Cybersecurity in Smart Buildings

Cybersecurity has typically been the number one barrier to smart buildings. Security, privacy, integrity, and availability of data are top concerns. We have seen some solutions beginning to address this issue, but the concern is high on the agenda of most customers. 

There is a real need for industry standards that create a benchmark for everyone to comply with. 

As more IoT components connect to the internet, the risk increases. We need to work together to minimise the risk, adopting commonly agreed best-practice approaches and standards for governing BIoT systems and devices.

Why is cybersecurity important?

• We need smart buildings because they are more environmentally friendly, create healthier/more productive environments for employees, improve efficiency and insight, save costs, and enable predictive maintenance.

• Connectivity is essential for any building’s infrastructure, but as hybrid working becomes more common, we are seeing disparate workforces in various locations - whether that’s at home, in the office or in a hot desk collaborative space. Therefore, technology is the key to enabling business continuity.

• Vast amounts of data are collected from various sources, and landlords and facility managers need to be able to access it without compromising security.

• The ever-growing number of networked IoT devices and the convergence of OT and IT present new challenges. Cyber-breaching a single connected operational device could put the whole network at risk causing disruption to production, hindering business continuity, and exposing people to further danger.

• The smart revolution has happened quickly, and demand continues to increase, but cybersecurity is moving much more slowly. Historically it has not been of paramount concern for facilities management, as complex; proprietary protocols sheltered them from attack. To progress, the industry has adopted more open protocols that make integration more seamless and, therefore, can easily connect to the internet and other devices, creating many positive opportunities but also increasing the potential points of vulnerability.

• Studies have shown that 57% of IoT devices are vulnerable to medium or high-severity attacks.

What are the concerns?

• Increased vulnerability of cyber-attacks.

• Building users expect a seamless, fully connected in-building experience; any security solution must complement, not restrict, frictionless movement.

• Regular and proactive testing of cybersecurity systems is essential.

• Successful attacks of smart, connected systems or devices can not only lead to disruption to building operations or day to day working practices, but they can also potentially leave the company open to a wider enterprise systems breach.

• The immediate costs of a data breach can be in the millions of pounds, but damage to the brand reputation, as a result, can further compound these costs in the long term.

What are the positives?

• With the right technology at their fingertips, and the correct protocols in place, landlords can equip their offices for the modern, tech-loving workforce.

• Occupant happiness, productivity and comfort can improve, leading to a reduction in sick days and increased staff retention.

• Recent years have seen steady improvements in both the attitude of vendors, and cybersecurity provisions in common smart building standards and communications protocols.

• There is more awareness and, therefore, more vigilance.

What can be done to improve the cybersecurity of smart buildings?

• It is important to ensure IoT devices are not installed using default settings and do not communicate over unencrypted protocols. Many devices are now addressing this and have security built-in; this decreases the threat of vulnerabilities of third-party networks or devices.

• Make sure default usernames and passwords are changed straight away and are changed regularly, ensuring they are complex enough not to be guessed easily.

• Only give building stakeholders access to the information they need to perform their role; the threat is reduced by minimising access.

• Have policies in place to ensure that devices cannot be added to the network without IT staff being informed so that they can validate the risk and authorise the connection.

• Owners need to comply with the latest cybersecurity regulations and make cybersecurity a part of tender specifications. There are three key cybersecurity standards for the smart building industry: two international (IEC 62443, ISO 27001) and one EU-level (European NIS Directive). Building operators benefit from the precise definition of requirements, the implementation of standardised processes and the availability of documentation related to each respective.

However, no supplier can create IoT security alone - building operators, system integrators, planners and owners are all a crucial part of the process. The construction and retrofit supply chain need to understand the opportunities and challenges of smart buildings and robust cybersecurity. This attitude needs to be adopted and embraced by all.