The connected campus isn’t exactly a new phenomenon. After all, it’s been the better part of a century since the earliest precursors of the Internet connected researchers at UCLA with their counterparts at Stanford. The years since have seen leapfrogging technological revolutions alongside vast transformations to the very fabric of campus life. When those pioneers at UCLA sent the very first proto-email, they could scarcely have predicted where their innovations would be headed today.
“Campuses are cities,” said Cheryl Altany, former IT Global Strategy Executive for Higher Education/STEM/Campuses at Carrier. The systems it takes to keep campuses running are as complex as you’d expect for any modern municipality. As those operations shift increasingly into the digital sphere, they stand to bring immense benefits to students, faculty, and staff – as well as immense risks.
During a presentation at the Higher Ed Facilities Forum, Altany and Nicole Darden Ford, Carrier’s VP and Chief Information Security Officer, explained what it will take to protect campuses in this new cyber frontier.
“The Attackers Are Formidable”
The connected campus of the future, Altany said, is intelligent, sustainable, healthy, safe, and secure. Built with green technology and linked by the Internet of Things, it improves its inhabitants’ cognitive function and personal health while boosting the collective health of its community. Well-designed, high-functioning intelligent campuses will enjoy lower operational and labor costs, not to mention greater engagement from students, staff, and the public.
There’s just one little problem: with increasing connectivity and complexity comes an increased risk of cyberattacks. “There are all kinds of things that can be hacked,” Altany said. “You get a good hacker, they can get into anything. Think about that – with all the buildings and research and medicines and drugs. There’s an unlimited plethora of opportunities for hackers in universities.”
To unpack these threats and how campuses should approach them, Altany introduced Ford, whose cybersecurity experience spans more than two decades in the public and private sectors. As Carrier’s CISO, she said, she’s witnessed billions of cybersecurity incidents every day. If institutions want to keep their systems secure, they have to make a commitment to security that’s commensurate with the threat.
“There has to be a real investment in cybersecurity,” she warned. “We see unpatched vulnerabilities, we see weak points in defense… The attackers are formidable.”
“There Has to Be Somebody Who’s Watching”
Connected campuses face a litany of security challenges. As Ford explained, those unpatched vulnerabilities in legacy networks pose the risk of data exfiltration – a risk compounded by the use of inconsistent technologies, like inadequate firewalls and unsecure WiFi. More connected, high-volume networks offer larger attack surfaces to bad actors, like sophisticated cyber criminals with records of extracting ransoms for sensitive data.
“Lots of schools are paying ransoms,” Ford said. “They’ve paid from $50,000 to a million dollars in ransoms over the last 20 months. The data is pretty staggering when you look at it.”
To conquer these challenges, institutions need to adopt a comprehensive, holistic approach to cybersecurity. Ford strongly recommended that institutions hire a Chief Information Security Officer if they haven’t already. “There has to be somebody who's watching,” she said. “They need to watch, they need to understand how to detect and respond to events. It's super important that you have somebody who does this full time on your behalf, and helps you to understand the risk associated with certain decisions that are made – by IT, by the administration, by the facilities teams.”
Another crucial step is to reduce organizational siloing. “We still see siloed departments where the facilities managers aren't talking to the IT teams and vice versa – but they should,” Ford stressed. A successful cyber strategy depends on close collaboration between facilities, IT, and cyber teams; it also hinges on cross-functionality. “You need to make sure that you have cross-functional skills on each of the teams,” she said. “Your facilities team should have an IT person who understands the building maintenance systems and how to secure them and vice versa.”
Institutions can support these teams even further by establishing dedicated CISO advisory boards, and leveraging experienced CISOs in their own regions. “They have the battle scars to really help you and your campus navigate through some of the challenges,” she said. “If it's not things like ransomware, it'll be another attack, a different type of attack, because that's what these threat actors are doing. They're changing their attack methods and techniques. As we learn more about one set of attacks, they change.”
Finally, Ford argued that institutions should involve the student body in their cybersecurity strategies, perhaps by creating student cyber committees to earn buy-in, teach best practices, and democratize cybersecurity. Institutions can go even further than that by engaging their broader communities, taking advantage of local expertise and fostering a more robust societal commitment to security.
“Make it everyone’s business,” she concluded. “A commitment to digital or IT as well as cyber is going to be critical in the days ahead.”