By Willow Aliento
October 8, 2017
With the emergence of smart buildings leveraging the Internet of Things and other digital technologies has come a whole new set of risks, according to cyber security experts.
The same system that allows for remote monitoring of HVAC, for example, can also provide a gateway for cyber criminals to hack into sensitive systems or information and hold the occupants or the entire company “hostage” until a ransom is paid.
It’s not science fiction – it has already happened. At the start of this year, the Romantik Seehotel Jaegerwirt hotel in Austria was the target of an attack. The hackers seized control of the hotel’s electronic door lock system and no guest could get in or out of their rooms. A ransom in bitcoin was demanded, and paid by management due to the urgent public safety issue involved.
Last month, the Internet of Things Security Foundation [IoTSF] established a Smart Buildings Working Group. Its aim is to develop globally-applicable frameworks that can be implemented from the base build through to completion to mitigate these kinds of risks. Norman Disney & Young [NDY] Cyber Security advisor, Alan Mihalic, has been appointed as the working group chair.
Mihalic tells Jobsite that cyber security needs to be factored in from the very beginning of a project. That is because buildings are not just the structure anymore, they are also information hubs and a point of data aggregation. With the emergence of IoT technologies, they are also effectively connected to the internet – 24/7.
As he wrote in an article for engineering.com, the points of connection are not just the standard IT systems such as computing. More and more often, they are also the HVAC, the fire protection system, the security system, the lighting, and the vertical transportation. Mihalic says devices going into buildings – both as part of the build and also any subsequent new devices or systems – need to be “accredited and scrutinised”. There are plenty of substandard devices on the market – and these can easily become points of vulnerability. Bring Your Own Device policies can also create issues without the right level of security smarts.
Mihalic points out that where a building has connectivity throughout, someone bringing in a phone or an iPad that has malware on it can lead to infecting a wider system. Or let’s imagine someone finds a USB stick in the car park, plugs it in their office computer to see what’s on it. It happens to have a virus, which can then spread throughout the entire organisation.
“Recent ransomware attacks are about finding a vulnerability and exploiting it,” he says.
Part of the solution is an “education process” for the buildings sector about the critical importance of factoring in cyber security from the very beginning. It’s not solely about protecting data. As incidents like the 2016 Hollywood Presbyterian Medical Center attack showed, it is also a matter of public safety.
“Everything that touches a network raises an incredible risk,” Mihalic says. “I envisage the day will come when buildings will require a cyber certificate.”
This is not out of the question when the safety aspect is considered. We already expect that if we use an elevator, it will have been certified to meet safety standards.
Because digital technologies are becoming so embedded in critical systems, such as fire protection, ventilation, lighting, security and others, it makes sense, he says, that they should also have to be certified.
Another safety aspect that is key even during a build is the increasing use of biometric controls to determine who can and cannot access a site. Again, not something anyone should want to see hacked.
In an article for the IoTSF, Mihalic emphasises that, “The incorporation of cyber security design frameworks and risk-based analysis tools for building services needs to become part of the building industry professional’s toolkit.
“This by no means requires an HVAC specialist or design engineer become a cyber security expert, but it does require the consideration of cyber security controls to be factored into their designs.”
That is why it is important to have cyber security experts involved from the earliest days of detailed design, right through to commissioning, handover, and post-occupancy evaluation. Any system or device that collects, shares, or aggregates data needs to be viewed from the cyber engineer’s perspective, he says, so they can inspect the solution, review it, and ensure appropriate controls are put in place.
The IoTSF Smart Buildings Working Group aims to establish a comprehensive set of guidelines to help each of the supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely. This includes intelligent buildings equipment and controls, such as audio visual, fire, HVAC, lighting, and building security.
Independent cyber security expert and e-investigator, Simon Smith, says the human element also has to be taken into account. As he claims, “the biggest weakness in any system is people.”
Risks can include data leaks or the stealing of information. As there are so many data streams and information sources involved in a business and also its building nowadays, he says every business should have a cyber-savvy person at the executive level that can “keep it all together”. Security needs to be mapped out as a process, he says. And if the company does not have a full-time cyber security expert, it needs to at least have a cyber security expert plan that can be put into action quickly.
Planning for cyber security is similar to a project plan, Smith explains. It maps out the inputs and the outputs and who’s going to do what. Overlaying the plan needs to be a system of regular audits.
There also need to be ground rules about who can have what information and strict rules concerning digital devices, such as laptops and USB sticks.
In looking at technology choices for smart buildings, he says the technology should be about meeting the needs of people, not technology for technology’s sake. Fundamentally, it comes down to “logic and commonsense” – things that can only emerge from “that technology called a human”, Smith says.