Cybersecurity – Are Smart Buildings and Their Data Vulnerable to Malware Attacks?
As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought?
In Boris Johnson’s recent announcement of a £16.5bn increase to defence spending, he stated that a substantial amount of this will be spent on cybersecurity defences.
When it comes to property and smart building systems, a huge amount of data is collected about the building and the people who use it. What are the vulnerabilities of such systems and how can they be overcome?
ThisWeekinFM spoke to Mike Gillespie, Managing Director and Co-Founder of security consultancy Advent IM about this issue. Gillespie is an experienced, senior information security and data protection practitioner. Having been a member of the CSCIS Global Cybersecurity Select Committee for some time, he is now the Vice President of C3i Group on cybersecurity, cybercrime and cyber intelligence.
He also serves as a cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and also as the Cyber Security Lead Adviser for the UK government’s Surveillance Camera Commissioner.
Smart Buildings and Health and Safety
Some buildings are born smart, others have smartness thrust upon them. Many buildings fall into that latter category…
There is a whole industry growing up around web-enabling systems that were never meant to be internet-facing, sometimes because of a legitimate need, such as the need to manage them more efficiently or more frequently across multiple sites. That need, however, is not always matched by appropriate cybersecurity controls, designed and implemented effectively, that would allow the system to be managed safely and securely while still meeting the functional requirement. Even less attention is paid to how long that resilience will last once the system is in service.
It is accepted and expected that a building, whether new or in use, should comply with a wide range of regulatory requirements before it is considered suitable and safe. A variety of standards are employed for this across health and safety, social inclusivity and the environment. But there is nothing that says the systems integrated into a building and operating over cyberspace, systems that could make both the building and its occupants vulnerable, must be robust and secure. Nothing compels designers, engineers, architects, builders or users to embed and maintain a level of cybersecurity anywhere approaching the level required for health and safety, despite the fact that these systems can themselves impact health and safety.
Cybersecurity Seen as an “Inconvenience”
Indeed, in the smart building world, cybersecurity is seen as a bit of an inconvenience. At best it is considered a nice to have rather than a need to have, which is a lost opportunity. At worst, it is considered something to avoid at all costs, which is tantamount to cutting corners with electrical or fabric safety. When it is considered, it is frequently an afterthought, and again this is a wasted opportunity to do it brilliantly and with an eye on the horizon. It is a bit like building a five-storey office block and then deciding afterwards that you want to put a lift in.
Modern building systems, by their very nature, generate data, lots of data. Not fully considering the management of the information lifecycle as part of a smart building strategy often also means losing the ability to use, manage, share and exploit this information as a critical asset.
Furthermore, some of this is personal data, and provision for its collection, management, storage and deletion must comply with the Data Protection Act 2018. It is vital, therefore, that smart buildings are designed from the perspective of data protection by design and by default.
Whether it is personal data or not, the cybersecurity of smart systems MUST become a functional requirement because, as the risk from nefarious actors in cyberspace increases, so does their ability to do actual harm to people and assets. Assuming that the data generated by a smart building system will be of no interest to anyone is unwise. We have no idea what information may be useful to various threat actors, or what they may be able to build by aggregating data from several sources into something useful to them. So, policies for the creation, management and retention of the data these systems generate need to be in place to decide what stays, what goes and what needs to be protected.
Whilst you could take some interpretation of SABRE to cover information security, this is nowhere near adequate for a smart building:
- S Sources of information and collaboration. Where is information being generated, and does it need protection, storage or deletion? Which professionals are available to collaborate with to ensure cybersecurity is embedded in building systems?
- M Malware can and does attack any internet-facing system. If you have a web-enabled system, then you do cybersecurity, whether you planned to or not.
- A Availability. Who needs access to what, and when? Don’t take a risk-averse attitude to cybersecurity; remember that security’s function is not to prevent all access but to protect valuable, necessary or sensitive information assets in an appropriate manner.
- R Resilience and risk reduction. Security’s role is to reduce and manage risk. The threat landscape changes constantly, so risk may change in quite a volatile manner. Having an agile approach to cyber risk is vital. Is your cyber strategy able to cope with this while horizon scanning too?
- T Threat assessments should always consider and cover cybersecurity threats if you have an asset that could be impacted from cyberspace. The days of physical security in one camp and cyber in another are over.