Cyber Security In Smart Buildings: Inaction Is No Longer An Option

As advancements in connectivity, new technology, and service deployments powered by IoT and Big Data continue to make their way into the smart buildings’ landscape, cybersecurity concerns will intensify further.

By Konkana Khaund, principal consultant, Energy & Environment, Frost & Sullivan

Today’s smart buildings are increasingly enabled by Internet of Things (IoT) and made functional by the ongoing convergence of Operational Technology (OT) systems and Information Technology (IT) systems in buildings. A host of new elements such as the cloud, remote access, data sharing and analytics, connected and shared networks has fundamentally changed how built environments are being used and operated.

Additionally, these elements into one that necessitates the open access and control of many operators and service providers.

The role of these entities is, to a large extent, crucial in reaping the benefits of a converged and connected space. However, buildings are exposed to a new threat that has been downplayed and undervalued for a long time. After witnessing a recent slew of security breaches, stakeholders of the smart buildings industry are recognising the potentially damaging impact cyber threats pose for the industry and its related businesses.

Strategic Messages For The Industry

Through dedicated research and dialogue with industry participants, Frost & Sullivan concludes the following:

  • Investigating the issue of cyber threats in smart buildings is timely and pertinent.
  • While avoidance may not be an option, the ability to minimise the impact of cyber threats needs exploring.
  • Thought leaders and technology experts must collaborate to address various aspects of cybersecurity.
  • Evaluating the efficacy of technology solutions pioneered by leading companies at an industry level is important.
  • A well-rounded strategic initiative is necessary to deal with this disruptive trend.
  • Cyber threats demand the utmost recognition and intervention of administrators and regulators to implement industry-wide changes.

Pervasiveness of technology, ubiquitous connectivity, and an increasingly evolving machine-to-machine (M2M) environment will continue to impact and influence how smart buildings are operated, which will raise the need for protection against cyber risks quite significantly. A delayed head start not only poses huge challenges in dealing with this complex issue but undermines the value and adequacy of initiatives that could potentially be used to ward off adversarial impacts. Irrespective of such shortfalls, however, inaction is no longer an option for the smart buildings industry.

Cyber Risks In Smart Buildings

Technology Progression

The Building Automation System (BAS) or a Building Operating System (BOS) has moved considerably from the physical realm to one with IT enabling all aspects of its functioning. Furthermore, there is now a new generation of connected and intelligent buildings powered by IoT. The continued entry of many technology vendors and service providers (ranging from billion-dollar IT conglomerates, established building technology companies, consultants, and a vast number of enabling technology and service providers) marks a completely transformational phase in the smart buildings’ trajectory.

The Integrated Building Network

The integrated network of a smart building is where the true benefits of a smart and converged infrastructure are realised by building owners and operators; however, this is also the point where extreme exposure to security vulnerabilities is manifest. From a traditionally static and proprietary environment of standalone systems, the smart buildings industry has gradually moved towards a dynamic environment characterised by open systems and protocols governing their operational aspects.

Protection through obscurity that standalone systems have enjoyed is no longer an available option for the present intelligent and interconnected systems running on open protocols and with virtually every other physical system within the building under their supervisory control. For instance, a network-enabled BAS that can control practically every physical system from Heating, Ventilation, and Air Conditioning (HVAC); lighting; physical security; and access control to energy management and data aggregation systems has the potential to trigger wide-scale security compromises for all such systems. Attackers infiltrating the BAS can potentially infiltrate the enterprise.

However, the scale of damages can inflate significantly when such open systems are overlaid with IoT, which essentially implies connecting all building systems and services such as monitoring, diagnostics, and analytics with an overlay of an Internet Protocol (IP) network that eliminates all human intervention. With IoT, the value of devices and data is closely interlinked, with each becoming meaningless without the other. With that comes the importance of aggregation of such data for providing granular inputs of a building’s performance hosted in a virtual and highly risk-prone frontier: the cloud.

IoT And Cyber Risks

Activities centering on IoT are delivering increasingly unique advantages and novel challenges. The advantages include real-time access, vast data generation and analytics, and interconnectivity of systems and devices. These advantages by themselves, however, offer little value unless the crucial decision to share the data and networks is simultaneously taken, as such permitting access to multiple service providers to tap into a smart building’s various systems and devices.

This access implies potential security breaches that could render a smart building, its occupants, and service providers powerless over an adversary’s damaging actions to corrupt networks, misuse critical information, and cause significant operational and financial loss.

