A workplace that automatically changes room temperature based on weather forecasts, an office block that alerts security when a stranger enters a protected area, a factory capable of optimizing energy use. Once upon a time, such technological advancements would have elevated a brick-and-mortar structure to the realm of science fiction. Today, they are simply known as ‘smart.’ In fact, so rapidly has the digital age infiltrated our lives that it now permeates the very walls of the cities we live in, making smart buildings not just an option for modern life, but a necessity.
Through a connected web of digitally-enabled devices, networks and applications, smart buildings serve as a link between the physical and digital worlds. They bring together key features of connectivity, automation, open architecture and interoperability to optimize the total performance of buildings, businesses and their occupants, creating immense business value in the process.
However, as the world has come to learn, all digital developments have a dark side, and as these 21st-century edifices develop, so too do the cybersecurity issues that threaten to undermine their foundations. With tremendous complexity and integration of systems, smart buildings represent an increasingly valuable target for hackers. In an age when the question is not if, but when, a hack attempt will occur, it is no longer enough for a building to be smart; it must be cyber-smart.
In the already-complicated battle against cyber threats, smart buildings face another complex and unique challenge—they are not just susceptible to data breaches and IT service disruptions; building automation systems affect the physical world too. As an organization connects its systems to IP networks, external access and the cloud, the potential exists for hackers to take down entire business operations.
What’s more, the same capabilities that provide beneficial new features to smart buildings can also introduce cyber risk to their occupants and to an organization’s bottom line. Risk scenarios include manipulation of heating or cooling at temperature-sensitive locations such as food manufacturing facilities or in corporate buildings where significant business disruption can result. They could also include the shutting down of vital temperature control or power management functions at a data center, potentially destroying IT equipment and taking business-critical applications offline; or the possibility of an attacker gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks.
Such scenarios may seem far-fetched, but real-world examples are growing in number. Recent instances include a case where researchers hacked the building control system at a large internet search provider, allowing them to gain administrative access to digital building control panels. In another case, hackers took control of hundreds of rooms in a hi-tech Chinese hotel, enabling them to manipulate control systems and steal guest data. Then, in a third example, domain name system (DNS) provider Dyn was targeted, causing major internet outages across Europe and North America. The devices targeted included cameras, digital recorders and printers—many of the same devices installed throughout smart buildings.
As these cases demonstrate, the threat is real. However, it is important to remember that data breaches and attacks on physical infrastructure are not inevitable. With the right consideration and preparation, stakeholders—whether building owners, operators or managers—can shore up their defenses and transform their smart buildings into formidable fortresses.
Of course, with buildings, this is easier said than done, not least because old and multi-generational building infrastructure limits the options available. Unlike a smartphone that can be replaced almost every year, these capital assets are built to last decades, and only in recent years has security become a thought in the building design process. The result is a mix of old and new infrastructure, which inherently limits the types of security protections that can be layered into the smart building environment. As a result, there are no holistic “plug and play” cyber solutions. Securing the smart building environment takes a blended approach of risk-based planning, security architecture, technology, processes and people skills.