Lucian Niemeyer, CEO of Building Cybersecurity, joins Stacey Shepard to explore how IFMA’s new partnership with BCS is helping facility managers better understand and manage cyber risks. From his Department of Defense background to developing a 16-step cybersecurity framework, Niemeyer shares how training, collaboration, and proactive strategies are reshaping cyber safety in the built environment.
In today's episode Lucian Niemeyer, CEO of Building Cybersecurity, joins Stacey Shepard, the President of Shepard Global Strategies to explore how IFMA’s new partnership with BCS is helping facility managers better understand and manage cyber risks. Together they discuss Lcuian's background at the United States Department of Defense to developing a 16-step cybersecurity framework that is available for free for facility managers. They highlight how training, collaboration, and proactive strategies are reshaping cyber safety in the built environment to drive safer, smarter facility management practices.
This episode is sponsored by ABM! Learn more about ABM here.
Lucian Niemeyer: [00:00:00] Facility managers are not yet aware that all the connected systems are putting on the network. Potentially can be vectors of attack. Real live attacks using HVAC systems believe it or not, to attack a casino.
These are, there's some pretty unbelievable stuff a bad actor could do with anything that has a chip in it. And we're putting more of those connected smart systems in our buildings.
Host: Welcome to Connected fm, a podcast connecting you to the latest insights, tools, and resources to help you succeed in facility management. This podcast is brought to you by ifma, the leading professional association for facility managers. If you are ready to grow your network and advance in your career, go to ifma.org to get started.
In today's episode, Lucian Niemeyer, the CEO and Co-founder of Building Cybersecurity joins Stacey Shepard, the president of Shepard Global Strategies to explore how IFMA's new partnership with building Cybersecurity is helping facility managers better [00:01:00] understand and manage cyber risks. Together, they discuss Lucian's background at the United States Department of Defense to developing a 16 step cybersecurity framework that is available for free for facility managers.
They highlight how training, collaboration, and proactive strategies are actively reshaping cyber safety in the built environment and much more. Now, let's get into it.
Stacey Shepard: Hi, I'm Stacey Shepard. I'm a consultant and also an advisory board member for a nonprofit called Building Cybersecurity, and I'm here with the CEO and Co-founder. Of BCS, Lucian Nemeyer.
Lucian Niemeyer: Hey Stacey. Glad to be with you.
Stacey Shepard: So we have recently embarked upon a strategic partnership with ifma and it really stemmed from the need to bring greater education and awareness to facility managers on the growing vulnerability and [00:02:00] threats.
So maybe you could share a little bit about how BCS got started and we can talk about some of the things that we've been able to bring. To the organization as well.
Lucian Niemeyer: Yeah, sure thing. So, first of all, it started with my opportunity to serve our country where I ran all facilities for the Department of Defense starting in 2017.
And I had a direct request by the Secretary of Defense to take a look at the facilities and the assets, the infrastructure we have in DOD. And to give an assessment to what degree it was secure and safe for our nation. And I gotta tell you, since that first request, I haven't slept for about eight years.
So I've been working on trying to not only make DOD facilities, but now face all of society. What can we do in buildings and homes and cars to make. Them cyber safe. Cyber secure, and less vulnerable to an attack, whether from a criminal, from a nation state from anybody that would want to do us harm.
We really have to focus on all the technologies we're putting into the built environment in, in, in our buildings. And not necessarily [00:03:00] to discourage technology, but to make sure that facility managers are aware that along with that technology comes the need to understand how you can mitigate cyber risk.
Stacey Shepard: Yeah, and we're seeing a greater proliferation of that technology coming about. You've got leveraging of ai greater usage of sensors, occupancy sensors, the ability to promote sustainability better asset performance. But yet with that comes. A lot of risk as well. And a lot of people think that the organization's CIO has that and that they're taking care of the situation and that's not their responsibility.
Lucian Niemeyer: Right. And facility managers are not yet aware that all the connected systems are putting on the network. Potentially can be vectors of attack. I mean, we've got some wild stories out there. Real live attacks using HVAC systems using, aquarium thermometers, believe it or not, to attack a casino.
