Feature: cybersecurity in the built environment
Smart building management systems (BMS) that leverage the power of the Internet of Things to collect and analyse environmental data are becoming increasingly popular as more and more organisations look to connected technologies to improve the management of their buildings. In fact, a Global Industry Analysis, Trends, Market Size and Forecasts to 2024 report published by Infinium Global Research estimated the global market for BMS will reach up to $154.8 billion, with a compound annual growth rate of 14.1 per cent by 2025.
A BMS is crucial to managing demand for energy in a cost-effective way. By offering remote management of heating, ventilation and air conditioning, a BMS saves maintenance staff having to spend time visiting each building or room to shut down, switch on or adjust temperature levels or air conditioning. It also improves reporting and information management, leading to quality, informed decision-making, better performance and a reduction in energy use, thereby saving money.
Advances in building technology mean BMS are invariably linked to all manner of other services and the internet. These advancements in technology and the ever-increasing reliance on automation and remote operations are exposing these systems to possible cyber-breaches and full-on attacks. Although experts have increasingly started to alert building owners and managers that such systems are vulnerable to external attack, most BMS are typically not designed with cyber security in mind.
According to PwC UK’s Cyber Security Partner, Sean Sutton, building management systems are often deployed by a combined facilities management and IT projects team and, where required, with additional support from BMS vendors. Depending on the maturity of the organisation's project delivery methodology, there may be standard security checkpoints built into the project requirements definition, design, build or validate phases. If this is not the case, the inclusion of security will rest with the experience of the project delivery team and will rely on recognising potential cyber risks and applying appropriate risk mitigation as part of a project Risks, Assumptions, Issues and Dependencies.
“Once a BMS is in production, the day-to-day operations responsibility will nearly always be with a facilities management team; however, responsibility for cyber risks can be unclear and often falls between the role and responsibilities of facilities and cyber teams,” Sutton says.
According to Terry Edwards, Senior Vice President at insurance broker Marsh Commercial: “Heating, lighting and security in most buildings is generally not being developed with technology designed to be connected into cross-building IT networks. In fact, designers and decision-makers in charge of facilities or smart building systems often consider the risks of cyber security to be irrelevant and non-critical,” he says.
“Equipment failures are not new and these incidents have already been reported hundreds of times, and redundancy techniques used by specialists in operational safety are effective methods for managing these risks, but they do not cover the risks of cyber-attacks,” he adds.
Integrating a BMS into your IT infrastructure
In a recent global corporate survey by Verdantix, 88% of respondents rated improving cyber security for building operational systems as a priority over the next 12 months. In its global real estate asset manager survey, 54% of respondents rated cybersecurity risks as either a very significant or significant source of risk for their clients’ portfolios over the next five years. These studies demonstrate the urgency with which businesses need to consider security when purchasing a BMS.
PwC believes facility directors should work alongside IT executives to run vulnerability assessments on internet-connected operational systems such as BMS or HVAC before purchase. When it comes to integrating a new BMS into an organisation’s infrastructure, Sutton says there are four immediate concerns that need to be addressed. “My biggest concerns are failure to conduct a cyber risk assessment, not engaging with a cyber team for input, the integration of non-IT managed devices and connection to BMS IoT devices via insecure means which could breach the gap between an easy to attack remote device and a corporate network,” he says.
It goes without saying that implementing a good BMS cybersecurity solution provides crucial benefits that reduce the risk from the ever-expanding cyber threat landscape. Sutton says that, through deploying these systems in the last 12 months, the key issues he has become aware of are: connecting BMS to IT networks without appropriate logical separation and control; implementing BMS IoT in a way that introduces unknown vulnerabilities; failing to integrate BMS monitoring into a centralised security operations centre (SOC); and not developing threat use cases that can leverage physical data (e.g. badge entry to the office) with logical data (e.g. a user accessing their device from a remote location). “Threat use cases like this can assist with identifying unusual or improbable behaviours that could indicate a cyber breach,” he says.
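The kind of threat use case described above can be sketched as a simple correlation between badge records and login records. This is an added example, not code from PwC or any BMS vendor; the event formats, the field names, the 12-hour presence cap and the second rule (an on-site login with no badge entry, which goes beyond the single case in the text) are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

MAX_STAY = timedelta(hours=12)  # assumption: cap presence when no exit is recorded

# Constructed sample data: (time, user, site, action) from the access-control system
BADGE_EVENTS = [
    ("2024-03-04T08:55:00", "asmith", "HQ-London", "entry"),
    ("2024-03-04T17:40:00", "asmith", "HQ-London", "exit"),
    ("2024-03-04T09:10:00", "bjones", "HQ-London", "entry"),  # never badged out
]
# Constructed sample data: (time, user, source) from authentication logs
LOGIN_EVENTS = [
    ("2024-03-04T10:15:00", "asmith", "remote"),  # in the building, yet remote
    ("2024-03-04T19:00:00", "asmith", "remote"),  # after exit: expected
    ("2024-03-04T11:00:00", "bjones", "onsite"),  # badged in: expected
    ("2024-03-04T11:30:00", "cwhite", "onsite"),  # on site without a badge entry
]

def presence_intervals(badge_events):
    """Turn entry/exit badge events into per-user (start, end) intervals."""
    intervals, open_entry = {}, {}
    for ts, user, _site, action in sorted(badge_events):
        t = datetime.fromisoformat(ts)
        if action == "entry":
            open_entry[user] = t
        elif action == "exit" and user in open_entry:
            intervals.setdefault(user, []).append((open_entry.pop(user), t))
    for user, start in open_entry.items():  # entry with no matching exit
        intervals.setdefault(user, []).append((start, start + MAX_STAY))
    return intervals

def improbable_logins(badge_events, login_events):
    """Flag logins whose claimed location contradicts the badge record."""
    present = presence_intervals(badge_events)
    alerts = []
    for ts, user, source in sorted(login_events):
        t = datetime.fromisoformat(ts)
        inside = any(s <= t <= e for s, e in present.get(user, []))
        if source == "remote" and inside:
            alerts.append((ts, user, "remote login while badged into building"))
        elif source == "onsite" and not inside:
            alerts.append((ts, user, "on-site login without badge entry"))
    return alerts

if __name__ == "__main__":
    for alert in improbable_logins(BADGE_EVENTS, LOGIN_EVENTS):
        print(alert)
```

In a SOC, alerts like these would be raised for analyst review rather than treated as proof of compromise, since missed badge reads and shared doors produce the same pattern.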
Edwards says the advantages of Incident Command Technology (ICT), Incident Command Systems (ICS) and BMS installations, and of future smart systems, are undeniable, and nobody would think twice about going back on this system. Using new technology from the conventional IT world means we have to come to terms with the constraints that come with it.
“Retroactively dealing with these issues can be costly and complex, especially if they have not been factored into protocols at design phase. This is also the case for older assets that were built at a time when cyber security awareness and the ability to transfer and manage these risks was limited,” he says.
There is no doubt that BMS have revolutionised the facilities management landscape. Yet with these great benefits also come the dangers of exposing these systems to possible cyber-breaches and full-on attacks. With better relationships between teams and the security knowledge to deploy the relevant security measures, the risk of attacks can be mitigated.