 Welcome to Silicon Valley Energy Summit and this is our session on using IoT tools to make buildings more energy efficient while maintaining cybersecurity. And really the topic that came up, I'm a member of the planning committee and really that process entails us throwing out a whole host of topics that we were considering to include in this year's Energy Summit. And a couple of sort of criteria that we apply is is it really something actionable? Can the information be taken home and applied in your respective organizations? The others really is it a contemporary subject and I think you know internet of things is sort of the topic desurer if you will because it is being discussed almost everything you read has some reference to internet of things. I think there's many definitions and a lot of people perhaps see it differently than many enterprise organizations are at least approaching it. Because this is an energy conference we're trying to apply internet of things and really build environments and how it could improve energy efficiency. So that resonated with the planning committee and since I brought up the topic I you know no good deed goes on quite as I've got the responsibility to organize the committee of which we got some very great presenters for you today. Starting with Aaron Lapsley and Aaron is the program manager for smart buildings at Cushman Wakefield at the Google campus. And Aaron's got a long history in smart buildings previously he was the president of uh I forgot the name of that firm. Switch Automation. Switch Automation as well as a long history in the mechanical engineering background. He has a PE license in over three states in the US and really understands building automation. We have Robbie Jadub and Robbie's a product manager at Cisco and I think Cisco is one of the leading companies in really building digital building automation. They provide a really rich set of solutions. Kind of had been in the forefront of this but I think really tying in all of the automation with analytics with qualified partners that you go to the market with a really complete solution and Robbie will cover some of that. And then you know there's a real I think big challenge in particular in the enterprise and you know everyone may have a Alexa at home or a Google and internet security in your own homes may not be a top priority but within almost every organization and enterprise security is really on the board's agenda and at least at my company at NetApp we you know we are required to report on our progress with cyber security and we've got a pretty large team addressing with that and quite honestly as a consequence every day we seem to be restricted or there's multiple authentication processes, multi-factor authentication requirements for us and then segmentation of networks and we're finding it becoming you know perhaps some barriers to some people in the company would argue about impacting their productivity and there's a balance equation then you introduce the whole world of internet of things and I could imagine every CISO out there having this real big concern about what kind of vulnerabilities and risk that introduces to the enterprise network. So with that we have Jeff Claybin he's the CISO Chief Information Security Officer at SRI International and Jeff has a deep background in this particular space but also understands the general corporate environment being at companies like Applied Materials and Accenture and Sand Disp and a whole other host of Silicon Valley type companies. Jeff will bring in the really the discussion of how you intersect cyber security with development and implementation plan for internet of things and we're really more focused in on the building automation side. So with that really kind of want to open up the session and we've got a few presentations the agenda is before you and we'll really kind of go from just level setting with presentations to moderated discussion to audience Q&A and again I don't think we want to be really structured so if a question pops in your mind feel free to ask it because it's better to put it in the context if something comes to mind as the presenter has a slide up, Baume he's asked the question and we don't have to defer that to the end so with that Aaron please. Yeah I think I did but if you minimize that yours should be good. Okay hi I'm Aaron thanks for taking a few minutes here to listen to me talk a little bit about energy efficiency in IoT so I'm going to kick us off I'll probably be a little bit high level. As Ralph mentioned I'm an engineer I spent some time as a management consultant and as of the last six years or so I've really made a conscious effort to focus on sort of the convergence of building operations and technology and data and how we can develop programs to actually implement data-driven operational solutions and so I've worked with a lot of commercial and corporate real estate clients as a consultant I worked for about three years with it with a startup as mentioned and built and ran switch automations professional services team that worked with real estate portfolios to develop and deploy smart building programs. So you know I feel really at home at this conference this is a good place for me and I'm pretty excited to talk today. Kicking this off most people in the room probably are familiar with these slides these are clipped straight off EIA I like to point out that you know despite what a lot of the headline you know the ratio of headlines might suggest most of the energy in the United States and really across the world is consumed by things that don't move around so it's consistently been about 40 percent for the combination of residential and commercial buildings I think in the last year is down to about 18 percent for commercial I'd happily see industrial take up a bigger percentage of that pie if the whole pie got a lot smaller I think it makes sense that we use a lot of energy in the energy intensive areas and we use way too much in commercial and residential properties and I've spent these last six years learning that story over and over again about how much better buildings really could be so the good news is we know what to do to use less energy in buildings it's not that complicated you focus on the stuff that uses the most energy in commercial buildings about half of energy is consumed by HVAC in another quarter by lighting the vast majority of energy efficiency savings from lighting are going to come with and are coming from LED retrofits so about 85 percent of the savings typically come from from the LED retrofit itself and the remaining from smarter controls so really the sort of addressable part here for IOT that is still emerging is is the HVAC side that's the biggest area of impact there was this New York Times quiz last summer that was really interesting and they gave you four options it was on the headline page so what is going to have the biggest impact on global climate change and it was eating less meat adopting more wind farms adopting more public transportation or making H air conditioning specifically better and the answer was air conditioning and then there was a quote right below that when you know if you got the quiz right or wrong that was there in the box air conditioning is not exciting the most people but I like to remind people even beyond energy efficiency refrigerants themselves are highly potent greenhouse gases and essentially every molecule of refrigerant is going into the that's ever