The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Cybersecurity – Are Smart Buildings and its Data Vulnerable to Malware Attacks?

Cybersecurity – Are Smart Buildings and Its Data Vulnerable to Malware Attacks?
17 December 2020

As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought?

In Boris Johnson’s recent announcement of a £16.5bn increase to defence spending, he stated that a substantial amount of this will be spent on cybersecurity defences.

When it comes to property and smart building systems, a huge amount of data is collected about the building and the people who use it. What are the vulnerabilities of such systems and how can they be overcome?

ThisWeekinFM spoke to Mike Gillespie, Managing Director and Co-Founder of security consultancy Advent IM about this issue. Gillespie is an experienced, senior information security and data protection practitioner.  Having been a member of the CSCIS Global Cybersecurity Select Committee for some time, he is now the Vice President of C3i Group on cybersecurity, cybercrime and cyber intelligence.

He also serves as a cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and also as the Cyber Security Lead Adviser for the UK government’s Surveillance Camera Commissioner. 


"Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, their ability to do actual harm to people and assets increases with it." 


Smart Buildings and Health and Safety  


Some buildings are born smart, others have smartness thrust upon them. Many buildings fall into that latter category…

There is a whole industry growing up around web-enabling systems that were never meant to be internet-facing, sometimes because of a legitimate need, such as the need manage them more efficiently or frequently over multiple sites. The need to do this however, is not always supported by appropriate cybersecurity controls that are designed and implemented effectively, to enable that system to be safely and securely managed whilst achieving the functional needs. Even less focus is placed up on the longevity of resilience in this area.

It is accepted and expected that a building, new or in use, should comply with a wide range of regulatory requirements to be considered suitable and safe. There are a variety of standards that are employed for this, across health and safety, social inclusivity and the environment too. But there is nothing that says the systems that are integrated into a building, operating over cyberspace, systems that could potentially make both the building and its inhabitants vulnerable, should be robust and secure. Nothing that compels designers, engineers, architects, builders or users to embed and maintain a level of cybersecurity that is anywhere approaching the level of requirements that need to be fulfilled for health and safety, despite the fact these systems could in fact impact health and safety.


Mike Gillespie

Picture: a photograph of Mike Gillespie


Cybersecurity Seen as an “Inconvenience”


Indeed, in the smart building world, cybersecurity is seen as a bit of an inconvenience, at best it is considered a nice to have not a need to have which is a lost opportunity. At worst, it is considered something to avoid at all costs, which is tantamount to cutting corners with electrical or fabric safety... When it is considered, it is frequently an after-thought, and again this is a wasted opportunity to do it brilliantly and with an eye on the horizon. A bit like building a five-storey office block then deciding you want to put a lift in afterwards.

Modern building systems, by their very nature, generate data, lots of data.  Not fully considering the management of the information lifecycle as part of a smart building strategy often also means losing the ability to use, manage, share and exploit this information as a critical asset.

Furthermore, some of this is actually personal data, and provision for its collection, management, storage and deletion should be compliant with The Data Protection Act (2018).  It is vital therefore that smart buildings are considered from the perspective of Data Protection by design, Data Protection by default.

Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, their ability to do actual harm to people and assets increases with it. Assuming that data generated by a smart building system is not going to be of interest to someone is unwise. We have no idea what information may be useful to various threat actors, or what data they may be able to aggregate various sources into to make something useful to them. So, data creation, management and retention policies for the data these systems generate need to be in place to decide what stays, what goes and what needs to be protected. 

Whilst you could take some interpretation of SABRE to cover information security, this is nowhere near adequate for a smart building:


  • S Sources of information and also collaboration – where is information being generated, does it need protection, storage or deletion. What professionals are available to collaborate with to ensure cybersecurity is embedded in building systems?
  • M Malware can and does attack any internet-facing system. If you have a web-enabled system, then you do do cybersecurity.
  • A Availability. Who needs access to what and when? Don’t take a risk-averse attitude to cybersecurity, remember that security function is not to prevent all access, it is to protect valuable, necessary or sensitive information assets in an appropriate manner.
  • R Resilience and Risk reduction. Security’s role is to reduce and manage risk. The threat landscape changes constantly so risk may change in quite a volatile manner. Having an agile approach to cyber risk is vital. Is your cyber strategy able to cope with this whilst horizon scanning too?
  • T Threat assessments should always consider and cover cybersecurity threats if you have an asset that could be impacted form cyberspace. The days of Physical security in one camp and cyber in another are over.


Picture: a graphic showing a map of the world, with lock symbols across the top

Article written by Mike Gillespie | Published 17 December 2020


Related Articles

Smart Ventilation System Given Passivhaus Certification

SAV Systems' AirMaster AM 1000, a mechanical ventilation unit, has been awarded Passivhaus Component certification. The flagship AM 1000 is the first...

 Read Full Article
Report Suggests Knowledge of Smart Windows Amongst FMs is Lacking

One of the biggest growth barriers for the smart windows and glass market is a lack of end-user experience and education, according to trend analysis...

 Read Full Article
Disruptive Technologies Named Property Tech Company Of The Year

Disruptive Technologies, the creator of the world’s smallest wireless sensors, has been named the Property Tech Company of the Year at the Global Business Tech...

 Read Full Article
Monitoring Energy Usage at Met Office HQ

Ralph James, FM & Technical Services Manager at the Met Office, explains how the latest sensor technology has allowed him to monitor the temperature and gather air...

 Read Full Article
Southworks at Rushworth Street Wins World's Smartest Building

MiddleCap, the real estate-focused investment group, has announced that its Southworks office development on Rushworth Street, London has been named the world’s...

 Read Full Article
Half of UK Employees Want Access to Workplace Virus Data

Infogrid has announced the results of a survey it conducted on what employees expectations for a healthy workplace are, as restrictions ease in England. Surveying...

 Read Full Article
Ericsson’s 5G Smart Factory Recognised by World Economic Forum

Ericsson’s Texas factory runs on 100 per cent renewable electricity and has been identified as a Fourth Industrial Revolution (4IR) pioneer. The World Economic...

 Read Full Article
24% of Planners Say Smart Cities Will be a Security Challenge 

Urban design professionals believe that the use of smart technology in public spaces could pose a security threat. Smart city technology can bring a great many...

 Read Full Article
Smart Building Opportunities for Printed Sensors

Smart buildings promise automated control of the buildings’ operations, along with integrated technology for human-machine...

 Read Full Article
Infogrid Raises $15.5m to Make “Any Building Smart”

Infogrid, the artificial intelligence technology company that automates facilities management and makes any building smart, has raised $15.5m from a combination of UK and...

 Read Full Article