Home News Community

How can we manage the hacking risks of smart buildings?


 With the emergence of smart buildings leveraging the Internet of Things and other digital technologies has come a whole new set of risks, according to cyber security experts.

The same system that allows for remote monitoring of HVAC, for example, can also provide a gateway for cyber criminals to hack into sensitive systems or information and hold the occupants or the entire company “hostage” until a ransom is paid.

It’s not science fiction – it has already happened. At the start of this year, the Romantik Seehotel Jaegerwirt hotel in Austria was the target of an attack. The hackers seized control of the hotel’s electronic door lock system and no guest could get in or out of their rooms. A ransom in bitcoin was demanded, and paid by management due to the urgent public safety issue involved.

Last month, the Internet of Things Security Foundation [IoTSF] established a Smart Buildings Working Group. Its aim is to develop globally-applicable frameworks that can be implemented from the base build through to completion to mitigate these kinds of risks. Norman Disney & Young [NDY] Cyber Security advisor, Alan Mihalic, has been appointed as the working group chair.

Its aim is to develop globally-applicable frameworks that can be implemented from the base build through to completion to mitigate these kinds of risks. 

Mihalic tells Jobsite that cyber security needs to be factored in from the very beginning of a project. That is because buildings are not just the structure anymore, they are also information hubs and a point of data aggregation. With the emergence of IoT technologies, they are also effectively connected to the internet – 24/7.

As he wrote in an article for engineering.com, the points of connection are not just the standard IT systems such as computing. More and more often, they are also the HVAC, the fire protection system, the security system, the lighting, and the vertical transportation. Mihalic says devices going into buildings – both as part of the build and also any subsequent new devices or systems – need to be “accredited and scrutinised”.    There are plenty of substandard devices on the market – and these can easily become points of vulnerability. Bring Your Own Device policies can also create issues without the right level of security smarts.

Mihalic points out that where a building has connectivity throughout, someone bringing in a phone or an iPad that has malware on it can lead to infecting a wider system. Or let’s imagine someone finds a USB stick in the car park, plugs it in their office computer to see what’s on it. It happens to have a virus, which can then spread throughout the entire organisation.

“Recent ransomware attacks are about finding a vulnerability and exploiting it,” he says. 

“Recent ransomware attacks are about finding a vulnerability and exploiting it,” he says.

Part of the solution is an “education process” for the buildings sector about the critical importance of factoring in cyber security from the very beginning. It’s not solely about protecting data. As attacks like the 2016 Hollywood Presbyterian Medical Center attack showed – it is also a matter of public safety.

“Everything that touches a network raises an incredible risk,” Mihalic says. “I envisage the day will come when buildings will require a cyber certificate.”

This is not out of the question when the safety aspect is considered . We already expect that if we use an elevator, it will have been certified to meet safety standards.

Because digital technologies are becoming so embedded in critical systems, such as fire protection, ventilation, lighting, security and others, it makes sense, he says, they should also have to be certified.

Another safety aspect that is key even during a build is the increasing use of biometric controls to determine who can and cannot access a site. Again, not something anyone should want to see hacked.

In an article for the IoTSF, Mihalic emphasises that, “The incorporation of cyber security design frameworks and risk-based analysis tools for building services needs to become part of the building industry professional’s toolkit.

“This by no means requires an HVAC specialist or design engineer become a cyber security expert, but it does require the consideration of cyber security controls to be factored into their designs.”

That is why it is important to have cyber security experts involved from the earliest days of detailed design, right through to commissioning, handover, and post-occupancy evaluation. Any system or device that collects, shares, or aggregates data needs to be viewed from the cyber engineer’s perspective, he says, so they can inspect the solution, review it, and ensure appropriate controls are put in place.

"Any system or device that collects, shares, or aggregates data needs to be viewed from the cyber engineer’s perspective," he says. 

The IoTSF Smart Buildings Working Group aims to establish a comprehensive set of guidelines to help each of the supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely. This includes intelligent buildings equipment and controls, such as audio visual, fire, HVAC, lighting, and building security.

Independent cyber security expert and e-investigator, Simon Smith, says the human element also has to be taken into account. As he claims “the biggest weakness in any system is people.”

Risks can include data leaks or the stealing of information.  As there are so many data streams and information sources involved in a business and also its building nowadays, he says every business should have a cyber-savvy person at the executive level that can “keep it all together”. Security needs to be mapped out as a process, he says. And if the company does not have a full-time cyber security expert, it needs to at least have a cyber security expert plan that can be put into action quickly.

Planning for cyber security is similar to a project plan, Smith explains. It maps out the inputs and the outputs and who’s going to do what. Overlaying the plan needs to be a system of regular audits.

There also need to be ground rules about who can have what information and strict rules concerning digital devices, such as laptops and USB sticks.

In looking at technology choices for smart buildings, he says the technology should be about meeting the needs of people, not technology for technology’s sake. Fundamentally, it comes down to “logic and commonsense” – things that can only emerge from “that technology called a human”, Smith says.

If you liked this article, here are a few more you may enjoy: 

Smarter Buildings = A More Intelligent Future

Did You Build for You or the End User?

How Construction Technology is Saving Time, Money, and Jobs


Add New Comment