manufactured has gone into the atmosphere there's a very small amount in very large industrial refrigeration plants that's reclaimed mostly because of health and safety reasons but you can essentially assume that every molecule refrigerant is going into the atmosphere so we're spending energy to make refrigerant that's going into the atmosphere that is you know our 22 that's being sunsetted in 2020 is 1500 or 1500 times more potent than CO2 you know methane that gets a lot of attention you know from sort of dairy cows or or meat industry it's only about 20 times more so this is a big deal and it's also massively being adopted so we know what to focus on we know how to run HVAC better we know how to design better we know how to operate better why doesn't it happen right should be fairly obvious and this is really the reason why because if you look this this date is for office buildings in large cities in the U.S. from Boma but if you look at the actual budget for a building utilities are typically in any given building about five to ten percent on average seven percent of the total rental income for a building so this is not the thing that moves the needle for the buildings so for these last sort of six seven years I've had this recurring cycle in my head over and over from these slides it's like okay huge opportunity we know what to do right but there's not that much that anyone's really going to do about it because it's a small impact and what I've started to learn and one of the reasons I'm excited to now be a Cushman and Wakefield I've kind of run the gamut of services you can do for real estate and engineering consulting and management consulting and technical consulting and a solution provider and now I'm with a property manager and I'm excited about that because the way that you get to address the energy bucket the utilities bucket on that is actually by taking that whole variable operating expense part and reducing those costs in every category and companies like ours like like Cushman and Wakefield and you know our competitive set are increasingly being asked by real estate portfolios particularly amongst companies who that's not their core competency corporations that do other things but have real estate assets they're being asked to actually provide glide paths or reductions for all of these things and so you can actually develop data-driven programs that really increase the operations of the buildings across the board in pretty much every category and as a part of that you get to address the energy piece of it which is really the part that I always cared about there's a ton of interesting stuff going on in repair and maintenance labor optimization getting the right skill sets in the right roles and what it comes down to is better management so management is kind of boring but you know I have this side that went to Harvard Business School and got an MBA and you know I have to sort of recognize the fact that the thing that's been missing in buildings in particular is just proper management there may be some disruptive technologies that come along and help here but to be honest with you it's the sort of boring fix the air conditioning part manage it better that's really going to get us to shape 20 or 30 percent off of that energy consumption so what does that well it's data and IOT oh yeah right yeah exactly well done yeah no don't turn it up just run it right so the history of iot we've got a guy video us ellipse balances perfect no worries the history of iot really is there in its early stages the history of building automation the first things that actually can you know controls that actually did stuff controlling things were the thermostat and industrial pneumatic controls and that sort of ran the show for a hundred years but the first actual data producing digit direct digital control system was a building automation system it actually was deployed in the year I was born 1981 in in Melbourne at the university of Melbourne um and um and that's straight from the wikipedia article on that so the um the system itself is you know at sort of the beginning of internet of things what it is is it's it's a network set of direct digital controls that are passing data between devices and actually communicating right there were other you know examples of computers controlling things before that but sort of this definition of a network direct digital control system is really the genesis of iot um that has advanced a lot in the proceeding 40 years and now you know in this world where you know I I sort of have a role in smart buildings really what that is doing is shepherding the future of iot into building operations um and um the things that were really really looking at are the four bullets under that upper rightmost box integrating systems of multiple types normalizing the data into a common model putting applications with decent user experience over the top of that so that people can do things with the data and then deploying increasingly low cost flexible sensor applications so we can get new sources of data out great example being vibration monitoring something everyone would love to have done say 10 years ago but it was too expensive now it's something that we can do relatively inexpensively uh because you don't need to bring out the building automation contractor to do it there's companies that actually provide that as a solution that's actually how you get predictive maintenance on on any kind of rotating equipment is through looking at vibration analysis so what does iot mean in buildings um it's a little bit complicated but there's sort of two flavors of it right there's the people that are always going to say we already do iot right we've already done this that is true what the key is is we're connecting that stuff now and putting the data into a useful place and I always have to remind them you you aren't necessarily doing things with a data warehouse your data was always hard to get to or not being used or not being permanently stored so there are sort of iot or modern it solutions that are helping the building automation side of this or metering side but the new iot applications really interesting and I break it into two categories that I've seen flexible censoring which is sort of i you know at working for a solution provider we want to be able to go put out cheap flexible sensors and move them around as needed um and innovative applications most of these are sold as vertically integrated software as a service solutions but we've got one going in with a company that's a small startup that is doing say plant soil moisture monitoring um out at the google campus so that you can actually water and fertilize at the right times and keep plants from turning over and dying um so innovative sort of domain specific applications that are actually really high value um all of this can sort of be lumped into a big framework for building technology I'm not going to spend a ton of time going through this but typically what's called smart buildings is really the b iot or building iot part of this it's the data producing things again some of that is core and you are going to have anyway and then there the challenge is connecting that stuff and then you've got these flags or innovative applications there's also a lot of stuff going on in what kushman is calling process automation a lot of interesting stuff with robotics uh in buildings particularly related to security cleaning um parking lot exterior environments maintenance and