The number of smart buildings, with integrated building management technology at the core, is on the rise. The complex building automation system (BAS), which keeps occupants safe and comfortable, integrates various monitoring and control solutions such as heating, ventilation, and air-conditioning (HVAC), lighting, fire, security, and networking onto a single platform. A smart building also uses data generated by IoT-enabled equipment, coupled with data gleaned from external sources, to allow for performance-enhancing, energy-saving decision making.
However, what makes a building “smart” is also what makes it vulnerable to cyberattacks. With poor security controls, compounded by the lack of global security standards, the plethora of IoT devices could be easy targets for hackers. Similarly, poorly secured Wi-Fi servers could be exploited.
Securing smart buildings thus takes a blended approach of risk-based planning, security architecture, technology, processes, and people skills. Such rigor, commonplace practice in IT systems, is not typical of BAS. Given the evolving threat landscape, it’s time that the strategy of protecting smart buildings keeps pace.
Protecting the Building Automation Systems
Preventing intruder access is key to securing the smart built environment. The integrated BAS can be vulnerable to intrusions from within a corporate network. For instance, a hacker could gain access to the HVAC controls to compromise the stable environment within a laboratory, thereby destroying years of research.
Ransomware attacks a BAS the same way it does other embedded control systems. The BAS could be crippled through attacks on the operating system of its server, or by making critical files such as configuration and database files inaccessible.
It is good practice to deploy the BAS on a private network and to protect it from the Internet with a firewall. The servers should not be used to check email or to access websites that are not required for the running and management of the BAS. It’s also important to keep the systems updated with the latest anti-virus software, revisions, and patches, as well as to conduct regular backups.
All building data needs to be encrypted at rest and in transit using industry-leading protocols. The platform itself should be protected by a regulated access control system, and data masked to restrict access to sensitive information.
Know Thy Devices
A robust endpoint security strategy in smart buildings is essential. The sheer number and variety of endpoints — mobile phones, tablets, and printers, for instance — could be targeted for unauthorized access. Email phishing and malware are usually distributed through the Internet; hence any end device that accesses the web and receives email attachments carries a degree of security risk.
Retaining control of systems and devices is equally crucial. It is important to identify and authenticate all devices and machines connected to the network. This would mitigate the risk of a hacker inserting a rogue, untrusted device into the network and taking control of any systems or machines. Strong cybersecurity solutions, such as advanced detection taps or stroke count traps, recognise any form of unknown action and, in turn, lock down or isolate the network immediately to prevent further damage.
A converged cyber-physical security application could bolster the overall security of smart buildings. This strategy relies on Artificial Intelligence (AI) to address real-time threats while keeping a check on false alarms. The analytics platform connects and combines data from internal and external sources with advanced risk algorithms to provide proactive threat protection.
By decreasing alarm “noise,” the approach allows security teams to focus attention on the highest priority events. Through this process, information is put into context and ranked by risk severity — all this to provide a complete security picture, and to deploy the right security resources on the right security priorities.
The Collaborative Factor
Cybersecurity is everyone’s responsibility, from building occupants to facilities managers. Basic cybersecurity practices such as sound password management are essential. Additional two-factor authentication to access sensitive or confidential data (for example, a patient database) offers stronger protection. Regular audits of security measures help stem complacency.
The role of a facilities manager is about more than running a building. With BAS technology now containing more IT-based hardware and software, facilities managers should collaborate with IT experts to address any cybersecurity concerns that threaten the smart built environment and, by extension, the building occupants.
No two smart buildings are exactly alike. The right system integrator takes a holistic view of the building’s systems, then designs and installs technology to support the business objectives for the building, delivering better outcomes for the occupants. The right BAS is optimized for the building to operate more efficiently and sustainably while improving comfort and safety.
It’s hard for one organization to go it alone given today’s rapid evolution of cyber threats. Industry initiatives such as ISASecure are setting international cybersecurity standards and certification for the global ecosystem of intelligent buildings and smart city technologies.
In summary, securing smart buildings and building systems is a shared responsibility requiring focus and commitment from multiple parties. Businesses and organizations would benefit from a streamlined, multi-pronged approach that protects data and devices, manages security incidents, and continually improves risk management for better overall operational efficiency.