
Cybersecurity – Are Smart Buildings and its Data Vulnerable to Malware Attacks?

17 December 2020 | Updated 28 January 2022

As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought?

In 2020, Boris Johnson announced a £16.5 billion increase to defence spending, stating that a substantial amount of this will be spent on cybersecurity defences.

When it comes to property and smart building systems, a huge amount of data is collected about the building and the people who use it. What are the vulnerabilities of such systems and how can they be overcome?

ThisWeekinFM spoke to Mike Gillespie, Managing Director and Co-Founder of security consultancy Advent IM about this issue. Gillespie is an experienced, senior information security and data protection practitioner.  Having been a member of the CSCIS Global Cybersecurity Select Committee for some time, he is now the Vice President of C3i Group on cybersecurity, cybercrime and cyber intelligence.

He also serves as a cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and as the Cyber Security Lead Adviser for the UK government’s Surveillance Camera Commissioner.




Smart Buildings and Health and Safety  


Some buildings are born smart, others have smartness thrust upon them. Many buildings fall into that latter category…

There is a whole industry growing up around web-enabling systems that were never meant to be internet-facing, sometimes because of a legitimate need, such as the need to manage them more efficiently or frequently over multiple sites. The need to do this, however, is not always supported by appropriate cybersecurity controls that are designed and implemented effectively to enable that system to be safely and securely managed whilst achieving the functional needs. Even less focus is placed upon the longevity of resilience in this area.

It is accepted and expected that a building, new or in use, should comply with a wide range of regulatory requirements to be considered suitable and safe. There are a variety of standards that are employed for this, across health and safety, social inclusivity and the environment too. But there is nothing that says the systems that are integrated into a building, operating over cyberspace, systems that could potentially make both the building and its inhabitants vulnerable, should be robust and secure. Nothing that compels designers, engineers, architects, builders or users to embed and maintain a level of cybersecurity that is anywhere approaching the level of requirements that need to be fulfilled for health and safety, despite the fact these systems could in fact impact health and safety.




Cybersecurity Seen as an “Inconvenience”


Indeed, in the smart building world, cybersecurity is seen as a bit of an inconvenience. At best it is considered a nice-to-have, not a need-to-have, which is a lost opportunity. At worst, it is considered something to avoid at all costs, which is tantamount to cutting corners with electrical or fabric safety... When it is considered, it is frequently an afterthought, and again this is a wasted opportunity to do it brilliantly and with an eye on the horizon. A bit like building a five-storey office block then deciding you want to put a lift in afterwards.

Modern building systems, by their very nature, generate data, lots of data.  Not fully considering the management of the information lifecycle as part of a smart building strategy often also means losing the ability to use, manage, share and exploit this information as a critical asset.

Furthermore, some of this is actually personal data, and provision for its collection, management, storage and deletion should be compliant with The Data Protection Act (2018).  It is vital therefore that smart buildings are considered from the perspective of Data Protection by design, Data Protection by default.

Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, their ability to do actual harm to people and assets increases with it. Assuming that data generated by a smart building system is not going to be of interest to someone is unwise. We have no idea what information may be useful to various threat actors, or what data they may be able to aggregate from various sources to make something useful to them. So, data creation, management and retention policies for the data these systems generate need to be in place to decide what stays, what goes and what needs to be protected.

Whilst you could take some interpretation of SABRE to cover information security, this is nowhere near adequate for a smart building:


  • S Sources of information and also collaboration – where is information being generated, does it need protection, storage or deletion. What professionals are available to collaborate with to ensure cybersecurity is embedded in building systems?
  • M Malware can and does attack any internet-facing system. If you have a web-enabled system, then you do do cybersecurity.
  • A Availability. Who needs access to what and when? Don’t take a risk-averse attitude to cybersecurity; remember that security’s function is not to prevent all access, it is to protect valuable, necessary or sensitive information assets in an appropriate manner.
  • R Resilience and Risk reduction. Security’s role is to reduce and manage risk. The threat landscape changes constantly so risk may change in quite a volatile manner. Having an agile approach to cyber risk is vital. Is your cyber strategy able to cope with this whilst horizon scanning too?
  • T Threat assessments should always consider and cover cybersecurity threats if you have an asset that could be impacted from cyberspace. The days of physical security in one camp and cyber in another are over.



Article written by Mike Gillespie | Published 17 December 2020

