We know by now that connected devices create a cybersecurity risk, yet we continue to connect devices. Big IoT hacks are widely reported, but we still demand smart buildings. Survey after survey shows that executives see cyberattacks as the biggest issue for the IoT, yet the same surveys show that the vast majority of companies will invest heavily in the IoT regardless. We know that cyberattacks can lead to massive financial and reputational damage, but we still purchase and integrate vulnerable technology. The obvious conclusion to draw from these truths is that cybersecurity is not that important, at least not to purchasing decisions.
“Before the IoT revolution, most buildings’ systems tended to be self-contained and therefore safe from hackers. This began to change with the introduction of remote management via permanently connected smart sensors,” says Nick Morgan, information security manager at property investor Derwent London. “In the past, it was an afterthought. You get Norton 360 and then you move on.”
Smart buildings and the IoT are no longer new technology ecosystems, at least not in the context of understanding that there is a cybersecurity risk. We know by now that we cannot just install off-the-shelf anti-virus software and expect it to keep our buildings safe, but many building managers still neglect the need for sophisticated approaches to cybersecurity. Even when the vulnerabilities are exposed and the managers responsible are made aware, we still see buildings ignoring both the issue and those trying to help them.
“I was able to contact someone [at WeWork when we discovered a vulnerability] and they quickly changed their systems, but often I can’t get any kind of response from people in this industry,” says Craig Young, principal security researcher at Tripwire, a provider of threat-detection software. “For instance, I know there’s a company in the construction-safety field that seems to be exposing its customers to a potential attack. After months of phone calls and emails, I’ve been unable to get the ear of anyone who cares.”
We know by now that any connected device, even the most unremarkable, can provide an entry point for hackers to much wider and more sensitive building systems. In 2018, hackers utilized weaknesses in a connected fish tank thermometer to gain access to confidential information on high-rollers in a Las Vegas casino database. Numerous attacks have been launched via connected printers, thermostats, even physical security devices such as surveillance cameras and digital locks. However, many buildings still install poorly secured devices, seemingly oblivious to the ramifications.
“All IoT devices present possible entry points for hackers. Letting any one of these go unprotected is the digital equivalent of leaving a small window open downstairs when you leave the premises,” says William Newton, president and MD of WiredScore, a firm providing digital infrastructure certification for buildings. “Everything that’s linked to your network – from lighting to the CCTV system to the elevators – needs to be subject to the same stringent security protocols as databases containing confidential information.”
Cybersecurity certification programs can help the building industry further highlight the most vulnerable devices and the facilities most at risk. While basic cybersecurity should be common sense in the modern world, by clearly presenting the risk in a rating system that forces owners, managers, and occupants to understand when they are at greater risk than the majority of buildings, we can force positive change. This kind of open communication on cybersecurity risk also excuses buildings for slow or limited smart technology implementation on the grounds of cybersecurity. Stakeholders should accept that for strong cybersecurity we may need slow and gradual IoT implementation.
“We’re working hard to educate them as to why this area is so important and why it takes a long time to get a certain supplier on board or to get everything connected,” says Sally Jones, head of strategy, digital and technology at property firm British Land, which recently introduced WiredScore’s SmartScore rating – a topic discussed by Jules Barker from WiredScore and Joe Brown from Kingsett in our recent webinar. “This new benchmarking system is helping us to bridge the gap in our organization. We’re using it to communicate why cybersecurity is important and what it means to be a secure smart building.”
We all know by now that there is an IT skills gap in building operations, and we all know that operational technology (OT) staff are not well trained in the application of digital technology. In fact, we have been talking about these issues for the best part of a decade or more, yet recruitment and training still lag far behind the development of the technology. IT and OT departments still pass the buck to avoid responsibility when it comes to smart building cybersecurity problems, while owners and managers sometimes appear oblivious to the dangers such issues bring.
“Buildings are increasingly being run by computers that aren’t within the IT team’s remit. These are probably managed by a facilities director or property director, depending upon the size of the business. Indeed, they may even be managed by the landlord,” says Ed Cooke, CEO and managing partner at Conexus Law, who sees huge risk coming from the demarcation of responsibility for cybersecurity in many companies.
From exposed devices to unsecured infrastructure, and a lack of accountability, the smart buildings industry has created a paradise for hackers to steal information, maliciously control systems, and cripple entire networks, often with relative ease. How long can we blame our cybersecurity problems in buildings on the rapid proliferation of technology before we realize that we are the ones driving that digital transformation? How long can we complain about cyberattacks when we are the ones installing the door and leaving it open?
We all know by now that smart buildings present a cybersecurity risk, but the more smart buildings we create without addressing cybersecurity issues, the more we show that cybersecurity is not that important… and maybe it should be.