Attacks on buildings and operational technology (OT) systems are occurring with increasing frequency. Yet, unlike public IT breaches that dominate our news cycles and inboxes, the effects of OT system breaches often remain private and localized, giving the false impression that they are rare and of little consequence.
But make no mistake, these attacks are real, frequent, and potentially devastating. Now, this article isn’t about convincing you that OT system threats exist. Instead, I’m going to assume you already recognize the critical need for cybersecurity and resilience in building systems. Here, I’ll focus on helping you step into the role of a cyber resilience provider and expert. First, I’ll outline why adopting these strategies is vital for your business (what’s in it for you?). Then, I’ll dive into four practical steps to becoming the OT cyber expert your customers didn’t know they needed.
What’s In It for You?
As a systems and solutions contractor, your success hinges on two main factors: the volume of opportunities to deliver solutions and the margins at which you can deliver them. Cyber resilience presents a significant opportunity for both.
First, you gain an Early Adopter Advantage: Cyber is surging into the OT market, and your ability to understand and deploy solutions in this area will set you apart. Those who adopt early will position themselves as leaders in a rapidly expanding field. This will also keep you relevant and “in the game” once these capabilities become requirements.
Second, you can deliver an Elevated Value Proposition: While energy efficiency and comfort are essential, delivering peace of mind through cybersecurity will resonate more profoundly with clients across the board, especially in the aftermath of an attack. You’re not just installing equipment—you’re safeguarding operations.
Third, you gain access to New Revenue Streams: Cyber solutions are not replacements for existing offerings. Rather, they’re an entirely new product and service category. Plus, they open doors to budgets outside the typical BAS scope, such as IT, Risk Management, and Loss Prevention.
Fourth, you’ll gain New Client Access: By offering cyber solutions, you can approach customers previously served by competitors who haven’t yet adopted cybersecurity measures, creating new opportunities for business development.
Lastly, you can greatly Reduce Liability: By recommending or implementing cybersecurity measures, you also mitigate potential legal exposure for your own company. If a breach occurs and you’ve provided (or at least offered) documented cyber solutions, the liability landscape shifts away from you.
4 Steps to Becoming an OT Cyber Provider
So how do you start to take advantage of these benefits? Well, transitioning to a cybersecurity service provider may seem daunting, but the onramps are numerous and gradual. Here’s a four-step roadmap to get you started!
Step 1 – Training to Teach: A great first step is to get training for you and your team. Understanding the foundations of cybersecurity will be critical before you can apply them to the OT space. More and more of these activities align with IT, so the better you can speak their language, the better off you’ll be when providing cyber resiliency solutions and educating your customers on the risks and benefits. So, you have to be able to teach it while you sell it!
To get started, there are some free resources from organizations like CISA, particularly their ICS training. Then there are accredited certifications you can obtain from CompTIA, like their Security+ certification, or GIAC, for their GICSP certification.
These training steps are really the first phase gate of the process. If it’s too much for you or your team, you may want to look at hiring additional talent.
Step 2 – Partner Strategically: You don’t need to master everything overnight. Partner with consulting firms or product vendors specializing in gap analyses, network segmentation, and endpoint protection. These partnerships will enable you to offer comprehensive solutions without overextending your capabilities while still maintaining healthy profit margins. A very simple approach is to partner with a leader in cybersecurity assessments for commercial buildings. Provide their services to your clients, collect a healthy referral fee, and then benefit from being a part of the remediation services after the assessment. It’s a Win-Win-Win.
Step 3 – Focus on Tailored Frameworks: The cybersecurity landscape is rife with frameworks like ISA 62443 and NIST. Rather than getting lost in the sea of standards, focus on those designed specifically for building systems, like the Building Cyber Security (BCS) framework. BCS distills the most critical elements of several widely known standards into actionable guidelines tailored to OT environments, making it an excellent starting point. BCS offers a free eBook on their website that walks you through the 16 high-level steps to secure a building.
Step 4 – Plan Big, Start Small, Scale Fast: It’s essential to have a long-term vision for integrating cybersecurity solutions into your offerings, but starting with manageable, high-impact services like vulnerability assessments or basic network segmentation will help you appropriately ramp up your skillset. Along the way, you also need to get your own cyber program in order internally. This will help ensure you’re keeping up to date on requirements, but also, customers prefer someone who is “subscribed to their own newsletter.” Then, as your expertise grows, expand your services to include more advanced offerings like automated threat monitoring and incident response. But don’t take too long. To achieve the full benefits mentioned at the beginning of this article, time is of the essence.
Final Thoughts
If this path seems straightforward, that’s because it is. Cybersecurity may be complex, but entering the space doesn’t have to be. With basic training, a strategic partnership network, and a phased approach, you can position your company as a leader in OT cyber resilience. And in doing so, you’re not just protecting your customers… you’re contributing to the security of critical infrastructure nationwide.