anything really interfering with my car. But that's not where we're at today. It's very difficult to buy a car that is not connected and not being maintained without your knowledge. We're going to see more of breaking cars. In other words, you go to your car, you try to turn it on and it's going through a security update, just like your computer is. Well, same with HVAC systems, same with fire protection systems. So I think GCs and integrators and subs need to have a much more collaborative relationship with the OEMs and bring the OEM team, not just during construction to validate the connectivity, but also at the end of construction to actually teach those systems to a whole generation of building operators and technicians who may not have that background that you're getting a Cadillac, you're getting a computer. You need to make sure you have to maintain those systems. So I highly recommend coming out of this session as GCs, start asking integrators and subs, hey, are we talking to the OEMs? Are we ensuring we're not creating risk when we're installing a system that we may not be familiar with because it's so modern and so technologically advanced? Are we ensuring we're getting everything correct during construction? And that's a tough thing to do because in a way, they're the holders of the information. What are we going to do to ensure that there are clear lines of responsibility and liability if something goes wrong? To me, that's a piece of that getting to know the OEMs. Yeah, I think you brought up the word liability. That's a great issue. GCs are responsible for making sure there's enough, the correct amount of rebar in the concrete, that the lighting systems are grounded, the HVAC systems are installed in a way that won't create risk. And so that liability issue is something that should be looked at when it comes to cyber safety. I think we are going to be in a position in the future where there might be a lawsuit because there was a misconfigured HVAC system that led to some type of cyber attack, either the loss of data or worse, the loss of property or of life. And so we have to start being aware that there's a liability issue that extends beyond the traditional concerns of building safety into the cyber realm. And what can we do to mitigate that risk? And a lot of it is just installing systems correctly. But there's also new technologies that designers should be should be specking. Ideas of protections of operational technologies that are new to the domain that we should be looking at. And for the really good GCs out there and integrators, they should be asking those questions. Hey, how are we protecting these life essential systems in a building from cyber attack? And what could we install technology wise that would give the owner a better capability? And that can be a value engineering during construction. Absolutely. No, that's a great point. It should be integrated into value engineering. Now, we talked when we kicked this off that we're going to focus a little bit on commissioning. Tell us about how to ensure a cyber safe building at the end of construction that owners can be assured is going to be functional and operational. Yep. Yeah. And Sue, you and I have both been in this business for decades. We know that's the last thing we do. We do a punch list and we do a commissioning. So we need to demonstrate to the owner that the systems that were specified or were installed, we have to update the as-builts or the design drawings so the as-builts are accurate. And I think you and I mentioned there's only a couple of things in life that are never, ever right. And one of them is as-builts and the other one is any husband in an argument with his wife. So to me, we do need to look at the end of construction, making sure the as-builts, which are even more important. And by the way, I would love to do a whole nother episode with you, Sue, on getting out of the as-built business into the digital twin business, which I think virtual reproductions of the buildings are where we need to go. That's a whole nother episode. But when it comes to commissioning, we at the end of construction do a complete commissioning of all the systems, fire controls, HVAC, lighting, and to show the owner, yes, everything is operating. And more importantly, the commissioning is also used to balance things. For instance, HVAC systems, as you know, we have to balance the airflow through a building. And that commissioning process is important because that's the baseline for what we're turning over to the owner. What I don't see in the traditional commissioning process is a cyber commissioning, which is a report that goes back to the owner. OK, here's how your systems are configured. Here's the firmware that we installed. Here's what systems still have remote accesses open for remote maintenance, third-party maintenance. A lot of third-party maintenance these days on modern buildings are done by a truck driving by and checking systems. So what out there is for remote maintenance? I know when I had my HVAC system installed in my home, they're like, well, do you want to operate it off your phone? I'm like, absolutely not. But there are some folks that want to have that. So really, the owner needs a report of a cyber commissioning, how the systems within a building are configured, talking to each other, what the default passwords are, or what the new passwords are, and what the remote access is. And I really believe, and I know there's a lot of folks on the call who will argue with me on this, I think it needs to be an owner responsibility. In other words, I think the owner needs to bring in a third party and do a cyber commissioning, checking the configurations that the GC has done, and then also providing a report of how everything is configured in the building. I really believe we're at that point where we have to separate a building commissioning from a cyber commissioning. Now, building commissioning is traditionally a GC responsibility. Yes, and that's the right thing to do. But I think when it comes to cyber