those are always going to sort of be lumped into a smart buildings program uh semantically but we like to think of those things differently because that's sort of automating business processes um I don't know how fast and how far this is going to go I've done probably 15 what I would call legitimate smart building programs with different customers so real estate investment trust corporate real estate portfolios uh big commercial uh you know pension fund style long-term real estate asset investors um this framework holds across any set of buildings or connected assets the part where I am seeing the most lag in this is in the people in process it is not that hard at this point and it's actually reasonably economical to get the hardware out get the data into a database get it normalized it's finding people that know how and what to do with it that is consistently the challenge we run into so you know I listening to Cheryl talking to keynote you know about sort of disruptive places that people might invest in all of the stuff in innovation I sort of worry that we're missing the bar here or missing missing the important piece in getting skill sets raised up so if there's a startup that I wanted to start it would actually be some sort of educational institution that would teach people that want to work in buildings how to work with data and I just mean sort of basic skills around reading graphs and understanding you know time series data and charts and tables um this isn't complex query writing or machine learning we need people that can look at graphs and figure out how that means that this thing is broken and then send someone out to fix it um and so I'm really hopeful that we're going to get there over time uh particularly as a younger generation comes up working on buildings um and I think the rest of the folks are going to talk a lot more about sort of the security and the technical details of how that stuff gets plugged in um but I'll uh I'll stop for there sure I want to see how all of our commercial agencies working trying to work with existing building centers and more opportunity um sensors for public protection and uh enough help for any agency products absolutely the question is uh are you finding that um people are are being uh accepting of past the leader um IOT on their devices for the first you said you mentioned uh vibrations we use it for uh segments or not sure so you mean like behind the meter as in within within the four walls uh yeah that's the world that I live in right so I don't ever go outside of the meter I live off student meter right but I'm working super hard to get in there um and be able to more granular so the question is am I seeing this being adopted the answer is yes absolutely particularly the connected buildings part of this this bit right here that box that is starting to become increasingly common this is stuff you already have in place and just getting the data into a normalized area so every program I've ever worked on has involved some element of that um adding new sensors still very dependent on the appetite for investment I'm lucky enough to have a client in Google right now and part of the reason I went to take the engagement I did is because you know their portfolio is growing they care about their their people's productivity they care about the real estate assets a lot um I've never had a client that wanted to to to invest as much in this space before so there's a lot of people where everything is still low bid low cost and and sort of innovative solutions they push off to service providers but yeah I mean I think increasingly this is adopted across the board being adopted it's still early stage though on innovative stuff on the software side to do this bit here you know getting fairly advanced oh yeah I did a lot of work in India and um there's three companies that dominate the management and and um releasing uh transactions right for commercial buildings that are JLL, CDRE, Cushman, right Cushman and JLL and CDRE I think could play the usual transformability barriers I totally agree with that by the way I think they're probably the biggest barrier to energy efficiency in their business I also agree with that I'm only three months on Cushman right so I'm not totally native yet but this is a well recognized problem right that's a problem of the consulting industry too though right I designed it well and what won't get them sued I mean I used to be a consultant you know sure be able to make the most of the long-circuit machine market on more efficient so I feel you're interesting that's particularly bad in India is that what you're saying interesting I mean look there's a raft of problems in this I have a slide that I didn't you know I it could be 20 minutes that just actually expand that discussion I'd actually like to bring Ravi up yeah there is other requirements that get driven out of that and then Peter your point is very valid extremely complex set of problems and I agree with you the property managers play a huge role there let's talk about it afterwards yeah great thank you apart from struggling with power points I am a product manager at Cisco my name is Ravi Jadav and I focus on enterprise IoT now what that really means is I focus on solutions that help our customers digitize some of their most important assets and that's the list now Aaron briefly touched upon the transition from OT to IT and what that really means is there has to be some kind of a mechanism that's used underlying for these OT components that say anything in a building unlike HVAC a sensor so that they can talk to each other and that's what make the building really smart now I just wanted to bring this picture up and show the buildings of yesterday were pretty simple you would have an IP network you would have a phone EVX system that the most would have an intelligent HVAC but buildings of today are changing drastically we are talking to customers and you see all these subsystems deployed in the building they're getting very very advanced you can see your badging system security cameras sensors lighting far lamp systems everything is getting onto the network the problem is all of these systems work in silos if you had a lighting system it would have its own control network it would have its own power network if you are if you're looking at HVAC it would have its own power network its own control network but they don't essentially talk to each other now if you were to make the buildings efficient and smart it's really important that all these subsystems talk to each other so for example the one of the main drivers that we see that people are moving to more efficient buildings more digitized buildings is primarily the efficiency and the customer experiences that they can enable imagine a building where where the optical sensors talking to HVAC or the lights or or any other subsystems in the building and you could enable scenarios like let's say the room right next to us nobody's sitting in there the occupancy sensors can talk to the network tell the network controller hey this room is empty network controller then talks to the HVAC and say hey there's nobody in the room just turn off the HVAC right so so things like that can really make the building efficient some of the customer experiences that we have seen is a lot of customers are using use cases like if there's a fire hazard in a certain part of the building they're using lights connected to the network to drive the occupants away from the fire hazard