How smart buildings can tackle rising cybersecurity challenges
Smarter buildings bring risks as well as benefits, making cybersecurity a critical issue for landlords in the digital age.
As buildings get smarter, protecting connected building systems – and the people inside – from online threats is becoming a growing cybersecurity challenge.
In 2017, a Las Vegas casino was hacked – via an internet-connected thermometer in a lobby fish tank that gave hackers access to the casino database containing high-rollers’ personal information.
Such data breaches, which use internet-connected devices as a gateway to main networks, could become increasingly common as buildings incorporate technology such as smart heating, ventilation and air-conditioning (HVAC), motion sensors and other connected equipment that automate building operations.
An emerging risk is siegeware, software that can hijack control of smart HVAC, lighting or security systems, preventing occupiers from using – or even leaving – a building, bringing business to a standstill unless landlords or occupiers pay a ransom.
“Smart buildings rely on data, and with data the new currency of our world, if smart buildings are not properly secured, there are certainly people out there willing to exploit them,” says Akshay Thakur, Regional Director, Smart Buildings Programme, EMEA at JLL.
To secure a smart building
By 2024, the global market for smart building products is expected to be over ten times larger than it was in 2016. While IoT devices such as smart lightbulbs or air quality sensors can help building owners and tenants optimise operations for cost and time savings, if not well-secured, they can also be easy targets for hackers.
“Anything that has the ability to connect to the internet is at risk of cyber-attack,” says Rakesh Chauhan, Director, Smart Buildings Programme, EMEA at JLL. “As the use of IoT devices continues to increase, especially in the building environment, this creates an exponential increase in the risk to organisations.”
One critical shift is for companies to approach smart building security like enterprise network security, where new devices entering the network are strictly vetted and installed with multiple levels of protection against cyber threats.
For example, the end-to-end security employed for corporate data must be similarly applied to a building’s smart elements so that each technology – such as doors, alarms, office equipment – is not only secure as an individual product, but also secure when communicating with other aspects of the building.
“Although proptech companies are all building levels of security into their products, the biggest issue is that there is no system-level security practice that’s being employed widely,” says Thakur.
The role of IT
To maintain a smart building’s security, facilities management apps could support landlords and tenants in vetting vendors and technicians for cybersecurity practices. Equally, smart buildings may need to employ ‘cybersecurity guards’ to continuously monitor the building network for unusual activity that might signify a hack or data theft.
“Cybersecurity must be designed and implemented into initial building plans, with building owners ensuring that ongoing maintenance mechanisms are adhered to,” says Chauhan.
This includes regular software updates for all smart aspects of the building, including the antivirus and firewall protection. Furthermore, employee or visitor access to smart building features should be authenticated, authorised and monitored through a central system. Tiered levels of authorisation can also limit the number of devices with access to various smart features, reducing the points that could be targeted by attackers.
Steep costs of unsecured buildings
While the immediate impact of a smart building breach is likely to be felt by tenants targeted by siegeware or data hacks, landlords can be liable for large-scale compensation for the disruption to trading and damage to brand reputations of companies within their buildings.
After a hack of the Marriott hotel group exposed over 300 million customers’ data, for example, a class action lawsuit was levelled at its cybersecurity provider Accenture.
“The breach of a smart building can result in monetary costs such as government fines, but it also extends to brand impact for organisations, especially those that are tech-driven or data-driven,” says Thakur. “If customers lose trust, that can have a long-term effect on their core business.”
The damage of a breach can also go far beyond the affected companies. Botnet malware, which turns control of a device over to a third party, can hijack poorly secured smart building elements and use them to bring down websites by flooding the sites with connection requests.
In 2016, the Mirai botnet attack took down several major sites, causing widespread internet outages for a few days in the US, and a variant has since re-emerged targeting projectors and other business-focused devices.
Staying ahead of building hackers
With buildings set to incorporate more connected elements in the coming years, clear regulations and guidelines are needed for how landlords, developers and tenants are responsible for the security of various technologies throughout the building.
“Education about cybersecurity in buildings is an important factor across real estate. Technology is now embedded in the building environment and mitigating cybersecurity risks must become part of their management processes,” says Chauhan.
At the same time, standards for IoT device security would help the development of system-wide cybersecurity for smart buildings by ensuring that all connected devices can communicate securely. Governmental codes of practice such as the UK’s Secure by Design can also support developers and manufacturers in creating secure products – and buildings.
“In IT, there are numerous standards, whitepapers, and design guides from vendors that provide governance and detailed instructions for the secure deployment of technology,” Thakur says. “These proven IT practices must now be adopted in real estate.”