Cybersecurity – Are Smart Buildings and its Data Vulnerable to Malware Attacks?

17 December 2020 | Updated 28 January 2022
 

As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought?

In 2020, Boris Johnson announced a £16.5 billion increase to defence spending, stating that a substantial amount of this will be spent on cybersecurity defences.

When it comes to property and smart building systems, a huge amount of data is collected about the building and the people who use it. What are the vulnerabilities of such systems and how can they be overcome?

ThisWeekinFM spoke to Mike Gillespie, Managing Director and Co-Founder of security consultancy Advent IM, about this issue. Gillespie is an experienced, senior information security and data protection practitioner. Having been a member of the CSCIS Global Cybersecurity Select Committee for some time, he is now the Vice President of C3i Group on cybersecurity, cybercrime and cyber intelligence.

He also serves as a cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and as the Cyber Security Lead Adviser for the UK government’s Surveillance Camera Commissioner.

 

"Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, their ability to do actual harm to people and assets increases with it." 

 

Smart Buildings and Health and Safety  

 

Some buildings are born smart, others have smartness thrust upon them. Many buildings fall into that latter category…

There is a whole industry growing up around web-enabling systems that were never meant to be internet-facing, sometimes because of a legitimate need, such as the need to manage them more efficiently or frequently over multiple sites. The need to do this, however, is not always supported by appropriate cybersecurity controls that are designed and implemented effectively, to enable that system to be safely and securely managed whilst achieving the functional needs. Even less focus is placed upon the longevity of resilience in this area.

It is accepted and expected that a building, new or in use, should comply with a wide range of regulatory requirements to be considered suitable and safe. There are a variety of standards that are employed for this, across health and safety, social inclusivity and the environment too. But there is nothing that says the systems that are integrated into a building, operating over cyberspace, systems that could potentially make both the building and its inhabitants vulnerable, should be robust and secure. Nothing that compels designers, engineers, architects, builders or users to embed and maintain a level of cybersecurity that is anywhere approaching the level of requirements that need to be fulfilled for health and safety, despite the fact these systems could in fact impact health and safety.

 

 

Cybersecurity Seen as an “Inconvenience”

 

Indeed, in the smart building world, cybersecurity is seen as a bit of an inconvenience. At best, it is considered a nice-to-have rather than a need-to-have, which is a lost opportunity. At worst, it is considered something to avoid at all costs, which is tantamount to cutting corners with electrical or fabric safety... When it is considered, it is frequently an afterthought, and again this is a wasted opportunity to do it brilliantly and with an eye on the horizon. A bit like building a five-storey office block then deciding you want to put a lift in afterwards.

Modern building systems, by their very nature, generate data, lots of data.  Not fully considering the management of the information lifecycle as part of a smart building strategy often also means losing the ability to use, manage, share and exploit this information as a critical asset.

Furthermore, some of this is actually personal data, and provision for its collection, management, storage and deletion should be compliant with The Data Protection Act (2018).  It is vital therefore that smart buildings are considered from the perspective of Data Protection by design, Data Protection by default.

Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, their ability to do actual harm to people and assets increases with it. Assuming that data generated by a smart building system is not going to be of interest to someone is unwise. We have no idea what information may be useful to various threat actors, or what data they may be able to aggregate from various sources into something useful to them. So, data creation, management and retention policies for the data these systems generate need to be in place to decide what stays, what goes and what needs to be protected.

Whilst you could take some interpretation of SABRE to cover information security, this is nowhere near adequate for a smart building:

 

  • S Sources of information and also collaboration – where is information being generated, and does it need protection, storage or deletion? What professionals are available to collaborate with to ensure cybersecurity is embedded in building systems?
  • M Malware can and does attack any internet-facing system. If you have a web-enabled system, then you do do cybersecurity.
  • A Availability. Who needs access to what and when? Don’t take a risk-averse attitude to cybersecurity; remember that security’s function is not to prevent all access, it is to protect valuable, necessary or sensitive information assets in an appropriate manner.
  • R Resilience and Risk reduction. Security’s role is to reduce and manage risk. The threat landscape changes constantly so risk may change in quite a volatile manner. Having an agile approach to cyber risk is vital. Is your cyber strategy able to cope with this whilst horizon scanning too?
  • T Threat assessments should always consider and cover cybersecurity threats if you have an asset that could be impacted from cyberspace. The days of physical security in one camp and cyber in another are over.

 

Article written by Mike Gillespie | Published 17 December 2020
