Bulletins | June 30, 2016

Are smart buildings security smart?

As more offices become ‘smart buildings’ which are fit for tomorrow’s city, those businesses who have opted to utilise technology must think beyond the presence of traditional security guards in reception areas to maintain the physical security of the building and the well-being of those inside it. The security of the technology systems in place within the building and the data stored electronically within the building must also be addressed.

Smart buildings have an important part to play in the ever changing nature of office space as businesses look to cut costs and increase efficiency wherever possible.  By utilising thousands of sensors integrated into buildings themselves to create a fully connected digital framework, every aspect of the building, from its microclimate to its filing system can be managed centrally by a building management system. The data protection issues surrounding smart buildings are well versed, but perhaps less well rehearsed and arguably of considerable concern to businesses utilising such technology is the cybersecurity risk posed by such systems.

Back in 2013 two Sydney based cybersecurity experts hacked Google’s building management system. Whilst nothing malicious was intended during the Google hack, the same year a US state government facility fell victim to a real hack. Three years on and experts are concerned that it remains alarmingly easy to hack into a building with potentially dire consequences. Imagine a paperless office, with all employees access passwords changed by a hacker or the electricity supply overridden and off, making it impossible to work on a computer. Imagine a care home with the heating system overridden, making it far too hot in summer, or far too cold in winter to the detriment of the health of its residents. In the 2013 hack of a US state government facility, the building accessed was made to feel unusually warm. In this way, once a building has been hacked, it can effectively be taken hostage and held to ransom until demands are met.

When building management systems are integrated into the workplace (as is often the case), the system is no longer separate from a business’ standard IT network. The standard IT network usually contains sensitive business information of one form or another. Where systems are integrated in this way, once access has been gained to one element of the system, the hacker will tend to have access to anything stored on the system. When millions of customer credit card details were stolen from US retailer Target, the source of the attack was eventually traced back to the heating system. Whilst the link between the two might seem slightly bizarre, the Target hack demonstrates only too clearly that where building management systems are linked to the IT network, a hack into the building management system can give access to extremely sensitive information with relative ease.

No physical security guard can prevent a cyber-attack in the same way in which a physical break in might be prevented, not least because very few security guards will come from an IT background and it is often difficult to detect a hack until it is too late.  Despite this, security is often not considered the most important criterion for businesses selecting a building management system. Instead, technology functionality is often prioritised over and above security. Anyone who works with a computer on a day to day basis knows only too well the frustrations of poor IT functionality, which is often the reason why functionality is prioritised. However, a day in the office where no one is able to log on due to mass password changes or a theft of sensitive information via a hack is likely to be far more damaging to a business than selecting a slightly slower or slightly temperamental, but more secure building management system. As such, priorities relating to selecting technology for smart buildings ought to be re-evaluated and security elevated to the utmost importance when it comes to selecting a building management system.

Cyber security experts recommend that smart building management systems are kept entirely separate from standard IT networks, for the simple reasons that it is virtually impossible to ensure that the codes behind building management systems are hacker-proof. Had Target kept their customer data on a different system to that which was used to manage their building, it might have been better protected when the heating system was infiltrated.  Not so long ago extracting sensitive commercial information through a heating system might have had a place in a sci-fi movie, but today it is the reality of the risks associated with the technology that we are utilising to continue to improve efficiency and reduce costs.

In the same way that an individual wouldn’t leave their front door open when leaving home, businesses should take great care when adopting building management systems to ensure that their building remains as cybersecure as possible.