“How long can we complain about cyber attacks when we are the one installing the door and leaving it open?” This is a question posed by researchers Memoori in conjunction with the latest data on the growth of IoT in smart buildings. The report suggests that even though we are all well aware of the risks involved, and that we will complain bitterly when an attack is discovered, we are still actively buying connected technology for use within our buildings without properly considering the issue of cyber security.
Big IoT hacks are widely reported, but we still demand smart buildings. Survey after survey shows that executives see cyber attacks as the biggest issue for the IoT, yet the same surveys show that the vast majority of companies will invest heavily in the IoT regardless. We know that cyber attacks can lead to massive financial and reputational damage, but we still purchase and integrate vulnerable technology. The obvious conclusion to draw from these truths is that cyber security is not that important, at least not to purchasing decisions.
“Before the IoT revolution, most buildings’ systems tended to be self-contained and therefore safe from hackers. This began to change with the introduction of remote management via permanently connected smart sensors,” says Nick Morgan, information security manager at property investor Derwent London. “In the past, it was an afterthought. You get Norton 360 and then you move on.”
Lacking sophisticated approach
Smart Buildings and the IoT are no longer new technology ecosystems, at least not in the context of understanding that there is a cyber security risk. We know by now that we cannot just install off-the-shelf anti-virus software and expect it to keep our buildings safe, but, according to Memoori, many building managers still neglect the need for sophisticated approaches to cyber security. Even when the vulnerabilities are exposed and the managers responsible are made aware, we still see buildings ignoring the issue and those trying to help them.
“I was able to contact someone [at WeWork when we discovered a vulnerability] and they quickly changed their systems, but often I can’t get any kind of response from people in this industry,” says Craig Young, principal security researcher at Tripwire, a provider of threat-detection software. “For instance, I know there’s a company in the construction-safety field that seems to be exposing its customers to a potential attack. After months of phone calls and emails, I’ve been unable to get the ear of anyone who cares.”
Hackers will use any connected device
We know by now that any connected device, even the most unremarkable, can provide an entry point for hackers to much wider and more sensitive building systems. In 2018, hackers utilised weaknesses in a connected fish tank thermometer to gain access to confidential information on high-rollers in a Las Vegas casino database. Numerous attacks have been launched via connected printers, thermostats, even physical security devices such as surveillance cameras and digital locks. However, many buildings still install poorly secured devices, seemingly oblivious to the ramifications.
“All IoT devices present possible entry points for hackers. Letting any one of these go unprotected is the digital equivalent of leaving a small window open downstairs when you leave the premises,” says William Newton, president and MD of Wiredscore, a firm providing digital infrastructure certification for buildings. “Everything that’s linked to your network – from lighting to the CCTV system to the elevators – needs to be subject to the same stringent security protocols as databases containing confidential information.”
Cyber security certification programmes can help the building industry further highlight the most vulnerable devices and the facilities most at risk. While basic cybersecurity should be common sense in the modern world, by clearly presenting the risk in a rating system that forces owners, managers, and occupants to understand when they are at greater risk than the majority of buildings, we can force positive change. This kind of open communication on cyber security risk also excuses buildings for slow or limited smart technology implementation on the grounds of cyber security. Stakeholders should accept that for strong cyber security we may need a slow and gradual IoT implementation.
“We’re working hard to educate them as to why this area is so important and why it takes a long time to get a certain supplier on board or to get everything connected,” says Sally Jones, head of strategy, digital and technology at property firm British Land, that recently introduced Wiredscore’s Smartscore rating. “This new benchmarking system is helping us to bridge the gap in our organisation. We’re using it to communicate why cyber security is important and what it means to be a secure smart building.”
Recruitment and training is behind
We all know by now that there is an IT skills gap in building operations, and we all know that operational technology (OT) staff are not well trained in the application of digital technology. In fact, we have been talking about these issues for the best part of a decade or more, yet recruitment and training still lag far behind the development of the technology. IT and OT departments still pass the buck to avoid responsibility when it comes to smart building cyber security problems, while owners and managers sometimes appear oblivious to the dangers such issues bring.
“Buildings are increasingly being run by computers that aren’t within the IT team’s remit. These are probably managed by a facilities director or property director, depending upon the size of the business. Indeed, they may even be managed by the landlord,” says Ed Cooke, CEO and managing partner at Conexus Law, who sees huge risk coming from the demarcation of responsibility for cyber security in many companies.
Smart buildings are a paradise for hackers
From exposed devices to unsecured infrastructure, and a lack of accountability, the smart buildings industry has created a paradise for hackers to steal information, maliciously control systems, and cripple entire networks, often with relative ease. How long can we blame our cybersecurity problems in buildings on the rapid proliferation of technology before we realise that we are the ones driving that digital transformation? How long can we complain about cyber attacks when we are the ones installing the door and leaving it open?
We all know by now that smart buildings present a cyber security risk but the more the smart buildings we create without addressing cyber security issues, the more we show that cyber security is not that important… and maybe it should be.