commissioning, that should be a report that doesn't necessarily check, well, I guess it does check the GC's work, in addition to providing the owner and the building operator and technician, okay, here's the entire inventory of all your connected systems, here's the list of their software, their hardware, here's how they're being patched by the manufacturer. So actually noting where you already have a interaction going on between Johnson Controls or Schneider Electric and the equipment in the building, and also what's available as far as remote access. That is a cyber commissioning. And for those on the call who want to know more about that, we actually created a statement of work for a cyber commissioning built around the framework that my nonprofit developed as an industry standard. So we're willing to give that out for free, that anybody that says, look, I'm building a very critical piece of infrastructure, or I'm building a critical building, I think it would be good for the owner to protect my liability. Because remember, that report becomes potentially the basis for litigation, that protect my liability that I want to suggest a cyber commissioning to ensure that the way we install the systems and the way third parties came in with the communications and networks, it's all operating in the way the owner knows or wants to, particularly when it comes to reducing cyber risk. That's fantastic. I know later we'll have you give the website and the contact and all that, but the fact that you're offering that standard out to people that are listening today is fantastic. Thank you for that. Yeah, it's the future. I mean, I don't know how we can continue to build modern buildings and infrastructure. Remember, our goal here is to prevent owner risk or reduce owner risk. And I just don't know how we can go on without it, because we just cannot continue to be blind of what's operating in a building and ultimately how to manage it. And those building operators and those technicians, man, they really need that cyber commissioning report to be able to use as the baseline for actually operating the building safely. That's great. So you've given us a really good best practice for cyber commissioning. Now let's move into operations a little bit and talk about just the facility engineers and technicians that have to operate the building, maintain the building, the smart building. You know, what are some of the biggest challenges they're going to be faced with? And let me just pause by saying, having been on both sides, building it and operating it, sometimes it's not the same company. And you have independent people that come in and do property management or do operations management or reliability or maintainability from a third party. So I'm looking forward to hearing what you're going to say about the operating and maintenance side. Yeah, there's a lot of challenges. Well, first of all, I'll go back to the analogy of a car. I don't know about you. I'm not a fan of having 150 sensors in a car that tell me everything that's going on with my car, because ultimately those sensors go bad. So half the time you're spending money in chasing the sensor as opposed to chasing a problem in a car. Same thing in a building. Buildings are becoming much more technologically advanced and connected, and we want these sensors. We want these sensors for air control, air quality, health, health and wellness. The problem is the more stuff you put in that's connected, the more it can go wrong. You do need to have a building manager or a facility manager. And by the way, my nonprofit is partnered with the International Facility Management Association to offer guidance and training to facilities managers on how to manage and reduce cyber risk in a modern building. Please contact me if you want to find out more work that we're doing with IFMA. But yes, I think you have more issues that can go wrong. You have more problems you have to diagnose and fix, and it could be just a sensor as opposed to an underlying system. And we don't realize that today a cyber attack to an HVAC system or a fire control system renders that building immediately unsafe for occupancy. That is not resonating. So for that building owner or that building manager or operator, you've got to take these into account. All of a sudden I get an email that says it could be a phishing attack or, hey, we've seized your elevators. Okay, are the elevators working? You call and you're like, no, something's going on with the elevators. Guess what? You may have a bigger problem there and that you've got to actually evacuate the building because you don't even know if it's just the elevators or if it's the fire controls or HVAC systems or critical lighting systems or whatever else. So you have to make decisions a lot quicker to protect human safety. And it's really difficult for a building technician or building engineer to kind of manage all that now in a modern environment. So training. I think probably, Sue, one of the things that we need to work on together in the National Academy of Construction moving forward is how do we enhance training of modern systems for building owners and technicians? And I say operators and technicians. Owners, all they care is with the bottom line. But those building operators need to understand that now they're getting the equivalent of a 2025 high-performance car and they have to understand everything that's going on in that car. I don't know if you've ever tried to read an owner's manual for a modern car. It's like in three volumes these days. And unfortunately, that's what's happening right now with building. So we do need to understand training needs to be enhanced. We have to have a much better awareness of what is actually operating in the building. And then ultimately, we have to have an understanding that if something goes wrong, what's the correct way to get this done? Now, I will say I don't want to read a three-volume manual on how to operate something. I'd like to have it virtually in front of me. So I want to make the case