Buildings might not be the first thing that comes to mind as potential cyber-crime targets. But where there is an internet connection, there is cyber risk, and today’s smart buildings, connected to user devices, control systems and public infrastructure in the pursuit of greater efficiency, are not immune.
In the last couple of decades, building systems have become more energy efficient and more sustainable. This transformation has often involved installing building automation systems in a bid to reduce energy wastage and to control a building’s heating, ventilation and air conditioning, lighting and other systems with minimal human control.
In turn, powering building automation systems usually requires stuffing buildings to the gills with IoT (Internet of Things) and AI (artificial intelligence) technologies such as sensors and internet-connected data transmitters; almost every facet of building function in such buildings is connected to the others in some way.
A 2017 report by analyst house ABI Research estimates that by 2020, more than 8 million building management systems globally will incorporate some form of IoT technology; the actual number may turn out even higher. But even as the discussion around smart and sustainable cities and buildings races ahead, the cybersecurity discussion is lagging, say engineers and real estate professionals.
“The Deepwater Horizon spill is a great analogy,” says Matthew Clifford, head of energy and sustainability services—Asia Pacific at real estate and investment management firm JLL. “That spill was devastating because the deep-water drilling technology had outpaced clean-up technology.”
“With buildings, the development of smart technology has outpaced security measures,” says Clifford.
A little-considered risk with big potential
While Singapore has been lucky to suffer only very minor cyberattacks on its buildings to date, incidents in other parts of the world highlight how disastrous a lapse in a building’s cybersecurity can be.
In Austria, hackers attacked the electronic key system of a four-star hotel in 2017, locking guests out of their rooms and leaving the hotel unable to create new keys until a ransom was paid. In the US that same year, a casino lost 10GB of data siphoned out through an internet-connected fish tank. In late 2017, the Triton malware sparked global alarm by causing actual physical damage to industrial systems.
Derek Teo, leader, special verticals and key account management at Johnson Controls, notes: “Data theft is one thing. With physical infrastructure, we are also looking at the ability of malicious parties to control a building from the outside.”
“In the worst case scenario, someone could get into a hospital’s controls and turn off the power to the operating theatres. Or they could take over a warehouse and disable the chillers,” says Teo. “The attackers might target just one tenant, but everyone in the building will be hit.”
Cybersecurity firms have been warning of vulnerabilities in smart buildings for several years, with some firms even predicting that building automation systems will become the next entry point for major ransomware attacks.
One chink in a building system’s armour is the layering of new technology over older or unsuitable frameworks, say researchers and engineers.
Joe Poon, managing director of Surbana Jurong’s smart city solutions division, explains: “The biggest cybersecurity challenge facing buildings becoming smart is the tension between new, IoT-based systems and the old networks, built on a system called SCADA.”
SCADA—supervisory control and data acquisition—systems are a form of centralised control more commonly associated with industrial automation.
“The old SCADA networks were mostly designed without consideration of cybersecurity as the risk of cybersecurity breaches was low back then,” says Poon.
“But new smart building systems must still capture data from these old systems and transmit it over the internet, exposing buildings with active old SCADA systems to cybersecurity threats which they were never designed to handle,” he adds.
Right alongside technological vulnerabilities is the issue of user complacency. For instance, Teo says that the Johnson Controls teams have encountered clients who, accustomed to using an isolated server that is not at risk because it is not connected to the internet, remain indifferent or even resistant to implementing cybersecurity measures even after the building management system is upgraded and connected to the internet, or even shifted to the cloud entirely.
“Awareness is low and some of them are conservative about change,” says Teo. “Cost is the main factor that makes them resistant.”
Teo adds that while some companies might have a strong IT department or robust cybersecurity policies, all that can be voided by a lack of awareness at the facility management level.
Many building and construction companies in Singapore appear unwilling to speak about cybersecurity—though it is unclear if the reticence is due to security concerns or a lack of focus on the issue. The overwhelming majority of real estate firms approached by Eco-Business declined to comment.
Where do we start?
Ideally, say industry experts, cybersecurity should be built in from day one. For new buildings, it needs to be integrated into the planning and design stages, while in older buildings undergoing retrofit, existing systems must be revisited and given the same rigorous consideration as the new technologies being added.
And although this may represent added costs, building owners need to be forward-thinking about the issue, warn cybersecurity advocates.
“There are two ways of looking at cost,” says JLL’s Clifford. “One: the upfront costs of building cybersecurity in from day one, and designing your building with digital safety measures in mind.”
“Two: the reputational cost of a breach,” Clifford says. “If you are a bank, and someone hacks into your building’s functions, even if they do something simple like causing your elevators to stall, what are your clients going to think? Will they still feel safe with you?”
More importantly, people—building managers, operators and end users—have to be on board with the idea of keeping buildings secure, says Clifford, pointing out that research shows that the most effective cybersecurity breaches start with human error.
Johnson Controls’ Teo says that awareness among facility managers can be improved. His team provides training to customers to keep them informed on the latest cybersecurity trends and threats from an IoT perspective, highlighting gaps, possible consequences, and ways to mitigate risk.
Surbana’s Poon recommends starting with comprehensive security policies on data access and usage, and then building cybersecurity plans around those. But, he cautions, security policies are ultimately constrained by the practical need to keep systems useable.
“There will be a trade-off between security and convenience for end users,” he says.
Converging a building’s facility network as well as enterprise and IT systems will inevitably increase security vulnerabilities, remarks Teo, with challenges stemming from different communication protocols and unclear priorities among different stakeholders.
“But these can all be surmounted by working closely with building stakeholders and trusted vendors throughout planning, implementation, testing and even maintenance. A thorough understanding of the different use cases is very important,” he says.
Ultimately, cybersecurity for today’s sustainable buildings may come down to treating building automation systems with the same abundance of caution shown to any other internet-connected network.
“It pays to be careful,” Clifford says. “If you are going to bring in large volumes of technology, then don’t be naïve about the potential negatives.”
He adds: “Have a plan, make sure you understand the risks, have the proper controls, and ensure that they work. Doing this the right way isn’t hard.”