a lot of customers in the education industry are using lights to create a circadian rhythm so that they could keep the students engaged for longer period of time in their classrooms one of the various use cases that I wanted to bring up is it's from the hospitality industry one of our customers from the hotels industry what they did was they took everything that they could see in a hotel room and got it into the network right from the lights the window blind motors the electric mirrors POE TVs POE powered a mini fridge etc so the moment I walk into the room I set everything up to my liking the window shades the light temperature the TV channels are like to see and everything gets saved onto my profile the next time I walk into that same hotel chain doesn't matter which country I'm going into which hotel I'm going into as soon as I enter the room the same set of presets that I set earlier gets applied to my profile and the room is set to my liking so once we make the building smarter the use cases that you can enable as far as efficiency and customer experience is concerned are endless so and that's where Cisco comes into picture the vision we have is to get everything of these subsistence than worse onto one IP network so that they talk to each other and make the buildings more efficient more smart so that there's less human intervention and the building is kind of automated and runs on itself however there's a challenge with it we all know digitizing is important we all know that once a building is planned it's going to be there for the next 30 40 years and the building has to be ready for all the business and then for the business outcomes that the customer the building often comes looking for but when you when you when you try to get all these endpoints on the buildings onto the network they you inherently increase the attack surface all these endpoints there's a race to make these cheap and possibly they might not have the greatest the latest software stack on them this is the network's responsibility to provide a layered security approach so that the endpoints are protected from cybersecurity attacks or whatever attacks that are coming into the network and if in case an endpoint is compromised the network is contained and the endpoint is quality so the security at Cisco we focus to a great deal it's really really important and we all have seen these kind of attack university attacks by a vending machine a smart bird carrying out a lead-off attack right and that's where solutions like SDN software define networks come into play we believe making buildings smarter making buildings efficient is possible it's just that the consumers need to gain get an easier way to do it they need to get an automated way to do it right so the solutions like SDN and we call it software defined access is though they focus on three major things segmentation automation and assurance so what is segmentation segmentation in the sense that you create small segments into the network of users or things and you get give them access only to the things that they need access to for example if i'm walking into a Stanford facility today i'm getting on to the guest network i have no business talking to the vending machine or talking to the light similarly if if i have a light in the building it doesn't move it just stays there it has no business talking to my employee database or talking to my health health and so forth so it's really important that those segments are well defined and high opn points that we bring onto the network are constrained to talking into those segments unless you specify another one right the other important part is automation we all know segmentation is important we all know digitalization is important but there has to be a way where where a building manager specifies is intense and that is converted into everything that the network needs to do so if i specify an intense thing chef comes in and he should be only talk to the guest network like a light should only talk to a light and not an accurate sensor i should be able to define it on a controller in plain english and the controller should be able to automate it and take care of all the components that needs to drive it for cli level or or make that happen from a policy right and finally the the third important piece is assurance as far as cybersecurity is concerned it's it's really important that there is visibility into what's going on to your network because you can protect your network from the things that only you can see if the network visibility is not there network attacks might be proliferating in your networks and you might not even so it's really important that the endpoints are sending constantly data and the controller is taking this data making sense of it i'm telling you proactively what the problem might be so that you can take steps to prevent it instead of doing the damage control after the network is already the network attack is already so so those are the things we focus on as this go and i think that's the purpose that we do change the session we're going to talk more about about the visibility and that segmentation is up here thank you robbie good morning good morning i teach a graduate course of interior engineering at sanctoria university i've been in friday seven to nine p.m and my students are used to getting some compressed material so developing for ten minutes i'm going to give you a lot of information and i'll give you a link where i've got a video and i'll talk about this stuff in more detail sri smart buildings like the tech dc office sri international um grew up out of stanford over 70 years ago we're based here in normal park and throughout the u.s so our mission um interesting aligns with the core concept of what a smart building is all about right we want a safe environment that can help us be more productive if i start talking about side of security principles without first looking at the overall business objective the overall organizational objective about why we use this technology then i'm just so that it's something that's not going to have much value so i never start with the tech and i don't start with the security principle that's not the goal we're under attack we talked about this stuff on the news i think we're being desensitized to it um we could shut the light out again and make that point uh by the way our friends in eastern europe can do those things right now and uh search uh dragonfly our critical infrastructure and power grid are already infiltrated we're at risk so we're in a state of war um we can talk about this stuff calmly until something goes wrong once something goes wrong it's hard to describe the level of emotion and the thought of war and confusion and frustration when the tax have devastated consequences i didn't worry about the motivation of attackers as much as people are because like said you need to be called a system you put these types of network segmentations in place it's all principle based but there's so much to do and there's so much to protect in these complex systems that understanding the adversary's motivation is now becoming more important and prioritizing how we protect these complex systems so recent news from russia yes they're interested right there's a geopolitical component to my job and the chief security officer role my job is to help the organization make more informed decisions about risk i rather not take the full burden of that on my own so we have breaches at target at Equifax