Some of the most exciting emerging technologies related to building control systems improve operational efficiency and effectiveness using artificial intelligence. The advent of smart and intelligent buildings takes this even further to optimize people’s experience within the built environment. Many great benefits from these technologies are possible, but there are also a lot of potential cybersecurity risks.
Early building control systems were not traditionally built with security of the system in mind. They were self-contained systems, nearly impervious to external access, and it would take a physical breach to compromise them. That was then. This is now.
The convergence of operational and information technology
More and more, operation technology (OT) systems are connected to each other and to other systems, becoming part of the larger information technology (IT) infrastructure. The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations, and you want to monitor them from a central location.
In addition to the functional reasons, companies realized that they could use information from these systems to improve operations. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using information from a variety of systems, and make strategic operational decisions. Adjustments to building systems that make even a small energy efficiency improvement can yield significant savings to a company with a large footprint.
Unfortunately, many people will build a connection between a building or operational control system and, for example, a remote access IT system, but fail to consider the potential security ramifications involved. The oversight is understandable. Historically, building controls were not seen as highly valuable targets largely because the capabilities and interconnected controls were limited. Perhaps a malicious actor would be able to gain access and turn the lights off. Annoying sure, but hardly worth expending resources to stop a practical joker when the resources could be used to fortify more obvious mission critical systems.
Cyberattacks: When IT and OT lead to Oh No!
As IT and OT systems become increasingly intertwined, it is clear a unified approach to security is needed. But who should take charge? According to an ASIS survey, the biggest obstacle slowing organizations to adapt to combined systems revolve around people issues. Physical security departments are often set in a history of siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies including people management, intelligence, and investigations. IT professionals can be equally rooted in their own routines built around the latest technology, system innovations, and cyberthreats. Loss of authority, status, control, or staff are equally feared by both groups.
Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested in facilities, not IT. The operations folks do not want to be burdened by IT controls. Similarly, IT folks recognized that these systems are different animals, and they do not want the responsibility of securing systems that sit outside the traditional IT framework and thus do not have various IT protections and protocols built in. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.
When “Phishing” becomes “Fishing” and other surprising vulnerabilities
You may already be aware of “phishing” attacks in which bad actors send fraudulent emails purporting to be from reputable sources to trick individuals into revealing passwords, credit card numbers, or other personal information. The phrase took on new meaning a few years ago when hackers were able to worm their way into an unnamed Las Vegas casino database through a “smart” thermometer in an internet connected, high-tech fish aquarium. The security breach gave them access to 10 gigabytes of information from a “high roller” database that they successfully uploaded to the cloud.
The unusual heist highlights the vulnerability of Internet of Things (IoT) devices. According to IOT Analytics, the number of connected IoT gadgets is expected to grow 18 percent this year to 14.4 billion devices globally. It is a booming forecast despite some slight downward revisions due to supply chain and chip shortage issues. The trend also spotlights the increased vulnerabilities property owners and cybersecurity professionals will face.
The biggest security concerns will continue to be external cyberattacks and traditional issues like data theft, but new threats loom with the expansion of IoT. Denial-of-Service attacks against IoT networks (or even “denial-of-sleep” attacks that drain batteries of connected devices by preventing them from powering down) are expected to be on the rise as well as a growing black market selling fake sensor and other forms of data.
For the built environment, a greater emphasis on protecting systems that control and monitor facility operations is needed. Reliability and integrity of those systems is one thing, but these systems have the potential to impact occupant’s health and safety. Everything from major power stations to personal medical devices could be at risk. The almost constant collection of information by IoT devices about our individual environments and circumstances could also have a serious impact on how business and personal decisions are made. Fortunately, we are starting to see better protection measures, although there is still a long way to go.
What is the best way to protect facilities from cyberattacks?
In many instances, IT is the gatekeeper to what IoT devices are allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process – preferably during the Master Planning phases - can help avoid conflicts and eliminate implementation schedule delays. While it is common for organizations to put their intelligent building system and individual IoT components on the company’s enterprise network, it comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested, and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.
Other IoT security tips include:
- Document your systems thoroughly. Too often a company doesn’t have accurate system information and you can’t manage what you don’t know.
