Perspectives

Is Your Building Cyber-Smart?

Written by Adham Sleiman and Ziad Nasrallah

From Cyber-smart to Cyber-secure: Smart Buildings and the Risk of Attack

A workplace that automatically changes room temperature based on weather forecasts, an office block that alerts security when a stranger enters a protected area, a factory capable of optimizing energy use. Once upon a time, such technological advancements would have ascended a brick-and-mortar structure to the realm of science fiction. Today, they are simply known as ‘smart.’ In fact, so rapidly has the digital age infiltrated our lives, it now permeates the very walls of the cities we live in, making smart buildings not just an option for modern life, but a necessity.

Through a connected web of digitally-enabled devices, networks and applications, smart buildings serve as a link between the physical and digital worlds. They bring together key features of connectivity, automation, open architecture and interoperability to optimize the total performance of buildings, businesses and their occupants, creating immense business value in the process.

However, as the world has come to learn, all digital developments have a dark side and as these 21^st century edifices develop, so too do the cybersecurity issues that threaten to undermine their foundations. With tremendous complexity and integration of systems, smart buildings represent an increasingly valuable target for hackers and in an age when the question is not if, but when, a hack attempt will occur, it is no longer enough for a building to be smart, it must be cyber-smart.

In the already-complicated battle against cyber threats, smart buildings face another complex and unique challenge—they are not just susceptible to data breaches and IT service disruptions; building automation systems affect the physical world too. As an organization connects its systems to IP networks, external access and the cloud, the potential exists for hackers to take down entire business operations.

What’s more, the same capabilities that provide beneficial new features to smart buildings can also introduce cyber risk to their occupants and to an organization’s bottom line. Risk scenarios include manipulation of heating or cooling at temperature-sensitive locations such as food manufacturing facilities or in corporate buildings where significant business disruption can result. They could also include the shutting down of vital temperature control or power management functions at a data center, potentially destroying IT equipment and taking business-critical applications offline; or the possibility of an attacker gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks.

Such scenarios may seem far-fetched, but real-world examples are growing in number. Recent instances include a case where researchers hacked the building control system at a large internet search provider, allowing them to gain administrative access to digital building control panels. In another case, hackers took control of hundreds of rooms in a hi-tech Chinese hotel, enabling them to manipulate control systems and steal guest data. Then, in a third example, domain name system (DNS) provider, Dyn, was targeted, causing major internet outages across Europe and North America. The devices targeted included cameras, digital recorders and printers—many of the same devices installed throughout smart buildings.

As these cases demonstrate, the threat is real. However, it is important to remember that data breaches and attacks on physical infrastructure are not inevitable. With the right consideration and preparation, stakeholders—whether building owners, operators or managers—can shore up their defenses and transform their smart buildings into formidable fortresses.

Of course, with buildings, this is easier said than done, not least because old and multi-generational building infrastructure limits the options available. Unlike a smartphone that can be replaced almost every year, these capital assets are built to last decades, and only in recent years has security become a thought in the building design process. The result is a mix of old and new infrastructure, which inherently limits the types of security protections that can be layered into the smart building environment. As a result, there are no holistic “plug and play” cyber solutions. Securing the smart building environment takes a blended approach of risk-based planning, security architecture, technology, processes and people skills.

Five Steps to Frame the Cyber Challenge

Still, though the challenge is complex, it is not insurmountable. Here are five foundational steps to frame the cyber challenge and help smart building stakeholders to keep their foundations safe and secure.

1. Observe and orient around a specific challenge
As a first step, operators and managers need to decide which elements of their smart building matter most. Is it the connected physical security system? Or, ensuring continuous uptime of a data center? From here, the next step is to map the attack surface and the available pathways to sensitive assets. Here, it is useful to incorporate credible cyber threat intelligence that can help gauge the likelihood of different threats. Collectively, this systematic process can assist in determining the real cyber risk landscape—and defending against it.

2. Forget old silos
For cyber risks to be well managed, buy-in from across the business is vital. IT, cybersecurity and facility teams typically have the expertise and the access to take the lead. Working together as one cohesive unit, they also need to coordinate with a range of internal and external stakeholders. Externally, it is important to work with business partners and vendors that materially invest in and value cybersecurity. Across all of these stakeholders, trusted partnerships are indispensable.

3. Change the culture
Even with the smartest team, the most expert capabilities and the most advanced technology solutions, cybersecurity will fail if support from across the ecosystem is lacking. With this in mind, it is vital that the cyber issue is heard loud and clear amongst an organization’s leadership and stakeholders. To foster support, smart building owners, operators and managers must build a culture that understands the intrinsic relationship between cybersecurity and the future of a business.

4. Build the right capabilities
Shoring up a building against a cyberattack is about more than just acquiring the right technologies; deployment of technological tools must be balanced with investments in people and processes. As part of this effort, it is important to incorporate cybersecurity across the smart building lifecycle, being careful not to overburden the process.

5. Get operational
Checking the box on today’s threat is all well and good, but what about the threat of tomorrow? Cyber attackers are ever-evolving adversaries, so it is crucial to continually monitor internal and external intelligence to understand the continuously-changing risk profile. ‘Allies’ such as building controls manufacturers and analytics service providers with a demonstrated commitment to product security can also help smart building stay ahead.

Perspectives

Cybersecurity: The Millennial Dimension

Read about how the MENA region’s government, industry, and academic stakeholders can play their part in attracting millennial cybersecurity talent. Read More

Perspectives