the board now wants to know my opinion and i can help guide to keep the business in operation to satisfy the interests of stakeholders but there's management philosophy that gets applied now so in the news this week Equifax is redesigning their security organization to align the cyber security and physical security the cyber physical converged environment under one group of leadership because safety has now become our sphere of concern as well so how do we help us make these informed decisions right we ask a series of questions in the context of some type of a methodology and we use that to assess risk right so thinking about uh system iot device or honeywell or whatever else i don't think about just the device i do think about its capability but i think about how that's going to fit into a broader system and a system security plan and a longer management maintenance plan for all of these devices and that's just where fishermen network standpoint that the data generates how it uses that privacy concerns and all that on this stuff gets kind of confusing and it gets big quickly and that's why we need these methodologies and structured frameworks to think about the risk here's the money slide right this is what i fully focused on as sort of a takeaway for folks thinking about um how we solve some of these problems a lot of these principles are not new i like simplicity i like things i can understand and so i've seen a lot of different security tools and approaches and devices and what i'm looking for is something that i can apply these control models to that makes sense but the first time i talked about having security at a conference i said i don't think i'm an expert but i'm like nobody can be an expert because it's everything it's every protocol so we start with some type of architectural framework and we apply those value principles and then we think about domains of trust trusted zones at a network level how data could be segmented who has access to it and we take the traditional it management approach that involves patching systems and trying to maintain things which are already struggling with and operational technology sensors and stuff that even harder to patch at least we should separate those groups of risk so because we intertwine them that it could be lateral attack movement from your compromised HVAC system into a database for example so when we do that we think about what's the criticality what's the sensitivity of the information that we're dealing with uh where are things located and can we architect some of these devices and edge compute closer to the area where it needs to operate and thereby be simpler and more isolated it doesn't seem like it's cheaper but it is cheaper because if you build systems that can't be controlled well then i might not have input when you do but then when something goes wrong i will do my darndest to rip it out and find something that's better and that costs the organization more i want to explain this slide i need to talk to someone designing a system that's not just the end of this type of slide right if you can tell me what system you're building i can figure out where it can be attacked i can do a surface analysis i can do a threat model and i can then have an intelligent conversation about where to manage risk and apply security controls so my prerequisite to protecting this stuff is to play some type of a contest like this i gave a talk it was popular so i did a repeat performance the last month and then a couple weeks ago at two big conferences where i was just trying to take these ideas and merge them together so this is on youtube you can just replay them in octane both with k's and you can see the full hour long session they like this presentation either that takes philosophy and if you're hiring a security leadership you're paying for philosophy right it's sort of a art of warfare approach take that combine it with the blue team right the defenders responsibilities of architecting the system of planning things systematically and deploying them right and now taking the adversary the red teams approach and Lockheed Martin developed a very nice model because we don't just get attacked that happens systematically there's steps let's take the way we attack the things and use it and how we design and build systems we want to break this chain as early as possible this chain of doing reconnaissance of them weaponizing getting a foothold and then exploiting actual trading data because as soon as we can break that chain we have an advantage i won't cover all of this so this is just one example for each stage of project planning including my OP devices smart buildings everything else that i connect to then we can think about how do we counter reconnaissance how do we counter weaponization and all the way to eventually going to stop this explanation and i'm going fast but at least this resource is available afterwards so that's enough of admiring the problem right that's right without building solutions we have a great legacy of doing that and we have a internet of things security and privacy center we do interesting research we just wanted to dark a concept for the internet of battlefield things and so we love taking this knowledge as leading edge government funded research and then applying it back to commercial applications other state local you know international government applications we develop technology to understand what the environment is so here's the paradigm shift right you can try to block these things out more maybe see this next wave of venture capital is going into trying to characterize data traffic and no understanding what's normal and intervene from that standpoint a good example of hospitals so if a system can help me get this picture if a system to look at network traffic and say here's the reality department here's building management here's how they should talk here's how they shouldn't talk then i can start to identify where that's going to happen that's where tools i could can make the problem so here's sort of s rise approach we tend to start in the middle around the right right you know building biometrics into sam sun's latest mobile devices etc but I'm spending more time on is how can we get innovation driven companies access to this advanced research and applying techniques into their strategies if anyone's interested in that i'm glad to talk since the way afterwards AI understandability may be the most important thing on this slide so i'll get on my soapbox for a minute if you are a user an investor an engineer that is building or condoning building black ops ai solutions where you've got machine learning coming to conclusions and maybe decisions and recommendations that cannot be explained shame don't support it don't use it don't rely on it if they create a level of risk that i worse than russia coming at us every day it's really the scariest thing to imagine and we're building it ourselves but how to counter that we have to build AI systems that are understandable but there's great research going on there a lot of it is about having natural language interfaces to these tools so this is the conclusion now how do we make that explainable the group will say well alessary has all of our information why are we even trying no if you're ready to give up if you don't want to hear the bad news and deal with it you really shouldn't be in a spirit leadership role you have to tackle these things systemally so our iot security lab has a lot of good