The News Room The News Room The News Room
HVAC/R Nov 13, 2022

Accountable operational technology

Estimates suggest people spend an average of 90 percent of their time indoors (Klepeis et al. 2001). Most occupants of the built environment take for granted that their comfort, health, safety, and welfare are by-products of complex physical machines and processes. These electrical and mechanical systems are often closely monitored and automated by an intricate infrastructure of sensors, networks, control devices, and software. When this transdisciplinary approach is leveraged to realize the synergy between the physical and digital worlds, particularly when internet technology is involved, it becomes a cyberphysical system (Fiore, Tamborrini, and Barbero, 2018). In process control and the built environment, the cyberphysical system is operational technology (OT) that highlights the commonalities with and differences from information technology (IT) systems.

The virtualization of cyberphysical systems and convergence of OT and IT is proliferating. The technology in both disciplines is advancing at a rate almost too fast to comprehend. As the line between IT and OT systems rapidly blurs into IT/OT, it is important to understand a crucial difference. Threats to IT systems and data pose a risk to an organization’s operational efficacy, mission readiness, and reputation. However, threats to an OT system can impact the physical environment on which the health and welfare of innocent civilians depend.

Over the past several years, narratives that began with an introduction like this likely transitioned to the need for proper facility automation cybersecurity. There is a growing awareness of cybersecurity in facility automation IT/OT. For the most part, it focuses on protecting the confidentiality, integrity, and availability of digital systems, networks, devices, and data. Indeed, this is a foundational principle in sustainable facility automation. For more information about cybersecurity in facility automation, please read "Building Automation Systems (BAS) & Cybersecurity", the Q4 2016 RUNtime newsletter, the "Reliable Controls Hardening Guide", and the Building Automation Systems + Cybersecurity presentation. Rather than reinforce these concepts already well established in the Reliable Controls experience, this insight article is the first in a series that builds on the foundation already in place.

Many cybersecurity control measures focus on restricting access and then managing permission to manipulate the system and its information. These essential concepts, analogous to locking the front door to a facility, are essential. But the one variable that most compromises a facility’s OT system security is also fundamental to sustainable facility automation: people. Once a person is in the door, who is accountable for their actions?



Accountability is an interesting concept in which a person, organization, or institution is required or expected to justify actions or decisions. Many people might be able to act and be responsible for doing so. It is the accountable entity that answers the particularly difficult questions about actions taken and especially outcomes. Accountability encompasses an implicit trust and actionable recourse that exceeds simple responsibility.

Many mechanisms exist for securing access and permissions to operate a facility automation system. But remember, accountability goes beyond the ability to act. Accountability infers the ability to answer and justify. This requires understanding the root cause of outcomes, how decisions were made, why actions were taken, and who acted. For a facility automation system to empower accountability, it must closely monitor the activities of those who are permitted through the front door. It must make information regarding their actions and the processes being controlled available, and it must provide assurance that this information is accurate. Why is a higher level of accountability valuable to the built environment?


Financial accountability

Although some characteristics are similar, facility automation OT systems differ from traditional IT systems. Many of these differences stem from the fact that manipulation of data in a facility automation system has a direct effect on the physical world that can introduce significant risk to the health and welfare of occupants, cause damage to the environment, result in financial loss, and threaten an organization’s ability to execute its mission (Stouffer et al. 2015).

In addition to being costly to operate and maintain, the electrical and mechanical equipment automated by OT consumes significant energy and controls complex processes. Improper operation of this equipment through ignorance, misinformation, or malicious intent poses a significant risk to natural and fiscal resource consumption. Even minor inefficiencies can result in considerable costs over time. An accountable facility automation system is a tool that helps organizations understand how and why their resources are being expended and their facilities are being operated.


Perception accountability

Reflect for a moment on how a cybersecurity breach affects public perception of an organization. Brand reputation can take generations to establish and yet be tarnished almost immediately by a breach of confidential information, the manipulation of operational data, or the unavailability of critical systems. Fortunately, no significant negative impact to organizations or people has resulted from a facility automation breach or intentional interference. No one wants to be the first to report that a masterpiece has been irreparably damaged, or a school has been closed, or a patient on the operating table must be moved, or tenants must be evacuated because operational technologies are out of control or being operated without authorization. An accountable facility automation system should empower organizations to monitor and maintain their reputation and operational efficacy by providing an accurate understanding of who is operating the system and how.


Health and welfare accountability

Fear mongering is defined as an action or tactic of needlessly, deliberately arousing fear or alarm, especially for a specific purpose or monetary gain. A warning is defined as a statement that indicates possible impending danger. In no way meant to be the former, a reputation is nowhere near as difficult to restore as human health and life.

Improper operation of large equipment poses a safety risk to operators and occupants. The well-being of people who inhabit the built environment is directly influenced, positively and negatively, by the performance of the mechanical/electrical processes and the automation systems responsible for their monitoring and control. In pharmaceutical and agricultural manufacturing and storage facilities, for example, a poorly maintained environment can present a threat even to those who never set foot inside. An accountable facility automation system should provide assurance of a safe operating environment.

These are just a few compelling benefits of accountable OT at a high level. Some businesses in vertical markets are particularly aware of the need for accountability.


