Is your Building Protected from Cyber Threats?

September 28, 2021

Cyber security incidents reported against both government and private organisations continue to increase in both frequency and severity.

State-sponsored actors and criminals are attempting to exploit businesses by accessing sensitive information through increasingly sophisticated techniques.

“Intelligent” Buildings are frequently connected to the Internet to enable operators to take advantage of key benefits such as remote monitoring, management and analytics.

Building Services Technology platforms often provide entry points to other critical inter-connected business systems for these malicious actors.

Figure 1: Cyber security incidents, by sector (1 July 2019 to 30 June 2020)

What are the Key Threats to Building Owners?

The entry point into a building ecosystem is frequently not the end target of a cyber-attack.

Building Services Technologies and networks are often less scrutinised from a security perspective than other business technologies.
Building Services Technologies and networks are considered “soft touch” entry points into building ecosystems.
With the uptake of converged networks combining multiple building services onto a single network, the implications are increased with the potential of multiple systems becoming compromised in the event of a cyber-attack.

The serious risks associated with insufficient cyber defences in commercial buildings are well understood.

Failure or shutdown of building services limiting or restricting their operation
Degraded or compromised building security, access control and CCTV
Corruption of databases and loss of historical performance data
Loss of data used for building performance ratings such as NABERS
Potential losses through disruptions to business operations
Potential loss of valuable intellectual property (IP)
Productivity losses
Extortion attempts using ransomware
Breaches of privacy and loss of personally identifiable information (PII)
Reputational damage

Typical Pitfalls

In the past, Building Services Technologies used protocols that were proprietary in nature. This provided an entry barrier for malicious actors. Emerging technologies have resulted in an increased risk due to:

Building Services Technologies commonly specified to use open hardware, software, and communication protocols
Open protocol solutions frequently contain known vulnerabilities that malicious actors will attempt to exploit.
Cyber Security of specified systems is not commonly a key consideration during a building’s design phase.
Many networks are not designed and/or managed by IT specialists.

Most cyber security incidents involve elements of human error.

Human error can reduce the effectiveness of otherwise sound security protocols and lowers the technical abilities required to access Intelligent Buildings.
Insufficient password protection is frequently seen in intelligent buildings
Cyber-security is frequently sacrificed for operational and administrative convenience.

Entry Points:

Many Building owners and Facility Management staff are unaware of the risks from Building Services Technologies’ interconnectivity and remote accessibility of Building Services Technologies.

Outdated Operating systems, application software and firmware dramatically increase the likelihood of malicious entry.
Poorly configured Remote Access policies are common, where management of these policies is not performed centrally.

Intelligent buildings will have multiple points of entry for malicious actors to attempt to exploit.

Remotely accessible HVAC, BMS and Power monitoring systems.
Access Control and CCTV system
Energy analytics platforms
Third-party applications installed on Servers and Client workstations
Incorrectly configured or poorly managed converged Networks
Cloud hosted applications connecting into Intelligent building services
BYOD policies can allow users to bypass in-place security protocols

How can Building Owners Minimise the Risks of Cyber-Attack?

The consequences of these attacks are ever increasing as information systems become more central to business and society. The incidence and severity of cyber-attacks can be reduced by:

Centralising management of IT software and hardware required for Building Services Technologies
Centralising ownership and management of networking hardware to encourage the use of converged networks.
Conducting periodic security reviews across all Building Services Technologies platforms.
Improving baseline security protocols implemented across all Building Services Technologies
Enforcing the installation of secure products and services
Ensuring that proven disaster recovery procedures are in place and regularly tested for all key systems
Making informed purchasing decisions
Taking steps to grow the cyber awareness skills of the operational staff
Engaging specialist external help and support when needed
Reporting all cyber-crime to the correct authority