resources a lot of these are free there's a membership group if you want to get more information about what we're doing um this is probably one other interesting area right so a smart building is part of a smart city which is part of a smart uh you know power grid and our power grid is under attack and so we're doing research for DARPA here as well um we don't have a good answer to the question what if our entire power grid gets shut down but we just put the switch back on we can do that with our laptop here we can find the power switch and et cetera but um so the research here i think is going to be foundationally important for everything we're building on top of us there's a few more resources um i'll give you one other homework assignment i guess is the open professor here for my students the first assignment is to do some reconnaissance figure out uh you know in their organization who their security leadership is what can be targeted as an individual i'd recommend you all create a list of all the digital assets you use to manage your lives and i've never had a student with us who already accounts they have to keep track of we probably have on average 200 and so make the list figure out how you rely on those things figure out what your contingency is if you can't do that in your personal life how can we do that more resilient thank you thank you jeff so we'll tee up a few questions and then uh hopefully we can preserve a little bit of time to the audience questions and answers as well you know i think the panelists all addressed many aspects of iot and peter's question with regard to over sizing in erin's point about really uh making sure we don't waste energy in its current state and so the promise of iot may be optimization or incremental optimization but you have to do the fundamentals don't have oversized equipment operated make sure it's operating to its original design or design intent um and then there's always the dilemma you're designing for something but the building is being used for some other occupancy and then you got to address those kinds of issues um so you you you solve for the the simplest thing and assume that's the case so you don't have wasted energy how do you see incremental energy efficiency and uh i think erin's slide the eia slide just sort of shown the distribution of lighting in hvac um in current state i'd say the lighting industry is a little bit more mature all of the providers out there can have lighting systems that operate over power over ethanette and with that it enables a connectivity to a device that then is already enabled with sensors and the sensors typically are light level sensors motion sensors temperature sensors so a lighting system offers an array of sensors that are essentially funded through a lighting upgrade and which i also then say the question really probably to erin and ravi in this case is how do you then build the business case to go forward and do lighting upgrades in a typical building environment you've got a lot of um long-term depreciation this lighting system in this building on the gap allowed depreciation is typically 30 years and this building seems to be about 10 years old 20 percent of the installed cost is already sunk in needs to be overcome on your return on investment analysis so you know oppose that question to building the business case through enhanced lighting and what is that return on investment that allows companies to move forward with iot type lighting upgrades so probably first question for you i don't think it's time for it so the way we look at it as so if you look at the green field requirements for traditional easy lighting versus this is the way which you work here with the lighting it's it's definitely must and yes studies in this environment but if you were to make a record of it and one thing to understand here is the value or the efficiency of the savings the cost savings is just marked from the lighting itself the search itself but the value it brings to the use cases that would enable that would be enabled with that like so if you put in a light as you mentioned mocklossy sensors that could enable some other use cases that would help organizations and will be managed to save money from other other great decade if you detect that there's no there's a certain part of the building that is not used by anybody for months stop selling the clean things there right and that's cause frame right there and that's that's making the building your processes more efficient so so we we attack it from both angles so not just the clock the ethics of the office of the catalyst effective but also the use cases that help you save money from the things that it is great yeah just yeah so the the way to pass practice and have the security approval review is that you can identify those other use cases proactively if you say you know we can do these other things and we'll figure it out later okay we want to have an architecture that can support that but the more I know how are you going to use these devices and what the information is in where it's going and actually draw a picture of it doesn't have to be pretty I mean just a whiteboard picture I can you know stick a snap but I understand that's going how to get back then that's sort of fast track to yeah this makes sense okay yeah and I think you guys already addressed that uh you know segmentation so we would have a lighting system we've done one in a building uh just down the street and center though where we upgraded the lighting in a retrofit application we're able to address lighting because we basically repurposed the space from office to some other specialized uses but we did recognize that the endpoint is a light and therefore the segmentation was on a real estate VLAN and did not ride on the trusted endpoint of the corporate network but it was in a subnet on a VLAN that had a certain level of privileges and I think that would suffice the security concerns that guys like Jeff would have because you're now provisioning the power and collecting the data on a segment of the network that only needs to have the privileges that it's required to run lighting um you know looking at the sort of the value proposition you have a lighting you have a rich array of sensors now gathering temperature data occupancy data and light level data and the light level data will optimize the lighting levels within the room and you have presets to that but I really think as a real estate professional the use of occupancy data is sort of unexplored and potentially a significant return on investment and so people that care about it too that's the interesting thing and it's the sort of Peter's comment about silence you know with the new organization we're having this conversation right now it's it's not it's space planning people that want the occupancy data and for them it's the holy grail right but but it's the it's the sort of facility operations people that are making this energy case to retrofit life pictures you know and that's particularly obvious with occupancy data but if there's other bioteas sources where that matters too I mean so I think increasingly you need someone or a group of people that can start to have these conversations about building technology above and beyond just the construction process absolutely and just to go uh let me just close on a point here so let's say you have occupancy data and the consulting engineers in the room and Peter and Aaron you can address this we in typical design have a