Point of View –
Ram Venkat –
When we think about Smart Buildings, we immediately think about their advantages. We think of the efficiencies such connected building technology offers developers, building managers and tenants. Whether it’s about efficiency, long-term value or brand perception, stakeholders will suffer if their building is not ‘smart’. However, do we think about their cybersecurity risks?
As our buildings become more complex, with the number of IoT connected devices and cloud services growing exponentially, the threat and chance of cyberattacks becomes even greater.
So, how can we understand these challenges and prevent them from happening in the future?
The Challenges of Smart Buildings
Today’s buildings systems often fall short of effectively managing any potential cyber intrusion. This is a direct result of there being an obvious disconnect between groups managing information technology (IT), who have extensive cybersecurity knowledge and the groups managing building operational technology (OT), who have the building management system (BMS) operational knowledge.
Previously, BMS required specialised knowledge of systems and protocols and didn’t require access to corporate network resources or the Internet.
Therefore, the security of a BMS network predominantly relied on obscurity and the lack of external connectivity. However, in this day and age, the evolution of BMS technology has meant that typical BMS control systems now use a combination of OT protocols, including ModBus and BACnet, as well as IT protocols such as HTTP and FTP. This has revolutionised the way smart buildings operate but it has also affected how they can be targeted from a cyber perspective.
The evolution of BMS technology is essentially a gold mine for hackers. Coupled with the disconnect between IT groups and OT groups, the de facto operational model for buildings needs to change. In recent years there have even been hacker communities and research groups that specialise in cyberattacks targeting smart buildings to retract important data.
Ultimately, the problem starts with the network of a BMS. This network can be deemed as a way in to the wider IT network of an organisation. Hence, not only does the management system itself become the target but so does the whole company.
For those looking to update their building technology, the risk of cyber-attacks is a huge roadblock. It prevents many sectors, most notably healthcare, FS and public sector, from investing in buildings enhancements. This is a direct result of the fear of attacks, and the damage and disruption they could cause. The reality is that an attack could cost millions to an organisation.
To mitigate these attacks and realise the full potential of smart buildings, operators and occupiers need to alter how smart building control systems are architected and managed from a cybersecurity perspective. Setting aside organisational barriers and acknowledging the IT/OT disconnect is the critical first step towards implementing and operating cyber secure smart building control systems.
Luckily, there has already been strong support in the OT control systems industry to address the security challenges being faced today.
Better yet, industry associations have risen to the need for common OT cybersecurity best practices, in particular with the development of the IEC 62443 global set of cybersecurity standards. This is set to improve safety, availability, integrity and confidentiality of systems used for industrial automation and control.
Fundamentally, there are four key ways that organisations can create a secure and operational smart building:
1. Assess and protect legacy OT building control systems
2. Choose IoT devices and vendors that follow a Secure Development Lifecycle approach
3. Implement secure OT building control system architectures
4. Bridge the secure OT building control systems through an IT Security Monitoring Zone
The future of building cyber security
The vulnerability of a BMS system working with these two sets of protocols lays on the disconnect between the groups in the IT team, who have the cybersecurity knowledge and the OT team, who have the operational knowledge. The smarter your building gets and the less these two groups work with each other, the more vulnerable technology will become resulting in the increase of external cyberattacks.
Teams need to work together to create a more secure system and organisations must adhere to certain practices to keep their building as secure as possible.