IoT is key to building efficiency, but cybersecurity has to be addressed
While the buildings we work and live in are getting better, smarter, and more connected as we speak, they are also becoming exponentially more vulnerable to cyber attacks, which means cybersecurity measures are a must for modern buildings.
Only a few years ago, commercial buildings consisted of isolated building management systems that typically used simple controls to monitor heating and air conditioning, elevators and lighting systems.
Today, demand for better occupant experiences and energy efficiency is generating state-of-the-art commercial spaces that provide everything from smart grid-connected solar installations to reduce energy costs and programmable LED lighting solutions aimed at improving worker productivity to sophisticated AV solutions for management teams to communicate and facial recognition technology to grant access to restricted spaces.
A staggering range of new internet of things (IoT) devices and applications are required for these components to connect and communicate with one another to achieve the operational and functional efficiencies in today’s building management systems.
A report by analysis firm Gartner estimates enterprise spending on IoT security solutions worldwide will reach $1.5 billion in 2018, a 28% increase compared with last year. By 2021, security spending in IoT will more than double to $3.1 billion.
While enterprise executives are aware of the heightened cybersecurity risks and are spending money to find solutions, they are struggling to implement proper protocols to prevent security breaches.
A recent survey by Ponemon Institute, an independent research firm specializing in security policy, found that 81% of corporate governance executives expect a data breach caused by an unsecured IoT device to occur in the next 24 months.
However, only 28% indicated that they include IoT-related risk as part of their third-party due diligence.
More than half of respondents said they have contractual agreements to mitigate third-party IoT risk, but only 26% reported that they have a method of proactively assessing these risks.
“Most organizations don’t realize how easy it is for a virus to enter into their systems. It can be as simple as someone logging in to their Wi-Fi or through third-party equipment like a vending machine,” said Richard Kaun, vice president of industrial protection at cybersecurity firm Verve.
For this reason, building owners and plant operators should prioritize cybersecurity the same way that they prioritize safety, Kaun says.
“Cybersecurity is often overlooked because you can’t calculate the ROI until a breach actually occurs,” Kaun said.
Part of the problem is a gap in the ways that IT and OT sectors deal with security. Existing off-the-shelf IT products are not made for building automation systems, which require customized solutions based on size, scale, and use, experts say.
“You can’t just slap cybersecurity technology into the industrial plant and commercial building environments,” according to Kaun. “While IT is all about confidentiality, integrity, and availability, in the OT environment, operations are most important. IT firms must work with plant operators on the OT side to create a viable cybersecurity plan and implement protocols which prioritize securing the most important aspects of their business, which usually is to get the plant up and returned to normal, safe, expected operation as quickly as possible.”
Integrating a variety of stakeholders with the proper expertise is one of the most effective ways to navigate the increasingly complex cybersecurity risk landscape.
Components of a cybersecurity plan
Since the main priority for building owners is to get systems back up and running again, they should focus on three critical things: white-listing (having an inventory of connected devices), securing backup capabilities, and a process for identifying and fixing the offense.
“Incorporating an alerting system which can immediately notify staff in the case of a breach is essential—having a plan in place to deal with the breach that will define your chances of a quick recovery,” Kaun said.
Building and plant owners should create a white list or identify devices to be checked in the case of a security breach. Generating a record not only helps to devise a plan for blocking access points, but it also helps security teams know where to look in the case of a breach.
A white list enables the security team to identify all IP-connected devices which could allow malware and other security threats to infiltrate surveillance systems and gain access to cameras, elevator controls, gates, and building power systems to retrieve sensitive data.
Having a secure plan for getting up and running as soon as possible is critical to recovering from a cybersecurity breach, especially for buildings and plants where even a brief outage can cause millions in damages.
“A minute or hour of downtime can cost commercial buildings and industrial plants massive losses. Many don’t know where to start, and their challenge is how to plan proper protocols without compromising efficiency,” Kaun said.
A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it, often used to fix security vulnerabilities and other bugs.
A proper patching protocol can help to secure the environment and get things up and running more quickly while eliminating the root entry point of the breach.
There’s no way to prevent a cyber attack 100% of the time, but a good security plan should entail procedures and protocols that outline how often white lists and back-up processes should be updated and checked.