minimum airflow if you had occupancy data and nobody's in the room you need minimum airflow and you you have an ashray requirement for that but the argument could be made you have to condition unoccupied spaces and and that's sort of like low hanging fruit just by having occupancy data that typically is not available in this conventional design you've got a thermostat on the wall operating it's most likely a variable air volume damper delivering air to the space but it's not detecting whether anybody is in the space it detects temperature from radiant heat but once you have occupancy data then you you have the ability to optimize and perhaps challenge the conventional approach of delivering at minimum air set point to delivering no air where air is not needed so there's these other I think business cases available to us when we start looking at the converged sensor data to optimize HVAC the temperature data if every one of these lights had a sensor on it giving you temperature readings you have a much richer array of sensor data than that one sensor on the wall and perhaps that one sensor on the wall is no longer needed and therefore you can rely on lighting sensors to modulate HVAC so as a person responsible for developing net app strategy for internet of things in the built environment you know where we're continuously challenged with how do you build the business case to sell it to management and don't know if Cisco or Aaron you've got other ideas in that particular area since you're already embarking upon it with Google you know how do we enhance the value proposition there any program I've worked on at a slide I didn't include it has five roughly five value drivers five or six you know and they sort of some of them are easily measurable and some of them are less measurable so the easiest to measure is reduced operating costs that's typically through repair maintenance and utilities the next be the most important at Google but that's somewhat unusual as occupant comfort some becoming more easily measured but you have to have really clean data and central spots and you can index spaces and normalize you can measure it through things like hot and cold calls too but it's somewhat more fungible what the value is you need an organization that actually just cares about that moving towards more predictive maintenance and reducing time to response and maximizing asset life and then optimizing your total space for both of which is really where occupancy comes in and that's sort of your set of benefits and the cost benefit analysis that you have to pick from and some of those you got to make assumptions on and some of them are pretty clear you know to set targets around energy so that's where I'd say to start just to think of it within that framework you know the cost side a little bit easier to come up with if you've got some skill sets or some experience in your staff let's go to the audience real quick okay so yeah the property owners. Yeah, and the convergence allows for that. Yeah. We're based on the ground. Here's what we're most likely to do, and here's how we can access the people to see what we do and see what we do. We're going to get a lot of resources out of it. That's a good question. The second question has to do with an underground or low-wile purpose. So, if you know what you're talking about, and if you're close to that point, then you should be able to see what the management's about to come. In the middle, they are both in the States, and sometimes in the States, the transition is the age, because sometimes it's long-term, and sometimes it's not able to do the math in the middle. And all of that determines whether or not you're doing the best in terms of the efficiency of the products, the effects, and so on. Because if there's a good amount of that, I mean, manage that for a little bit, because that helps me in seeing what we're doing at the time. Well, let me take the first one and hit the panel. Organizationally, what's very effective is that the Environmental Sustainability Team reported into the Business Day Workplace Research. So that's our structure. Unresponsible for environmental sustainability. Those are everyday conversations that data moves back and forth in perfect alignment. And then the reporting into our broader corporate social responsibility, my teammates on that already know all of the programs that the Facilities Ops teams have, or design and construction is considering. So that's one real simple way. It's just organization is structured so that the environmental sustainability folks are actually embedded into the real estate folks, and those conversations. We are stating those kinds of goals, and we've had a remarkable energy reduction performance, but not so much from office environments. So when you look at what is your real estate, the lab, data center side, we've made some significant reductions, but not so much in the office space. But yeah, we can't state those goals. Through a variety, mostly internal, we do some external reporting, but it's really just readouts to executive management and through our own communication, internal newsletters, and then reports we actually publish like CDP and a couple other platforms we're reporting to. Yeah, but I'd say that database is not necessarily shared. It's through the team that records that into the database, which shared as typical communication through SharePoint or intranet sites, internally. The second question also is a challenge, and I don't know if the panelists take that one on. What was it again? I was thinking about that one. Close the second. We need to think about the second one is about portfolio mix. Portfolio mix. It's a huge challenge. If you look at a company like what Google's done, they do lease a lot of space. You have to, because you're a big company, you're growing, but they do very strongly enforce the requirement to have at least some of the key data sources for IoT built in to their standards. For example, keeping a consistent building automation system across a large geographic portfolio. There are things you can build into the lease as a tenant. Obviously, the bigger you are, the more power you command as a tenant, the rates you're paying, you're going to have more control over that, but you can definitely enforce standards. Things like building automation systems, whether or not you get them with an open protocol or not, those things don't really add cost into the TI process, and you can just tell landlords. That is a significant challenge, particularly in commercial real estate, Portfolios, because all the properties are acquired. The vast majority of the properties in most commercial real estate, Portfolios, are acquired. You have every manner of device type technology and the ability to actually go through and invest to upgrade your fleet of digital infrastructure is a massive challenge. I'd say the biggest challenge I see is not so much figuring out what needs to be done. It's the skill sets, either at the corporate level or individual property teams, to know that they even need to upgrade something like a building automation system or how to put in a consistent metering network. There's just nobody thinking about that Portfolio level. It's a little bit better at the corporate side because things like standards can be built in around design. That's fairly common. We want our offices to feel consistent, and therefore the engineering types like us can get in our standards on infrastructure. It needs to be