again for the value that a virtual representation of your building through a digital twin will have in the future, where you have AI saying, hey, you got something going on. There's a data anomaly here, or there's a vibration somewhere in the building, or there's a leak, water leak. So I do believe that technicians and operators will, in the future, if the owner wants them to, have access to tools that can ultimately really improve the air efficiency and be able to detect concerns and problems a lot sooner and work towards preventative or predictive maintenance, but more preventative maintenance during building operations. So all is not lost. We want modern technology, but we need it on the back end to manage it as well. And that's where I think digital twins will play a big role in our industry, engineering industry, construction, and ultimately asset operations industry. Absolutely. We've had a few executive insights on digital twinning, and we've had a couple of podcasts on those maybe about a year ago. So I'm sure they need to be updated and refreshed, but we can come back to that in the context of operations and maintenance. Yeah. Yeah, we need to, because I'll tell you right now what's going on with computer chips in this world, the advancements every six months, what was a digital twin two years ago is not what a digital twin can do today. And so I think, yes, I think for our audience in the larger engineering community, we really do need to say, okay, what can we offer an owner that's revolutionary? Not just, I mean, get us out of as-built as a minimal, move us towards being able to monitor living, breathing reproduction of that building, and then using AI, artificial intelligence, to help us, aid us, aid those facility managers and owners on anomaly detection. And I say anomaly, HVAC's not running right. Something's balanced, it went off, or it could be too many space heaters in one room. That's an anomaly. You know, then you see, you can make those adjustments, you know, for both occupant safety as well as experience and wellness. Great. Hey, before we go to our last question and a very important topic, I wanted to just share a quick story that my risk awareness was heightened greatly about two weeks ago. I was in London and went to the tallest, one of the tallest buildings in London on the 65th floor. And immediately I realized, you know, it was the programmable elevator. You know, you have to say what floor you're going to. There were so many bells and whistles in that. And I thought, boy, I hope I can get out of here alive because I started thinking about all the things and that building was finished. I believe it was just really opened in February 25. Yeah, I'm sorry. I get accused of that all the time, Sue. I'm like the grim reaper, you know, that people can't sleep at night after they listen to our discussion. I really don't want to leave everybody with fear. I think we have solutions in place. I think that's the commitment of NAC moving forward. Okay, now let's work on solutions. We understand this risk and we have a lot of risk in our lives. You know, we accept risk into our homes when we're adding a smart refrigerator or a coffee maker or, you know, or a new computer or we're operating our lights and HVAC systems from our phone. Believe it or not, we're accepting risk and we want to because of the fact we love that convenience to be able to check in on our dog through our cameras. So we like having that convenience and we don't want to shy away from that, nor do we want to not sleep at night. What can we do realistically, affordably, economically to mitigate that risk? And that's really what I'm focused on. So let's sum up with what we are doing at the National Academy of Construction to address these growing risks. I know you're involved in some other initiatives. I'd just like our listeners to hear about those and, you know, realize what's coming. Yeah, so the last year since I joined NAC has been pretty amazing. A group of national leaders that understand this concern and they understand the need for the engineering community globally to take this head on. This is really not that much different when we introduced boilers back in the 1850s and the first one exploded and all of a sudden the engineering world and the insurance world got together and, okay, we got to make safer boilers. Same, you know, the fires of the 1800s. You can see the history of the professional engineering community grow as a result of catastrophic loss for which the insurance companies of the world say, hey, you got to help us fix this. So the goal is to bring that same power together, insurance, liability, engineering, construction together to say, okay, we need as a world to reduce cyber risk, particularly to human safety. And when you hear about our adversaries targeting our water systems, targeting our power systems, that's human safety. You know, and so what do we do to ensure that construction efforts do not either create more risk, but more importantly, reduce risk. So that's what we've brought to the NAC in the last year. And there's been a resounding amount of support for that. So the National Academy of Construction is now leading an effort with other professional associations to establish a global standard of care for cyber safety. So we talked about it in the first episode. It is now moving towards reality. So the NAC has spent a lot of time and effort in the last few months working with the associations to create a summit of leading architectural engineering construction firms, along with leading academic institutions, other associations, and also the cyber protection companies that are different from the OEMs. So two sets of industry vendor reps together to say, okay, how do we, what do we write for a standard of care? More importantly is how does this translate into a professional engineering and licensing requirement? And then who ultimately should be stamping drawings or digital twins for cyber safety? So the NAC is working on that. If anybody, we're looking at holding our summit