7 May 2020
Cybersecurity - keeping smart buildings safe
In recent years, those working in IT services have seen a sharp rise in cybersecurity breaches, as technology becomes more widespread and, in some cases, vulnerable. Indi Sall, Technical Director of NG Bailey IT Services, talks about why cybersecurity should be a consideration from the outset of any smart building project.
As consumers demand more innovative solutions to their everyday lives, technology is regularly being used for daily tasks, and the places where we live and work are no exception. Smart technology allows buildings to become more energy efficient, for example, saving companies time and money every day.
But as innovative as these advances are, they have also created new attack avenues for hackers to exploit. IT teams and senior management are often reluctant to take ownership of managing the security of these systems, so it often falls to the unequipped facilities management teams to deal with, usually as an afterthought.
Major organisations that have previously enjoyed a high level of trust with customers have fallen victim to large-scale, devastating cyber-attacks, and IT teams are continuously having to adapt, securing assets across corporate IT systems and installing new, more complex levels of defence.
While some more obvious attack avenues have been secured, we are starting to see a new vulnerability develop: smart buildings.
Why do we need to build with cybersecurity in mind?
Smart building projects are complex, multi-discipline endeavours, requiring inputs from specialist contractors who are, for the most part, not cybersecurity specialists. There are two major flaws which can arise if cybersecurity is not taken as a primary consideration in the construction of new builds. Firstly, building technology devices aren’t often built to optimise security, as manufacturers still tend to think in terms of closed, single-technology systems. IT departments can be consulted, but even they often don’t have experience of securing these cyber-physical systems. As there is limited knowledge of proper cybersecurity procedures at the design level, a knowledge gap is created which needs to be addressed at these critical stages.
Furthermore, when changes need to be made, either as part of the initial construction or a refurbishment project, and new technology is added to the network, the security of that network can be compromised. This is often the consequence when the additional technology is selected for its price, rather than its quality. Both these oversights can lead to vulnerabilities in smart systems which, if found, can be easily exploited by hackers. In 2013, hackers made use of stolen credentials from a HVAC maintenance contractor in order to infiltrate point-of-sale systems at the US retail brand Target, with the aim of stealing financial details.
We are yet to see a full-blown, large-scale cyber-attack affect a smart building. However, it is fair to say that if vulnerabilities such as those detailed earlier aren’t dealt with, the consequences of an attack could potentially be far more serious and possibly even jeopardise the safety of the building’s occupants. This is further amplified by the fact that many smart building systems are built on older programmes such as Windows 7, which are more vulnerable to ransom attacks.
What can be done to help manage these risks?
In order to design, build and maintain these key systems which integrate into the cyber-physical environment of a smart building, it is now essential for specialist contractors to have a strong IT background and an understanding of basic cyber security principles and practices. The Institute of Engineering and Technology’s (IET) Code of Practice is a good place to start as it spells out in detail all the recommended considerations in terms of cyber risk management and business planning for new and existing smart buildings. It’s a great resource which often doesn’t attract as much attention as it should.
However, responsibility cannot fall entirely to the contractor responsible for the build. The client must also take ownership of putting in place effective cybersecurity policies, procedures and standards and communicating them clearly to the supply chain. For instance, the Target data breach in 2013 could have been avoided if Target themselves had mandated that maintenance contractors use multifactor authentication to access their supplier portal for remote access to the network.
Addressing these measures as an afterthought in construction will only create more tedious work for those involved in the project. For instance, securing an existing building often requires extensive penetration testing in order to identify any existing issues, followed by the long process of removing existing programmes and installing safer systems. Making cybersecurity considerations a priority when designing a building will make everyone’s lives a lot simpler, and a lot safer.