- Perform cybersecurity testing of your systems on a routine basis. The systems themselves are not static and new vulnerabilities are discovered every day, so it is important to ensure you stay current.
- Follow a regular routine of software and firmware patches and updates to reduce risk exposure
- Follow a mandatory best practice of always changing the default username and password for any device connecting to the internet
- IoT devices should have unique passwords for each unit
- If a device cannot support password, software, or firmware updates, do not connect it to your system
Finally, being more integrated and interconnected does not necessarily mean your facility is more vulnerable. Having more IoT can actually make building automation systems (BAS) safer if the integration of devices drives more and better engagement between IT and facility management stakeholders about cybersecurity. Creating and following best practices can lead to better security, improved operations, reduced utility consumption, and increased occupant comfort, delivering on the promise of the intelligent building.
About the author:
Coleman Wolf, CPP, CISSP, Security Services Studio Leader with ESD, has over 20 years of experience in security management as a security designer and consultant. Coleman is an ASIS Certified Protection Professional (CPP), a Certified Information Systems Security Professional (CISSP), and is an active member of the ASIS Security Architecture and Engineering Council. He holds a Master of Science in Computer Information Systems from Northwestern University in Evanston, Illinois, and a Bachelor of Science in Electrical Engineering from the University of Michigan, Ann Arbor.
Related Stories
AEC Tech Innovation | May 12, 2023
Meet Diverge, Hensel Phelps' new ConTech investment company
Thai Nguyen, Director of Innovation with Hensel Phelps, discusses the construction giant's new startup investment platform, Diverge.
AEC Tech | May 9, 2023
4 insights on building product manufacturers getting ‘smart’
Overall, half of building product manufacturers plan to invest in one or more areas of technology in the next three years.
Sustainability | May 1, 2023
Increased focus on sustainability is good for business and attracting employees
A recent study, 2023 State of Design & Make by software developer Autodesk, contains some interesting takeaways for the design and construction industry. Respondents to a survey of industry leaders from the architecture, engineering, construction, product design, manufacturing, and entertainment spheres strongly support the idea that improving their organization’s sustainability practices is good for business.
AEC Tech | May 1, 2023
Utilizing computer vision, AI technology for visual jobsite tasks
Burns & McDonnell breaks down three ways computer vision can effectively assist workers on the job site, from project progress to safety measures.
AEC Tech Innovation | Apr 27, 2023
Does your firm use ChatGPT?
Is your firm having success utilizing ChatGPT (or other AI chat tools) on your building projects or as part of your business operations? If so, we want to hear from you.
Design Innovation Report | Apr 19, 2023
HDR uses artificial intelligence tools to help design a vital health clinic in India
Architects from HDR worked pro bono with iKure, a technology-centric healthcare provider, to build a healthcare clinic in rural India.
Resiliency | Apr 18, 2023
AI-simulated hurricanes could aid in designing more resilient buildings
Researchers at the National Institute of Standards and Technology (NIST) have devised a new method of digitally simulating hurricanes in an effort to create more resilient buildings. A recent study asserts that the simulations can accurately represent the trajectory and wind speeds of a collection of actual storms.
3D Printing | Apr 11, 2023
University of Michigan’s DART Laboratory unveils Shell Wall—a concrete wall that’s lightweight and freeform 3D printed
The University of Michigan’s DART Laboratory has unveiled a new product called Shell Wall—which the organization describes as the first lightweight, freeform 3D printed and structurally reinforced concrete wall. The innovative product leverages DART Laboratory’s research and development on the use of 3D-printing technology to build structures that require less concrete.
Smart Buildings | Apr 7, 2023
Carnegie Mellon University's research on advanced building sensors provokes heated controversy
A research project to test next-generation building sensors at Carnegie Mellon University provoked intense debate over the privacy implications of widespread deployment of the devices in a new 90,000-sf building. The light-switch-size devices, capable of measuring 12 types of data including motion and sound, were mounted in more than 300 locations throughout the building.
Architects | Apr 6, 2023
New tool from Perkins&Will will make public health data more accessible to designers and architects
Called PRECEDE, the dashboard is an open-source tool developed by Perkins&Will that draws on federal data to identify and assess community health priorities within the U.S. by location. The firm was recently awarded a $30,000 ASID Foundation Grant to enhance the tool.