Technology in Construction is Now a Reality, with Drones Leading the Charge
Building Up To Smart Skyscrapers
The Big Renewable Projects You Should Know About
NSW's New Construction Plan Calls for Transparency and Collaboration
Can Affordable Housing Even Out Construction Cycle?
How to Gain Leads and Get Ahead of the Competition
How Digital Drawings Are Transforming Construction
The New Green Toolkit — What You Need to Know
By Willow Aliento
April 16, 2018
With the emergence of smart buildings leveraging the Internet of Things and other digital technologies has come a whole new set of risks, according to cyber security experts.
The same system that allows for remote monitoring of HVAC, for example, can also provide a gateway for cyber criminals to hack into sensitive systems or information and hold the occupants or the entire company “hostage” until a ransom is paid.
It’s not science fiction – it has already happened. At the start of this year, the Romantik Seehotel Jaegerwirt hotel in Austria was the target of an attack. The hackers seized control of the hotel’s electronic door lock system and no guest could get in or out of their rooms. A ransom in bitcoin was demanded, and paid by management due to the urgent public safety issue involved.
Last month, the Internet of Things Security Foundation [IoTSF] established a Smart Buildings Working Group. Its aim is to develop globally-applicable frameworks that can be implemented from the base build through to completion to mitigate these kinds of risks. Norman Disney & Young [NDY] Cyber Security advisor, Alan Mihalic, has been appointed as the working group chair.
Mihalic tells Jobsite that cyber security needs to be factored in from the very beginning of a project. That is because buildings are not just the structure anymore, they are also information hubs and a point of data aggregation. With the emergence of IoT technologies, they are also effectively connected to the internet – 24/7.
As he wrote in an article for engineering.com, the points of connection are not just the standard IT systems such as computing. More and more often, they are also the HVAC, the fire protection system, the security system, the lighting, and the vertical transportation. Mihalic says devices going into buildings – both as part of the build and also any subsequent new devices or systems – need to be “accredited and scrutinised”. There are plenty of substandard devices on the market – and these can easily become points of vulnerability. Bring Your Own Device policies can also create issues without the right level of security smarts.
Mihalic points out that where a building has connectivity throughout, someone bringing in a phone or an iPad that has malware on it can lead to infecting a wider system. Or let’s imagine someone finds a USB stick in the car park, plugs it in their office computer to see what’s on it. It happens to have a virus, which can then spread throughout the entire organisation.
“Recent ransomware attacks are about finding a vulnerability and exploiting it,” he says.
Part of the solution is an “education process” for the buildings sector about the critical importance of factoring in cyber security from the very beginning. It’s not solely about protecting data. As attacks like the 2016 Hollywood Presbyterian Medical Center attack showed – it is also a matter of public safety.
“Everything that touches a network raises an incredible risk,” Mihalic says. “I envisage the day will come when buildings will require a cyber certificate.”
This is not out of the question when the safety aspect is considered . We already expect that if we use an elevator, it will have been certified to meet safety standards.
Because digital technologies are becoming so embedded in critical systems, such as fire protection, ventilation, lighting, security and others, it makes sense, he says, they should also have to be certified.
Another safety aspect that is key even during a build is the increasing use of biometric controls to determine who can and cannot access a site. Again, not something anyone should want to see hacked.
In an article for the IoTSF, Mihalic emphasises that, “The incorporation of cyber security design frameworks and risk-based analysis tools for building services needs to become part of the building industry professional’s toolkit.
“This by no means requires an HVAC specialist or design engineer become a cyber security expert, but it does require the consideration of cyber security controls to be factored into their designs.”
That is why it is important to have cyber security experts involved from the earliest days of detailed design, right through to commissioning, handover, and post-occupancy evaluation. Any system or device that collects, shares, or aggregates data needs to be viewed from the cyber engineer’s perspective, he says, so they can inspect the solution, review it, and ensure appropriate controls are put in place.
The IoTSF Smart Buildings Working Group aims to establish a comprehensive set of guidelines to help each of the supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely. This includes intelligent buildings equipment and controls, such as audio visual, fire, HVAC, lighting, and building security.
Independent cyber security expert and e-investigator, Simon Smith, says the human element also has to be taken into account. As he claims “the biggest weakness in any system is people.”
Risks can include data leaks or the stealing of information. As there are so many data streams and information sources involved in a business and also its building nowadays, he says every business should have a cyber-savvy person at the executive level that can “keep it all together”. Security needs to be mapped out as a process, he says. And if the company does not have a full-time cyber security expert, it needs to at least have a cyber security expert plan that can be put into action quickly.
Planning for cyber security is similar to a project plan, Smith explains. It maps out the inputs and the outputs and who’s going to do what. Overlaying the plan needs to be a system of regular audits.
There also need to be ground rules about who can have what information and strict rules concerning digital devices, such as laptops and USB sticks.
In looking at technology choices for smart buildings, he says the technology should be about meeting the needs of people, not technology for technology’s sake. Fundamentally, it comes down to “logic and commonsense” – things that can only emerge from “that technology called a human”, Smith says.
If you liked this article, here are a few more you may enjoy:
Smarter Buildings = A More Intelligent Future
Did You Build for You or the End User?
How Construction Technology is Saving Time, Money, and Jobs
When life is so busy, it can be easy to get into an unhealthy routine. Here are 11 easy ways to break up your routine and live a healthier, happier life…#1 Make your lunches for the entire week…on ... Read More
Maintaining a streamlined and efficient workflow is one of the primary goals of any construction firm. However, whether due to a lack of skilled la... Read More
Budget. Schedule. Quality. The trifecta of a project. But balancing that trifecta isn't easy to do. Our webinar, led by construction industry exper... Read More
Tim Kelly, S&P Technical Services Manager, looked at numerous document management systems, including EADOC and "probably 10 other systems." What bo... Read More
Workplace safety is a front-of-mind concern for any responsible construction company. Strict adherence and compliance with safety training regulati... Read More
Any construction company will have lots of data sloshing around, and many still rely on archaic methods of logging, filing and using that data, typ... Read More
May 14, 2018
The construction industry is on the rebound after the Great Recession and spending is at an all-time high. In November, investment in new projects ... Read More
May 21, 2018