By Willow Aliento
October 8, 2017
With the emergence of smart buildings leveraging the Internet of Things and other digital technologies has come a whole new set of risks, according to cyber security experts.
The same system that allows for remote monitoring of HVAC, for example, can also provide a gateway for cyber criminals to hack into sensitive systems or information and hold the occupants or the entire company “hostage” until a ransom is paid.
It’s not science fiction – it has already happened. At the start of this year, the Romantik Seehotel Jaegerwirt hotel in Austria was the target of an attack. The hackers seized control of the hotel’s electronic door lock system and no guest could get in or out of their rooms. A ransom in bitcoin was demanded, and paid by management due to the urgent public safety issue involved.
Last month, the Internet of Things Security Foundation [IoTSF] established a Smart Buildings Working Group. Its aim is to develop globally-applicable frameworks that can be implemented from the base build through to completion to mitigate these kinds of risks. Norman Disney & Young [NDY] Cyber Security advisor, Alan Mihalic, has been appointed as the working group chair.
Mihalic tells Jobsite that cyber security needs to be factored in from the very beginning of a project. That is because buildings are not just the structure anymore, they are also information hubs and a point of data aggregation. With the emergence of IoT technologies, they are also effectively connected to the internet – 24/7.
As he wrote in an article for engineering.com, the points of connection are not just the standard IT systems such as computing. More and more often, they are also the HVAC, the fire protection system, the security system, the lighting, and the vertical transportation. Mihalic says devices going into buildings – both as part of the build and also any subsequent new devices or systems – need to be “accredited and scrutinised”. There are plenty of substandard devices on the market – and these can easily become points of vulnerability. Bring Your Own Device policies can also create issues without the right level of security smarts.
Mihalic points out that where a building has connectivity throughout, someone bringing in a phone or an iPad that has malware on it can lead to infecting a wider system. Or let’s imagine someone finds a USB stick in the car park, plugs it in their office computer to see what’s on it. It happens to have a virus, which can then spread throughout the entire organisation.
“Recent ransomware attacks are about finding a vulnerability and exploiting it,” he says.
Part of the solution is an “education process” for the buildings sector about the critical importance of factoring in cyber security from the very beginning. It’s not solely about protecting data. As attacks like the 2016 Hollywood Presbyterian Medical Center attack showed, it is also a matter of public safety.
“Everything that touches a network raises an incredible risk,” Mihalic says. “I envisage the day will come when buildings will require a cyber certificate.”
This is not out of the question when the safety aspect is considered. We already expect that if we use an elevator, it will have been certified to meet safety standards.
Because digital technologies are becoming so embedded in critical systems, such as fire protection, ventilation, lighting, security and others, it makes sense, he says, that they should also have to be certified.
Another safety aspect that is key even during a build is the increasing use of biometric controls to determine who can and cannot access a site. Again, not something anyone should want to see hacked.
In an article for the IoTSF, Mihalic emphasises that, “The incorporation of cyber security design frameworks and risk-based analysis tools for building services needs to become part of the building industry professional’s toolkit.
“This by no means requires an HVAC specialist or design engineer become a cyber security expert, but it does require the consideration of cyber security controls to be factored into their designs.”
That is why it is important to have cyber security experts involved from the earliest days of detailed design, right through to commissioning, handover, and post-occupancy evaluation. Any system or device that collects, shares, or aggregates data needs to be viewed from the cyber engineer’s perspective, he says, so they can inspect the solution, review it, and ensure appropriate controls are put in place.
The IoTSF Smart Buildings Working Group aims to establish a comprehensive set of guidelines to help each of the supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely. This includes intelligent buildings equipment and controls, such as audio visual, fire, HVAC, lighting, and building security.
Independent cyber security expert and e-investigator, Simon Smith, says the human element also has to be taken into account. As he claims, “the biggest weakness in any system is people.”
Risks can include data leaks or the stealing of information. As there are so many data streams and information sources involved in a business and also its building nowadays, he says every business should have a cyber-savvy person at the executive level that can “keep it all together”. Security needs to be mapped out as a process, he says. And if the company does not have a full-time cyber security expert, it needs to at least have a cyber security expert plan that can be put into action quickly.
Planning for cyber security is similar to a project plan, Smith explains. It maps out the inputs and the outputs and who’s going to do what. Overlaying the plan needs to be a system of regular audits.
There also need to be ground rules about who can have what information and strict rules concerning digital devices, such as laptops and USB sticks.
In looking at technology choices for smart buildings, he says the technology should be about meeting the needs of people, not technology for technology’s sake. Fundamentally, it comes down to “logic and commonsense” – things that can only emerge from “that technology called a human”, Smith says.