Smart technologies that manage and self-regulate the built environment and its operations help businesses to enhance occupants’ convenience, reduce costs, and drive sustainability. As we’ll explore in this blog, it’s essential that cybersecurity isn’t just a coat of paint on top but is part of the design and embedded into the foundations.

There are lots of sound business reasons why an organisation would want to use more operational technology (OT) around its buildings. To pick one example, clean air in the workplace is an issue we’ve all become more attuned to since COVID-19, and it’s also part of a more general drive to improve the wellbeing of those working in enclosed spaces. So, smart air purifiers monitor for air quality in a room and will adjust their settings and speeds to suit. Health and safety regulations are another concern, and technology is often deployed to help with fire and safety systems, security and access control, and alarm management.

Sustainability is high on the agenda across all industries, and buildings are a major source of CO2 emissions. According to the Global Alliance for Buildings and Construction’s 2018 global status report, 28 per cent of global emissions by sector came from building operations, with a further 11 per cent coming from building materials and construction.

Working on a building

As a result, many facilities managers are urgently looking at ways of reducing their buildings’ carbon emissions through renewable energy, using sustainable materials, and installing smart technologies. So, for example, growing numbers of buildings now have smart lighting sensors that detect if someone walks into a room and will only switch the lights on at that point, which contributes towards reducing energy consumption. Likewise when it comes to heating enclosed spaces.

Other technologies you’re likely to find in offices and operational buildings like manufacturing facilities include: building management and energy management systems, HVAC, digital signage, Wi-Fi networks, and physical security systems such as CCTV cameras and physical access controls.

So what does this have to do with cybersecurity? In the words of the esteemed cybersecurity researcher Mikko Hypponen, “if it’s smart, it’s vulnerable”. (Also known as Hypponen’s Law.) The more devices there are on a network, the greater the risk of an intrusion or attack.

And with the IoT (Internet of Things) technology that smart buildings typically use, improvements to these systems have tended to focus on features, cost savings, or ease of use. OT cybersecurity is often a secondary concern – if it’s considered at all.

Buildings have eyes

Historically, many building management systems were under the remit of the facilities team that procures them and installs them. Because newer systems are ‘smart’, IoT devices, they’re connected to the network. Yet in many cases they’re ‘invisible’ to the organisation’s IT and security teams. They may not know these systems are on their networks, or even who has permission to access them.

Sometimes, these building automation systems are controlled and monitored onsite, other times remotely. Often, a business will contract this work to an external third party.

If the devices use shared accounts and default credentials, they probably have easily guessable passwords. If the network isn’t segmented properly, an attacker that exploits a weakness in the building management system could in theory be able to go to any other part of the network. This could result in a cybersecurity incident impacting the broader organisation beyond building management systems. Other potential OT cybersecurity risks include insecure remote access and network gateways, exposed web interfaces, lack of configuration management and a general overall lack of cyber resilience with the potential to negatively impact business continuity.

Another brick in the wall

For all these reasons, it can be valuable to have an external, independent advisor assess the security of your built environment. An objective review, carried out in line with internationally recognised standards and best practice such as ISA/IEC 62443 and ISO 27001, can gauge the current security posture of a facility or campus and set minimum requirements to improve security. The assessment can recommend OT cybersecurity suitable for managing industrial automation and control systems, advise on security management best practices, identify vulnerabilities, and make recommendations about appropriate user access management, as well as cloud security (since that’s where the data from the various smart sensors will invariably end up).

With this information, validated by an outside agency, organisations get an integrated view of security threats and can identify risks they might not have considered before. They can also spot potential security weaknesses among important third-party suppliers. Most of all, the organisation is better able to prevent, mitigate and respond to threats, and in so doing enable digital transformation, improve efficiencies, drive sustainability, and reduce its overall technology-related financial, operational, reputational and compliance-related business risk exposures.