either later this year or the beginning of 26, we're nailing down a couple of dates with some other professional societies that want to be involved. So we're collaborating on that within the next two weeks. We already have a basic agenda laid out. But the goal is to put our minds together. So not just talk about the problem like you and I have been kind of amplifying, but come up with solutions. and write that standard of care. And then how does that translate into instructions for designers, for construct, for integrators, for GCs, and more importantly for building operators and how do you mitigate cyber safety risk in the built environment? So it's a great endeavor. I really, I can't believe how the leaders in NAC have come together and say, we got to solve this problem as Americans, as engineers, as folks, we in our whole profession care about human safety, it's our priority. We even have a safety committee within NAC to focus on workplace safety, but we also need to understand that this is a growing issue. So please, Sue, I would love to talk more in future episodes about this summit. We're looking at bringing together folks from One Day first, but ultimately send them away and come back for a repeat to actually promulgate a international, legally defined industry developed standard of care and then what needs to be done for cyber safety as a result of that. So I'm pretty excited that the NAC has taken a leadership role on that here just in the last few months. It's a strong close to a great series and a great podcast today. I'm thrilled to know that we're moving forward and putting feet and action to these ideas and these principles. Lucian, is there anything else you'd like to say before we wrap up the podcast? Sue, you've stuck with me through three episodes. I just wanna say thank you for that. I think our goal, and I'm hoping we do have a wide listenership, is to raise awareness in the construction community about what is a growing national threat, particularly posed by nation states. I mean, unfortunately, we're at a time in our nation's history where a keystroke, just a simple keystroke can cause catastrophic damage in the United States. I know our government is working on that very diligently, but we as the engineering profession need to do our part to solve the problem. So raising awareness has been great. Sue, I'm so sorry that I've been keeping you awake at night. I do wanna work on solutions, but I just wanna say thank you. And more importantly also to Christina for kind of putting all this together too. She's been the power behind all this as well. Big shout out. Not sure, I know whatever she decides to do is gonna be fantastic in life. So her support for this podcast has been incredible, but I just wanna say thank you, Sue, for allowing us to raise awareness on this issue. And hopefully we can continue to promote good solutions. Absolutely, absolutely. And kudos to Christina for being such a great partner on these episodes. But all good things come to an end, so we're gonna try to wrap up. I just feel like that I'd be remiss if I didn't talk about a few things that were sort of eyeopening to me. One was that we really need to have a totally separate cyber commissioning program plan from building commissioning. And you offered to share a new statement of work for that. And I'm gonna just quickly mention your website is buildingcybersecurity.org. Is that correct? Yeah, check us out and you'll see a free checklist on there. That's a great way to get started in understanding what we're trying to do. And then if people wanna reach out to me personally, it's Lucian, L-U-C-I-A-N, at buildingcybersecurity.org. That's perfect, that's perfect. Another thing that struck me was not to hand off this commissioning and startup to the GC, but to actually have the owner take full responsibility for it. And I think that's an important change with the sophistication of these connected buildings that we're building today. I also think that the role with the OEMs in terms of ensuring that all the equipment and all the procedures and practices are passed on and there's clear accountability and liability is really important. And I guess that's about it. Those are some of the top things I remember. But the main thing is you've opened the door to more information through the summit, through the National Academy of Construction that's up and coming. And we'll be sure to probably post that on your website so that we'll get that out on LinkedIn and on your website, on the NAC website. And when that date comes up, I'm sure a lot of the listeners will wanna be a part of that and tune in. I'm just gonna close with a word for the day. I found a great quote, I'm sure you'd agree. One of the main cyber risk is to think they don't exist. Focus on awareness, proactive security measures rather than dismantling the possibility or dismissing the possibility of cyber risks. And they're there, they're getting more severe. And although that does sound a little depressing and negative, I think if we are prepared and proactive, we'll be ready to face it at the time and to be on top of them. Yeah, we just need to treat as a safety program. Safety programs are not bad things. They preserve human life. We just need to treat the cybersecurity as a safety program and then we're 80% of the way there. That's fantastic and perfect. So thank you for tuning into this episode of Get The Nag with Lucian Niemeyer, CEO of Building Cybersecurity. And we covered today's cyber commissioning and startup in a project delivery. And I think that Lucian shared so many practical tips. I'm sure you'll wanna share this with your colleagues and your friends so that they can tune in and learn as much. We'll be back soon with more content. If you have any suggestions, you can go to the website for the NAC. It's naccon.org and we'll be happy to include them. So have a great day and have a safe day. Thank you for tuning in to Get The Nag because the construction industry needs people like you, leaders and innovators to build our future. Thank you.