While connectivity and automation have led to a tremendous opportunity in the smart building sector promising significant efficiency, safety and comfort to building owners and occupants, these systems are also increasingly becoming targets for hackers and cyber attacks, and building owners need to deploy proper cybersecurity protections.
Most building owners and operators evaluate and purchase smart building technologies based on business criteria such as functionality, efficiency and cost savings, but cybersecurity must also be a factor if owners intend to protect their assets and investments in the long run.
In North America alone, the market for cybersecurity in smart commercial buildings has continued to grow; it represented 47% of global revenues in 2016 and is expected to rise at a CAGR of 13.8% to $3.83 billion by 2021, according to research firm Memoori.
Understanding the cybersecurity threats in smart buildings
When multiple proprietary systems are centralized through connectivity, automation, open architecture, and interoperability to share data that helps optimize total performance of buildings and occupants, they also magnify the likelihood of cyber attacks by significantly increasing points of entry for malicious attacks.
As buildings become more networked across campuses, enabling owners to harness the power of the cloud to analyze data across all their buildings to optimize for cost savings, even a single breach can exponentially increase threats to all systems and completely paralyze building operations.
Common cybersecurity risk scenarios in smart buildings
The most common cyber threats to smart buildings are in the area of controls and unauthorized access to security systems. Here are a few of the most common scenarios.
1. Shutting down heating or cooling for sensitive locations, such as pharmaceutical or food processing plants, laboratories, and warehouses
2. Shutting down cooling or power management functions for a data center, destroying IT equipment and taking business-critical applications offline
3. Manipulating cooling settings on an HVAC system in corporate buildings, which can create significant business disruption and lost productivity
4. Gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks
In each of these scenarios, the common denominator is a direct loss of revenues for building owners who do not take cybersecurity seriously. While traditional control systems do not include cybersecurity requirements and their addition can increase costs to building owners, designing and implementing appropriate protections before attacks can be more cost-effective than the depletion of resources that often takes place post-attack.
Developing a sound cybersecurity strategy is a complex task which requires a customized approach based on the size and scale of operations. Below are some important considerations for building owners.
Five things to consider when developing a cybersecurity plan for your building
1. Know your building and limitations. Older legacy and multi-generational building infrastructure may limit what you can do to protect your buildings from cyber attacks. For this reason, it is critical to engage experienced firms in designing a cybersecurity plan that works for your building by identifying critical areas of vulnerability and then developing solutions appropriately. For example, owners of a pharmaceutical plant or laboratory may have different priorities compared to office building owners and may have to deploy resources differently to protect their assets.
2. Avoid “plug and play” cyber solutions. Securing a physical building from cyber attacks is a customized process, so plug and play solutions alone are not going to give you the level of security needed to protect against attacks. It’s important to design appropriate security solutions that can address vulnerabilities specific to your building.
3. Look beyond your existing IT shop. The most important advice to owners is that they need to extend beyond their own business and integrate internal stakeholders such as facility managers, IT staff and building operators, and external parties such as manufacturers, third-party suppliers, and service providers, to develop a cybersecurity plan.
4. Assess for latency and recovery. Assessing your tenants’ needs for latency and recovery is crucial. For example, in financial institutions, pharmaceutical companies, hospitals, and high-tech companies, latency is an important factor and should be considered first. One of the ways to reduce the time required to react to or recover from an attack is through the use of military-grade security for BAS applications.
5. Have a post-attack plan in place. While it’s not something owners might want to think about, having a post-attack response is integral to a good cybersecurity plan. Create the plan after considering and prioritizing the things that need to be in place after an attack. A complete shutdown can cause massive inventory losses or wreak havoc in supply chains, so it’s important to prioritize your recovery plan based on your business’s or tenants’ needs. Determine whether it is most important to get up and running first or to identify the cause.