Pretty amazing, you know, devices that could be turned into [00:04:00]listening devices like your electric vacuum cleaner that you have rolling around in your house all day. These are, there's some pretty unbelievable stuff a bad actor could do with anything that has a chip in it. And we're putting more of those connected smart systems in our buildings.
We just have to be aware, prepared, and that's the work that my nonprofit, our nonprofits done and we're working on together to offer frameworks to mitigate that risk.
Stacey Shepard: Yeah. And so that framework, I think is really something that we need to share with everyone. You had a, a. A cadre of experts that spent over a year of volunteerism
Lucian Niemeyer: almost two years.
And
Stacey Shepard: and came up with the 16 steps, which by the way, is located on www.buildingcybersecurity.org.
Lucian Niemeyer: Thanks to that safe.
Stacey Shepard: And and it's a free checklist of 16 steps. Talk a little bit about that because we don't all just want to bring about the risk and the challenge and the vulnerabilities. We wanna give an action plan as well.
Lucian Niemeyer: Yeah, sure thing. So it started with a working group. So when I [00:05:00] came outta that meeting with the Secretary of Defense, first thing I thought to myself, okay, I gotta bring in the real experts. So, when you're an Assistant Secretary of Defense, you can call up Siemens or Schneider Electric, Honeywell, all those, and they'll show up for a meeting.
So I brought 'em all together. We started talking about what could we do for the framework to reduce overall risk brought in a couple of organizations that are critical to our success, international Society of Automation. National Electrical Manufacturers Association, and together we started tackling this problem for all of society.
And what came out after a couple years of this working group is a nonprofit and a framework. And the 16 steps are the first step on any journey by anybody in the FM community that wants to offer to their building owners and clients. How do we actually. Realistically, legitimately, tangibly reduce cyber risk and enhance cyber protections.
So what we did over two years, and you're right, it was a lot of work by a lot of volunteers is to come up with a way to tailor the [00:06:00] standards that are out there that are very arcane and ultimately to.
I'd say really interpret them and come up with an easy to use checklist that anybody could take a look at. So yeah, I could definitely go do that or go fix that problem.
Stacey Shepard: And I think one of the best things about it it's as we hear a term called IT and OT convergence, right? So it protection of data.
OT is looking at your building automation systems, your control systems, your access control and having the right conversations because that's not what's happening. And so this checklist starts at the beginning, looking at governance and policy, looking at asset inventory, looking at risk management, everything through, through backup.
And it walks you through to be able to have proactive discussions on what are we doing, how well is it working? And to be able to not just take a reactive posture. And I think that's one of the benefits, many benefits that the organization's providing.
Host: [00:07:00] ABM creates possibility for world class facilities, helping systems perform businesses prosper and occupants thrive. A BM has over 100,000 hands and minds with the talent, technology, and innovative thinking. Tell people, work, learn, travel, and do more. A BM works every day to create new solutions for clients, industries, and communities.
They make a difference across billions of square feet and touch the lives of millions of people, and now they're inviting you to see what's possible. Get in touch with an A BM expert today at abm.com or call 866.624.1520. Again, that's abm.com or call 866.624.1520.
Lucian Niemeyer: Yeah. A lot of times when I talk to the FM community about cybersecurity, the room clears because they don't understand.
It actually is a matter of cyber safety. Facility managers have the highest [00:08:00] responsibility to their clients to ensure building safety, cyber safety is one of those risks that's growing. And a cyber attack on a, on an HVAC system or an elevator or a fire control, that building is down. You have to evacuate the building and that building may be down for weeks or months.
Not a lot of folks in the building industry understand that, and that's what we're trying to do is raise awareness and then offer tangible twos of, to reduce the risk.
Stacey Shepard: And I think a challenge is really about culture. So. I in an environment, facility management is all about safety and they have a culture that promotes that, but they don't really incorporate cybersecurity into an all hazard plan of action.
