Who is responsible for managing the cyber risks of a smart building? “The short answer: anyone who controls access,” explained Robert Morrish, Haventec CEO, during his presentation on cyber security at the Smart Building Summit 2017.
Held at Sydney University 28-29 November 2017, the Smart Building Summit brought together senior executives from Commercial Real Estate, Facilities Management, developers and construction companies, architecture and design firms and IoT to discover new strategies and hear new trends supporting smart buildings.
All access points need proper security
“Access points are the major security risks if they are not properly secured,” noted Morrish. “They can be used to attack building services, steal personally identifiable information that puts tenants and their clients at risk, as well as expose valuable intellectual property such as strategic plans and financial information.”
“Wi-Fi networks that allow simple login and/or guest login are the most vulnerable. Any WiFi network provided for casual users should only allow monitored and white-listed access to general internet services and not allow access to sensitive systems.”
Morrish identified three main cyber security focus areas for smart building owners and managers:
- Citizens and guests
- Building systems
- Critical infrastructure
“Corporate databases containing Personally Identifiable Information (PII) are especially attractive targets,” warned Morrish. “These databases are often linked to web-based transaction gateways and CRM systems; and extra risks appear when real estate owners’ IT networks are connected to their tenants’.”
Building systems can potentially be hacked to launch attacks on tenants, said Morrish, describing how remote attacks on climate control and access systems might cause physical harm or hold people hostage by locking them in.
Similarly, attackers might circumvent access and surveillance systems to enter restricted areas, or damage communication, evacuation and fire protection infrastructure.
A Grant Thornton October 2017 report ‘The hidden cost of smart buildings: Understanding cyber risk for asset managers and owners’ also warns:
“If a building shuts down due to its security and systems being compromised, whether it be exposure of tenant data, break down of power supply, or restricting access to the building — the reputational damage could put the continuity of the asset owner’s organisation at risk.”
Protecting privacy is a challenge for all industries
“Public trust in any organisation is instantly eroded when its supposedly ‘secure’ digital and physical environments are breached, exposing personal customer data,” stated Morrish in a May 2017 update from Haventec on Australia’s Data Breach Notification Regulation.
“The personal cost to each individual might vary incident by incident, but ultimately it amounts to significant reputational damage for the organisation that allowed the breach to happen.”
“The published research on breaches of sensitive data indicates that most companies are not aware they have been breached and become aware of a breach months after it has occurred. The best stance is to assume that breaches will happen – and address the challenge now.”
Rex Kelly, Associate Director at property management firm JLL agreed cyber security needs to be a major priority for the industry. In a post to his peers shared during the event he shared key points from Morrish’s presentation and added a direct challenge: “Smart Buildings: Are you ready?“.