handled at a portfolio level and you need people to actually understand beyond what you see. The biggest problem I have is that lots of this stuff is hidden and even people that are used to the air conditioning part of it don't know enough about the control side of it. Your design engineers probably don't know enough about building automation. Some do, a few, but most don't. Requiring that people sort of having somebody just be their job and pulling in those skill sets is what's going to fix the problem on that. You know, I often find it weird when you're on your staff and you're basically taking an office to get a place to work with an estate team not only with a brand that has a good demographic, but also with a low-paying cheesier than me, I think we're happy. It'll make your project go faster with a better outcome. In most cases, yeah. Actually, that's a great segue to Jeff. If you don't mind just putting your IT hat on, you go into the unknown. We don't even know if we're going to have the landlord build a suite or we get to do it internally. How do you develop enough flexibility from an IT perspective to enable some IoT? That becomes an opportunity with at least negotiation because typical IT shops have their set of standards that don't necessarily contemplate IoT, but more connectivity for employees. I just want to start with a lay of the land. Give me something like that picture I showed, a simple version on a whiteboard. What are the components? What are the control planes to manage them? What are the options? Is there an opportunity to do network level segmentation? I didn't talk about microsegmentation, but if there's any virtualized systems involved, that's a whole other set of considerations. So you can quantify these different types of controls. I want to know what options I've got. I want to know what type of communication can happen between these systems also. I didn't really emphasize that, but we think things are isolated, but there's cyber-physical connections where an infrared sensor on my operational technology network can communicate with the IT side of the house. So I want to do some type of assessment there. It's like putting grace on a sports car, right? Those controls will let you create a more high-performance environment. Good, good. Any other questions from the audience? How are we doing on this stuff? Go ahead, please. Thank you for coming on stage for the development of health in the United States of America. So that all of this is happening in the United States of America and I think that I see a lot of these provisions that affect sort of disclosure in terms of building capabilities for requirements that, you know, for IT and marketing requirements, you know, be required to have to do a very building system. So if you're curious, whatever, you know, I know you're going to talk about how does it work for you, whether you see the work on these provisions that address this sort of thing and whether you think that the piece is really the place to have this kind of thing and that kind of separate part of the thing that I think Jack had highlighted, kind of the scary part probably was the kind of security threat that's potentially happening in your IT and your building system where you think you see all the life that you've created that are you know, the community and really a kind of connection. Which means the landlord that owns the building for the past 10 years. So from my standpoint, at least it's a deal that I've had service for a period of time. All deals are negotiable and it's better to write down the terms of the deal. So now, interesting thing I've seen, we have an office that's located in a Federal Reserve building. Their physical security, even IoT level stuff is quite impressive. Just because it's there, doesn't mean it's there for our interests. So these control systems that might create an illusion of security control, actual obligation, to manage these things in a certain way or to make sure that there's consistency. I won't rely upon them in my system security plan. That's the first fate of law that folks might make is everyone leads with this impressive we've got something encrypted or transport layer secure. So how does it apply and what's the commitment? And so having a service level agreement and so if it's a separate contract I've seen that you've got different options there. But the first thing is to write it down and as soon as folks don't want to write something down and commit to it, you know that it's not a control that you can rely on. I actually deal a lot with leases and from a boilerplate you don't see it but we do, we did a long lease up in Boulder and we put in those provisions. Conventionally a house system is landlords and they deliver air to us but we demanded in our lease to have access to their systems. We don't have control but we at least have read only so. I think you'll start seeing more and more at least engaged tenants start requesting provisions to certain systems that the landlord in typical leases is exclusive domain of the landlord. My intuition is that there's not nearly enough stuff in leases related to what you're getting from landlords. It's been a long time since I've reviewed one and they're mostly in New York and they're pretty slim on what you're actually getting. I suspect that's going to change particularly with space and service type models and people's expectations coming up about what they're actually getting. I hope it will get a lot more interesting. But I think landlords if companies have green leasing policies they're readily willing to disclose what their building performance are because it may get a dollar or two square foot more because elite certification or high performance building. So there are cases where the landlord is more than willing. State of California is alive. We were to sell a building. We've got to disclose its energy efficiency and actually provide supporting data for it. So it's not required but I would think that tenants would inquire on that at least a savvy tenant. Are we out of time? All right, one last question and we'll get out of here. Yeah. All the problems that we need to work out we have to think about the marginalization and how do you know that all of these problems are coming alive because all of them are small and we have a human and we have to do something to keep the problem alive. There's always two aspects of that. One is that the mid and smaller organizations are part of an ecosystem and now that we know that we've got these connections and data flowing between environments and you're managing more than I'm relying on you to have a certain level of control. So the larger your organizations I think have a new set of responsibilities to at least be a guide or set requirements. If something's important write it down. Tell these service providers what you need them to do what standards to follow, what frameworks and actually collect information and periodically monitor that this stuff is being controlled. So for a small organization how do you deal with all this complexity and how do you go and get help? Find service providers who might have more advanced security management aspects of what they're doing. So it's important to start asking these questions. Security is really just an aspect of quality. Once you can articulate what the quality is that you're expecting then you have a fighting chance of getting it. Great. Thank you. So we hope this was a good use of your time and please help me thank