With IoT, two broad buckets of elements are at risk in the event of a cyber breach (machine and data), as depicted in exhibit 2.4. Firstly, by definition, the elimination of human intervention in the realm of IoT implies an M2M environment within the building that encompasses all physical systems that can interconnect and intercommunicate through an IP network that is at stake in the event of a cyber breach. Secondly, the inseparable relationship of device and data brought together through aggregation in the cloud or locally can be compromised in the event of a cyber breach.

These two broad buckets of machine and data and their intrinsic interlinks may result in cumulative damages that could potentially permeate into all layers of the enterprise, building and facility portfolio, users, operators, and service providers and their respective businesses and associated infrastructure. Interestingly, the smart buildings industry and its stakeholders have not evaluated, either wholly or partially, the extent of such damages in their complete manifestation.

Cyber Risk Management For Smart Buildings

Dealing with cyber risks and threats demands a sophisticated and robust approach for smart buildings, which essentially consists of a systematic review and analysis of aspects such as the following:

  • ICS vulnerabilities
  • Cost of damage
  • Scope and magnitude of cyber crimes
  • Technology initiatives and mitigation methods
  • A cybersecurity management strategy

The preceding section looked at the first two issues. This section reviews the scope of cyber crimes that relate to smart buildings before considering other aspects such as technology development for mitigation and plans for cybersecurity management.

Scope And Magnitude Of Cyber Crimes In Smart Buildings

Cyber crime encompasses a broad range of activities; however, cybersecurity professionals tend to group criminal activity into categories based on capabilities and impact. Frost & Sullivan has categorised these under the following four groups:

  • Terrorist organisations (eg: ISIS and Al-Qaeda) are considered low-to-moderate in impact and directed mostly for propaganda and recruitment; however, they could potentially launch high-impact attacks in the future.
  • Hacktivists (eg: politically motivated groups such as Anonymous and LulzSec) depict a steep upward trend since 2011 and are prone to high and low fluctuations as technology changes and as the business, economic, and socio-political landscape changes over time.
  • Organised crime (eg: profit-seeking criminals and criminal organisations) is considered a medium/high threat in terms of capabilities and impact and is primarily focused on data theft and not directed at destroying the host system so as to maintain a lifeline to illicit revenues.
  • Espionage (eg: corporate and government) is considered a high-skilled and high-impact growing threat involving computer and physical network attacks to obtain, destroy, and render critical information unavailable.

Among the four categories discussed above, the two considered most applicable to smart buildings, with the ability to inflict substantial damage, are espionage and organised crime.

However, the potential of hacktivism impacting a smart building cannot be ruled out. Similarly, depending upon the nature and strategic importance of the building, terrorist-devised cyber threats could be a strong possibility as well.

In Conclusion

Smart buildings are creating new standards in technology, comforts, efficiency, and operational gains for owners, users, operators, service providers, and the community at large. The influence of IoT in smart buildings has drastically changed both services and value delivery models; however, IoT has exposed buildings to unprecedented vulnerabilities of cyberspace. While still in the early stages, cybersecurity concerns have the potential to derail an otherwise fast-growing smart buildings industry and its associated markets, primarily because of significant operational and financial losses that all stakeholders will have to sustain in the event of a cyber breach.

The following are the key conclusions:

  • The smart buildings industry has the ability to prevent, or at least minimise, the damaging impact of cyber threats if it acts in a timely manner.
  • The industry should consider creating and implementing a robust cybersecurity strategy, factoring in anticipated technology changes.
  • Development of a dedicated cybersecurity workforce, particularly the emergence of CISOs, is expected to be a widely sought after trend to service the smart buildings industry effectively.
  • Availability of products focused on cybersecurity is a key unmet need because ICS systems were not designed with cyber security in mind.
  • As more ICS equipment becomes networked, the silos of IT and OT must work in collaboration to maintain uptime, integration, security, and real-time visibility.
  • In the future, more secure systems, devices, and advanced authentication techniques are expected to enter the smart buildings industry. The ability to segment the network into risk or trust zones is important.
  • Cyber threats demand the utmost recognition and intervention of administrators and regulators to implement industry-wide changes.

Evolving technology, advances in connectivity, and an M2M environment will continue to shape the trajectory of smart buildings, as such raising the need for protection against cyber threats. David Fisk rightly states in his paper: “If intelligent buildings are the future, then so too are cyber threats to building services.” The question is not how but when a cyber attack will strike smart buildings. It would be in the interests of all stakeholders if an appropriate response strategy is put in place without delay, such that cyber threats do not exert a destabilising impact on the smart buildings industry.

About IAA

Established since 2001, Industrial Automation Asia (IAA) has emerged as the frontrunner in its industry. Our many achievements include being the first BPA audited automation publication in the region. Backed by a dedicated team of experienced professionals, IAA is committed to providing quality content for our readership of 33,000 registered professionals per issue, for both print and online.