As the world becomes increasingly interconnected our buildings are evolving into smart structures, integrating advanced technologies that improve users' experience, enable cost efficiency and meet high standards of sustainability.
However, with each new technology introduced the number of risks and vulnerabilities increases. So as we enter the era of smart buildings, it is imperative to recognise that robust cybersecurity is critical to safeguard these integrated systems – and building users themselves.
These systems include not only the IT required for processing and storing corporate data but also operational technology (OT) and the internet of things (IoT).
OT relates to building systems and controls such as heating, ventilation and air conditioning (HVAC), cameras and access control. These systems monitor events, processes and devices and make operational adjustments accordingly.
The IoT meanwhile refers to internet-connected devices on a network that communicate with each other and provide real-time data, such as smartphones, wearables, smart meters and occupancy and air quality sensors.
Smart building cybersecurity must therefore go beyond a corporate IT policy and extend into OT and the IoT, where cyber-attacks may manifest differently. Having rigorous IT cybersecurity does not mean that the building can be secure against OT or IoT-related threats.
IT cybersecurity is not always compatible with OT or IoT environments, and has the potential for failure and malfunction. It's thus important to be very clear about roles and responsibilities.
With the integration of OT and IoT systems there are more connected systems and more data points, and the risk of cyber-attacks increases.
If robust cybersecurity practices are not in place, cybercriminals can take advantage of the interconnectivity of these systems to access sensitive data or even gain control of building systems.
Moreover, integrating building systems networks without taking proper precautions can lead to vulnerabilities in one building system affecting all others. This could be a significant risk, as a single breach could cause widespread harm to a building's infrastructure.
Furthermore, new technology is being developed and adopted significantly faster than corresponding cybersecurity. This lag creates vulnerabilities that can be exploited by cybercriminals, making it essential to take proactive cybersecurity measures.
These new risks can result in threats to physical and life safety as well as reputational damage. For instance, a cybercriminal gaining control of an IoT-connected kettle can easily cause a fire or power cuts, which could lead to significant damage or even loss of life.
Meanwhile, a data leak can significantly affect a company's reputation meaning it is no longer trustworthy.
'If robust cybersecurity practices are not in place, cybercriminals can access sensitive data or even gain control of building systems'
While restructuring the network to avoid these risks may be cumbersome and costly, one emerging practice is to use logical network segmentation.
This keeps IT, OT and IoT systems in dedicated virtual networks running in parallel. Although they still use the same physical infrastructure, they only interchange data where necessary. Achieving this involves creating secondary networks with multiple virtual local area networks and subnets, using different firewalls and managed switches.
It's also important to monitor and control all access points into your core building system networks carefully, both inside and outside.
Having an automated process in place to monitor and track network vulnerabilities can be useful. If you suspect any incidents, it's best to treat them as real until proven otherwise and resolve them in a timely manner.
Effective management of service providers is also critical. Many services are provided by external suppliers and often managed remotely, making it easy to lose sight of areas that may be vulnerable to external unauthorised access.
A single device with poor security can compromise the whole network, so being able to test and audit all new devices easily and reliably is essential. To do so, you should screen services in advance to ensure adequate built-in cybersecurity and compliance with local industry standards.
In addition, make sure to integrate your security requirements into the terms and conditions agreed with suppliers. These should define your respective responsibilities and insurance policies.
You should also control and manage all device passwords and remote logins, and limit access to your wider network. An up-to-date, active directory can enable you to track who has access rights and passwords to better control device exposure on the internet.
'A single device with poor security can compromise a whole network, so being able to test and audit all new devices easily and reliably is essential'
Stakeholder engagement is crucial in ensuring a comprehensive and effective cybersecurity strategy. Unfortunately, competing organisational agendas can often lead to disjointed initiatives and separate funding arrangements.
To prevent this, it is important to have a cohesive strategy, so leadership teams should hold frequent conversations about cybersecurity. These should aim to prepare for potential threats and outline response plans.
Focus on outcomes – for example, how to deal with a specific situation such as a ransomware attack – and work towards a solution collectively.
Finally, to prioritise OT and IoT cybersecurity effectively, make sure there is sufficient funding available. This can help to avoid the costs of dealing with a cyber-attack after it occurs, which can be considerably higher than implementing preventative measures.
Maintaining constant cybersecurity awareness for all employees and contractors working in a building is critical, because employees who are unaware can unintentionally leave your systems open to hacking.
Appoint an internal champion, literate in both IT, OT and IoT-related systems, to oversee cybersecurity throughout the building life cycle and invest in continuous staff training and awareness programmes.
It can also be helpful to create dedicated training for employees who are responsible for managing and operating the building, and provide clear guidance on who to contact with questions about cyber issues.
In the past, responsibility for OT and IoT cybersecurity often lay with individual service providers. However, we are increasingly seeing owners take a more holistic approach to securing their systems and network, as well as exercising more responsibility for the data in the building.
To help them do so, building owners can engage an OT and IoT cybersecurity expert to create a tailored, end-to-end strategy and implement it effectively.
As we embrace the future of the built environment, cybersecurity should be an essential component of all smart buildings.
Only by implementing a robust OT and IoT cybersecurity policy and fostering a culture of security can building owners safeguard their assets, occupants and reputation.
This can help establish a solid foundation that adds value for building occupiers. Let us build environments that are not only smart but safe.
12 December | 08:30–17:30 GMT | London
Discover the Future of Commercial Property at the RICS UK Commercial Property Conference 2023!
Join us as we navigate the economic challenges that lie ahead for the commercial property sector, as highlighted in the RICS report released in March 2023.
Seize this opportunity to network with fellow professionals and industry experts to explore these challenges as well as groundbreaking innovations.