Smart buildings have come a long way since building automation systems were first introduced decades ago. Innovations in sensors, digital tech, and the “internet of things” (IoT) have created connected buildings that are becoming standard fare today. That evolution in building tech is generating more operating efficiencies—and opening the door to bigger cyber security risks.
The networking of multiple engineering systems into a common platform goes back to the mid- to late 1980s. Initially, these systems were hard-wired, stand-alone systems confined to the building that they were operating. The internet now allows manufacturers to monitor performance, enhance systems, and push down software updates remotely. These days, there are more and more “end points” or IoT-addressable devices operating within buildings ranging from security cameras to access control to lighting systems.
Essentially, the innovation of new digital technology, along with the greater connectivity of devices, is multiplying the end points within buildings. “Any time you have a capital event where you are replacing a system, it is likely to be more software driven and incorporate more IP end points than you would have five to ten years ago,” says James Whalen, senior vice president and chief information officer at Boston Properties.
For example, the transition from fluorescent to LED lighting reached a point where the bulbs and fixtures can only deliver so much efficiency. The next stage of gaining efficiency and creating added value is through greater control, which is being achieved with digital systems, adds Ben Myers, sustainability manager at Boston Properties.
Each of those end points can increase vulnerabilities to cyber attacks if not properly protected, and the focus on managing cyber security has grown along with building innovation. A big wake-up call for the real estate industry was Target’s cyber-security breach in 2013. In that case, the breach actually came through an HVAC contractor using a project management site where the hacker was able to access that system and then pivot into other systems, ultimately harvesting credit card information from millions of Target customers.
“In the engineering operations world, the ability to manage and harness more data helps us be more efficient and has significant benefits related to sustainability and environmental controls,” says Michael A. Turzanski, managing director, engineering operations in investor services at Cushman & Wakefield. “But engineers often don’t think about the security aspect and what it means. Unsecure systems could cause a lot of damage and create inefficiencies in the tenant space.”
Buildings Face Bigger Cyber Threats
There are huge advantages to enabling building systems manufacturers and the service community that manages the devices to access real-time data on how these systems are performing. But anything that touches the internet is susceptible to a cyber-security breach. “One vulnerability can provide someone access to the entire platform and cause severe damage to the building and equipment. That is a very scary prospect,” says James M. Rosenbluth, director of global security and resilience at Cushman & Wakefield.
Oftentimes, the two biggest threats that arise with IoT devices are the ability of hackers to take control and manipulate systems and devices; or to use IoT device connectivity within building operations to gain access to proprietary information on the telecommunications network. “There is no lack of hostile actors who may wish to access these devices, and for any of a variety of purposes,” says Rosenbluth. There have been ample cases of cyber-security breaches conducted by lone-actor criminals, organized crime organizations, white-hat or black-hat hackers, or even kids with smartphones. “Many have the ability. The more important questions are whether they have the intent and, if so, to what purpose,” he says.
In some cases, hostile actors have extorted money from properties, either by threatening to take control of one or more systems or by actually doing so. For example, a hotel in Europe recently had to pay a ransom to a hostile party who had seized control of the hotel’s electronic locks and had locked out a large tour group that had just arrived in the hotel’s lobby, preventing them access to their rooms until the ransom was received, notes Rosenbluth.
Property owners and managers are increasingly weighing the advantages or business case for adding new tech against the potential cyber-security risks. “It’s important to know that cyber security isn’t just one thing. There are a few different ways in which we deal with security in buildings,” says Lindsay Baker, president of Comfy, an Oakland, California–based software solutions company. Some of the security issues that real estate faces are personal data protection, corporate data protection, building hacking, access control, and securing other company networks, she adds.
“What we have learned as a smart-building service provider is that when people start saying something about a security concern, we try to break that down to find out what they are really worried about and then we talk about solutions,” says Baker. If a company is worried about someone hacking a system to change the temperature in their boss’s office, that is a very different issue to address as compared to concerns about exposing the corporate network to massive security breaches, she says.
Safeguarding against Cyber-Security Risks
Managing cyber-security issues related to building systems is very similar to managing other corporate or enterprise systems. For example, companies often have sensitive financial or personal information that they are trying to protect from hackers. “The same mind-set needs to be brought to a building,” says Whalen.
Building operating systems are vulnerable to being compromised. Computers increasingly run a long list of building services. Those computers may need to have active patching and firewalls to protect against hackers. For example, if a system needs to be accessed by an outside contractor, that access has to be controlled by the same kinds of tools that govern the corporate environment, notes Whalen.
One approach is to apply an enterprise security program across systems. Companies also can apply “segmentation,” which puts systems into separate buckets using firewall technologies. So, if someone were to compromise one system, such as the HVAC system, the issue would be contained within that one segment. A hacker could not use access to the HVAC system as a jumping-off point to access other building or business systems such as lighting or corporate e-mail.
“When we walk into a new client situation and find that they have an infrastructure network that is separate from the corporate network, we have a celebration,” says Baker. That means the company has already taken the time to do something that many other companies are planning to do these days, which is to separate and insulate all the sensitive information on the corporate network, she says.
Those companies are already well down the path in understanding and managing potential cyber-security risks. “There are companies out there that do a great job with smart buildings that don’t have a separate infrastructure network, especially smaller companies, but it is really a great step to take if you can,” Baker says.
Companies can also control how remote contractors access a system with protocols such as two-factor authentication. In addition to an account name and password, authentication requires an extra step, such as an authentication code or personal identification number (PIN).
Identifying Weak Spots
Perhaps the biggest weak link in cyber security is also the most difficult to control—people. Companies can build a strong line of defense with firewalls and systems, but all it takes is for one person to click on a link in a phishing e-mail that opens a door somewhere, notes Whalen. It is important for companies to provide ongoing training sessions for employees and contractors, as well as simulated phishing attacks. “It is all about elevating awareness and keeping it in the forefront so that if someone does get something, they second-guess it,” says Whalen. That is especially important as hackers become increasingly sophisticated, he adds.
Another stumbling block is a lack of communication between real estate and IT. The real estate team may not know which IT people they should be talking to, or they don’t really know what process or requirements IT has for adding new tech, says Baker. In some cases, the real estate people may even be a little intimidated by the IT people, she notes. So, it is key for real estate and IT to be on the same page on protocols, processes, and approvals for applying new technologies, Baker adds.
It also is important to promote security awareness, such as the proper handling of credentials, roles, and responsibilities of each person in maintaining security, adds Turzanski. Another important step is to include IT and security individuals as part of the construction design team. “Automation experts and engineers are sometimes late to the conversation. This is an industry trend that needs to change,” he says. “If you involve the appropriate individuals as part of this team, you will address these security issues and help better prevent them from happening.”