And many times there is no plan. So that facility manager may not know who to call or what to do. There may not be a checklist or a book to look at
Lucian Niemeyer: or that checklist may be on the network that's been compromised. Exactly. They can't even get their, to their computer.
Stacey Shepard: And so. In looking at this we've also put together some [00:09:00] training.
And so in alignment with Cathy Pavick for professional development from ifma, we developed a cyber 101 course for all intents and purposes that we're distributing. Yep. And and then also looking at executing tabletop exercises where facility managers and leaders can go through kind of what if exercises to understand.
In a safe space some of the decisions that they should be making and thinking about things through a different lens.
Lucian Niemeyer: Yep. Sure thing. We actually just got done a workshop in Toronto, Canada where we sat down, shout out
Stacey Shepard: to the Toronto chapter for leading that.
Lucian Niemeyer: They seem to be the trendsetters.
So, you know, ifma Canada invited us up there and we talked to a group of building managers and facility managers and would like to take that show on the road. You know, any IFMA chapter around the country. They would like to host us, we'll come down to a half day seminar, talk about the cyber threat walk through a tabletop exercise of an actual cyber attack to a building, and ultimately what [00:10:00] facility matters need to do to mitigate their risk to quickly recover in the restore full operations of that facility.
Stacey Shepard: And I think one of the things that BCS also does, in addition to providing education and training, they also can come in and the members can actually provide cyber assessments. They can do cyber commissioning they can go through with training of the, of people. They can look, you can look at a campus wide, not just a facility itself but some of the capacities and capabilities.
Maybe you wanna hit on that briefly? Yeah,
Lucian Niemeyer: absolutely. We started out really focusing just on the framework, but as the popularity and the understanding of our mission has grown. We have definitely got into the training business. We're also reaching out to collaborate between ifma and the Building Owners and Manager Association, boma.
So our ideal workshop would be both BOMA members and IFMA members. So recovering the entire real estate landscape and taking a look at what can we do to bring our expertise to those managers [00:11:00] on a full range of cyber protections.
Stacey Shepard: Yeah. And see, speaking of cyber protections, a lot of people think, oh, well, do we need to have cyber security insurance?
And a lot of times this is inherent in your property and casualty insurance. So having organizations think about, what's written in, do you have policies that cover these liabilities and issues?
Lucian Niemeyer: Yeah and a lot of folks you know, facility manager that will hear they, that's what they'll hear from their C-suite.
Oh, we got insurance to cover cyber attack and we're not talking the same thing. You know, they need to push back saying, you, you can't transfer human safety risk. There's three things you do with risk. You assume it, you transfer, you mitigate it. And when it comes to safety, that's a CEO responsibility.
So we need to make it clear that the cyber threats can threaten property damage or physical harm. And in that case, you really cannot transfer that type of risk. It becomes something that you've got to work to mitigate and work with your insurer to reduce rates. Look you know, insurers reward good behavior.
You know, [00:12:00] whether you have a physical security system at home, even if it's your dog. Or you have a good driver discount they do reward good behavior. The goal here is to use our framework to demonstrate that we've implemented measures in order to have more favorable consideration when your next property and casualty policy suffer renewal.
Stacey Shepard: Yeah. So it's really about trying to change and incentivize behavior as you're and looking at the culture overall. So trying to raise that awareness is gonna be something that's gonna be key.
Lucian Niemeyer: Yeah and look for a lot of facility management companies, this is an additional offering. You know, not a lot of building owners are looking at cybersecurity, so I'm hoping we can also inspire some facility management companies to consider, Hey, what are we doing for our clients when it comes to the protection of the occupants from a cyber threat?
What more can we do and where can we partner with building cybersecurity.org to go ahead and make that happen?
Stacey Shepard: Absolutely. Thank you.
Host: Thanks for [00:13:00] tuning into the Connected FM podcast. If you enjoyed today's episode, please take a moment to rate and review the show because it really helps us reach more listeners just like you. And don't forget to hit the subscribe button so you never miss an episode. See you next time.