For many years, people’s idea of cyber security would probably be a good password and virus checker. While this is still fundamental, most applied security measures focus on looking for a ‘known’ threat — they are not looking for the unknown or adaptive threats we now commonly face. Personal protection, such as in online banking, has often been the focus of media attention, but in this information-connected aged, the threat to buildings and estates from hackers grows increasingly real, not only as targets in and of themselves, but also as an easy access route into a business’s broader IT network.
So, what could a hacker do to an information-connected building?
- Override the lift controls?
- Elevate access control privileges?
- Delete CCTV footage?
- Turn critical things off?
- De-activate security systems?
- Obtain staff details?
Take control of information systems: signage, public address, telephone or from a business perspective:
- Override security controls to steal intellectual property;
- Be a nuisance and drive up energy bills;
- Be a nuisance and break building systems;
- Disrupting business by turning the power off;
- Causing panic / endangering life – threatening duty of care to staff and visitors.
Sadly, these aren’t just hypothetical scenarios. In 2013, attackers managed to enter the American retail company Target’s network by stealing the credentials of a third-party HVAC vendor and the lack of security protocols to monitor activity allowed them to take customers’ data, including 40m credit cards and debit cards. The same year, researchers found that Google’s building management system (BMS) at its Australian office was connected to the internet without the latest software patch installed. Researchers obtained the administrative password and accessed the BMS.
Clearly, the threat of cyber attacks on buildings and infrastructure is very real – the threat further increased as the era of separate building systems such as BMS, security and lighting control comes to an end. New designs are replacing siloed systems with a network of interconnected systems. Corporate real estate directors and managers can now have a real-time view of the assets they are managing, along with an insight into how space is being used. This is enabled through devices and different building systems communicating information with each other – the ‘information age of buildings’.
Of course, these interconnected systems have many benefits for both occupants and building managers. However, they also raise new challenges in the control of information and subsequently the cyber security of buildings and estates.
For example, modern building systems will now hold personal information to locate, identify and provide options to building occupants such as elevator or parking access. In the information age of buildings, real estate directors/managers need far greater visibility of what information they have, where it flows, who can see it, how it is stored and monitored. If data protection and retention is not appropriately considered, real estate directors/managers may find that their building systems could be a weak point for a cyber or cyber-physical attack.
New legislation such as general data protection regulations (GDPR) being introduced across Europe (including the UK) in 2018 will include updated definitions of personal information and will apply to companies operating in the European Union. The UK Information Commissioner’s Office (ICO) has indicated that GDPR will apply to buildings, including location tracking and sensor technology.
Buildings can be considered easy targets for organised criminals who wish to research an organisation as part of a targeted attack. For example, an access control system could provide the name, photo, location, department, privilege and potentially biometric information of a member of staff. Such a breach of personal information, if not discovered and notified, could lead to large fines for the organisation.
Therefore, real estate directors/managers will need to be more proactive in their approach and adopt ‘privacy first’ or ‘privacy by design’ principles that will be a requirement of updated legislation.
To compound matters, buildings are becoming ‘borderless’. Like IT systems, buildings can be connected to the internet or to a corporate network, accessed via smartphone apps, and managed by multiple third parties.
Benefits such as remote management are enabled by borderless design but, to do this, real estate directors/managers need to ask questions of their third-party building management companies. Security vetting of these companies is required, particularly as transfer of building management does not transfer cyber security and information security risk. There is a real risk of third parties being a weak link either through remote management/data breach of their operations or via service engineers with infected laptops connecting to building systems as part of maintenance. In the case of Target’s data breach, the HVAC vendor’s credentials stolen represented the weak link.
The IT world is well versed in dealing with systems that only exist in a virtual world. The real estate world is used to seeing and touching, where design concepts are translated into tangible things. However, to adequately identify risk, real estate professionals need to appreciate that there is now a blurring of the lines between physical security and cyber security. Both disciplines should be considered at the same time.
To mitigate these risks to a business, real estate directors, managers and their advisers need to consider the three pillars of information security: confidentiality, integrity and availability.
Corporate real estate also needs to work with IT to answer some key questions of building and workplace designers, procurement approaches, management and maintenance:
- In a traditional model of multiple designers, packaged procurement and multiple sub-contractors, who has overall responsibility for design, installation, commissioning and maintenance?
- How do I go about assessing information security risk for my organisation?
- When I have assessed risk, how do I define administration, technical and physical controls for security?
- Do I need to draft new policy for my organisation and what training needs to be put in place?
- Once installed, who is going to manage, monitor and change system(s) to the new business needs?
Find out more about Cundall’s IT and audio visual consultancy services here – www.cundall.com/Services/IT-and-audio-visual.aspx