Smart buildings are becoming more vulnerable to cybersecurity attacks, and property owners and landlords aren’t doing enough to defend themselves.
The property sector experienced 368 cyber incidents and 338 breaches last year, making it one of the riskiest industries for exposure to sensitive information, according to a new study by UK-based firm Merchant Machine.
While industries such as IT, finance, and other professional services are better at preventing breaches, the property, healthcare, and retail sectors are less capable of countering them, according to data collected by the study.
Photo courtesy of Merchant Machine
For property owners and landlords, data hacks and security breaches threaten more than just valuable digital assets: they put physical infrastructure and tenant safety and satisfaction at risk.
As smart buildings become increasingly centered around Internet of Things (IoT) connectivity and occupant interactivity, human-to-machine interfaces are sharing information more broadly with the building staff, which now includes not just IT members, but also building engineers, facility managers, and even the C-suite.
These new interfaces dramatically increase access points, provide a gateway to sensitive data, and create new vulnerabilities for the building automation system.
The massive increase in the use of IoT-enabled devices and cooperation with third-party platforms has widened the surface area for cyber-attacks in smart buildings, making threat detection less straightforward and more challenging to remedy.
Sandy Jacolow, Chief Information Officer at Meridian Capital Group and a widely respected expert on cybersecurity for real estate, explains, “Real Estate owners, managers, and developers must incorporate vigilant cyber security prevention with every decision. The business disruption from an attack could be devastating to brand and reputation.”
Cyber-risk scenarios in smart buildings include the shutting down of heating or cooling in pharmaceutical or food processing plants, manipulating HVAC systems in office buildings, creating significant business disruption and lost productivity for tenants, and shutting down power management functions for data centers.
The worst-case scenario is an intruder gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks or to cause damage, injury, or even death solely through the exploitation of vulnerable information systems and processes.
Hospitals and medical patients are at greater risk for kinetic cyber-attacks, as in the case of former U.S. Vice President Dick Cheney, who revealed during an interview that he had his implantable heart device’s Bluetooth capabilities disabled to prevent possible hacking attempts during his tenure in office.
While kinetic cyber-attacks are uncommon, the expanding Internet of Things is connecting an ever-greater number of gadgets and systems to the web, and the possibility of these kinds of physical cyber-attacks is increasing.
Here are some critical steps property owners can take to plan for cyber-attacks, outlined in a recent report by Booz Allen Hamilton.
- Consider Security Requirements
Include security solutions as part of all specification processes. When working with vendors and technical partners, prioritize security as an integral part of any connected smart building solution. Define how you want the vendor to integrate with your existing network, preferably leveraging a separate network segment for building automation systems. Try to use system retrofits as opportunities to include the latest security protocols.
- Assess Security Vendors
Set a consistent assessment framework to evaluate security vendors and their solutions. Select companies with secure design and coding practices. Choose vendors with a mature vulnerability management program to ensure that product vulnerabilities can be discovered, remedied, and patched promptly.
- Build in Security
Understand vendor recommendations for how to securely deploy building automation systems and work with your IT department to follow those guidelines. Make sure to add controls over and above vendor recommendations based on your compliance and risk needs.
- Update Regularly
Maintain a software subscription service and preventive service agreement with your integrator. Keeping your systems updated with the latest software revisions is critical to maintaining a smart cyber building. Ensure that your IT team understands how long the vendor will provide security updates and support for the systems, and ensure you have an exit strategy for a replacement before a system’s end of life.
- Test, Monitor, and Respond
Develop and implement an assessment framework that will identify security maturity across all domains in your ecosystem. Diligently and regularly stress-test your assumptions and technical vulnerabilities. Continuously monitor for indicators of an incident. Triage and escalate issues based on a predetermined set of trigger criteria.
While the actions listed above are far from exhaustive, they can be a good starting point for developing your cybersecurity strategy.
Keep in mind that most experts agree that it’s impossible to eliminate the threat of cyber-attacks completely, but property owners and landlords who prioritize cybersecurity will help reduce their risk of cyber hacks.