Title 21 CFR Part 11—validated environments

The Code of Federal Regulations Title 21 prescribes rules for the U.S. Food and Drug Administration. Part 11 establishes the requirements for electronic records and signatures in processes and facilities regulated by Title 21. Practically speaking, Part 11 includes pharmaceutical manufacturing and storage, medical device manufacturing, biotech, biologic development, and research organizations.

The global pharmaceutical market reached US$1.2 trillion in spending 2018 and is expected to grow 4–5 percent to reach $1.5 trillion by 2023. Pharmaceutical spending in the United States in 2018 was up 5.2 percent at $485 billion (Pharmaceutical Commerce 2019); in Canada it was CAD$33.7 billion (Canadian Institute for Health Information 2018). Many vertical markets operating outside the United States are regulated by Title 21. Others are influenced by the legislation. In either case, validation requires accountable OT that complies with Part 11.



Many Reliable Controls Authorized Dealers are experiencing growing success in agriculture, particularly indoor farming. In 2019 food and agtech start-ups worldwide raised nearly US$250 billion, a 250 percent increase over 5 years. This investment growth is led by meat alternatives and indoor agriculture. Increased application of sensors and automation is improving greenhouse and vertical agriculture efficacy (Burwood-Taylor 2020).

Although electronic data for some emerging segments is not yet regulated by legislation like Title 21, it almost certainly will be. Accountable OT is positioned to provide industry-leading sustainable solutions for the agriculture market before validation is a requirement. This can place organizations ahead of the curve and ready when legislation is introduced. Accountable OT will help them feel well prepared for, and confident about, the future.

Facilities with critical environment requirements are of course not exclusive to the food and drug industry. Curators, conservators, and archivists are acutely aware of the irreparable damage that can be wrought on irreplaceable artifacts, documents, and works of art by poor indoor environment control. Data center administrators too face possible mission disruption if mechanical systems cannot maintain an appropriate operating environment. Surgical suites and operating rooms have critical requirements for temperature, humidity, and air quality.

These professionals are certainly expected to answer and justify outcomes and actions. Accountable OT can be crucial to helping them maintain the critical environments necessary for operational efficacy.


Accountable browser-user interface

Sustainable OT cannot realistically be isolated from the human element. People are an integral component to mission readiness and OT operation. An accountable user interface allows the management of who can change what and the monitoring of operator interaction. Traditional operation centers and workstations are relatively easy to secure and manage. However, contemporary facility operators expect true IT/OT integration that features browser-user interfaces (BUIs).

A subtle but important consideration is that a BUI presents a new spectrum of access and accountability issues. Fortunately for Reliable Controls Authorized Dealers and facility executives, the latest update of RC-WebView®1 includes many new features to provide BUI accountability:

  • User account credential expiry and lockout.
  • Administration management audit logging.
  • Dual authentication for user account management.
  • Dual authentication for system modification.
  • Data integrity assurance, including validated audit trails, signed Excel exports, and graphical log watermarks.
  • Context-filtered audit trail and alarm logs.

The subsequent insight installments in this series will describe each of these RC-WebView features and how they can be leveraged to provide an accountable BUI experience. We’ll also review the role of RC-WebView in a Title 21 CFR Part 11–validated system. Stay tuned.


Lead the Way

Threats to an OT system can literally impact the physical environment on which the health and welfare of innocent civilians depend. Making facility automation OT accountable is a valuable step to providing peace of mind for modern portfolios. It delivers assurance that facility data is accurate. It provides facility executives with the knowledge and context necessary to understand how their systems are operated and empowers operations teams to justify actions. Finally, an accountable facility automation OT BUI opens new market opportunities for Reliable Controls Authorized Dealers and is one more way we are people and technology you can rely on.

1 RC-WebView increment release 3.12.3 and official release 3.13.

Burwood-Taylor, Louisa. 2020. “Food and Agtech Startups Raised $20 Billion in 2019, Led by Meat Alternatives and Indoor Agriculture.” Forbes, February 25, 2020.

Canadian Institute for Health Information. Canada’s Drug Spending Growth Outpaces That for Hospitals and Doctors. November 20. 2018.

Fiore, Eleonora, Paolo Tamborrini, and Silvia Barbero. Designing With the Use of Data for a Better Understanding of People and Operating Contexts in Sociotechnical Systems (2018). Linköping: Polytechnic University of Turin.

Klepeis, Neil E., William C. Nelson, Wayne R. Ott, John P. Robinson, Andy M. Tsang, Paul Switzer, Joseph V. Behar, Stephen C. Hern, and William H. Englemann. The National Human Activity Pattern Survey (NHAPS): A Resource for Assessing Exposure to Environmental Pollutants (2001). Berkeley: Lawrence Berkeley National Laboratory.

Pharmaceutical Commerce. Global Pharma Spending Will Hit $1.5 Trillion in 2023, Says IQVIA (2019).

Stouffer, Keith, Victoria Pillitteri, Suzzane Lightmann, Marshall Abrams, and Adam Hahn. Guide to Industrial Control Systems (ICS) Security Revision 2 (2015). Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg: National Institute of Standards and Technology.