Cybersecurity is the technology and practices that are designed to protect building data and equipment from attack, damage or unauthorized access. It is dangerous to make the assumption that smart technology and building automation automatically include security elements.
Building Automation and Cybersecurity
On new construction projects, incorporating smart building technology into the overall building management plan is an easier task than incorporating it into legacy systems as upgrades and equipment replacement is required. Since developers have been designing building control systems to work with existing operational technology of the building and this technology is often implemented by personnel that are not IT and cybersecurity experts, these legacy automation systems are leaving buildings vulnerable. Building automation is going through a transformation. As soon as one product is implemented, the next version of it is on the market with improved features. As soon as one cyber threat is recognized and addressed, attackers devise new ways to breach company systems.
Building owner-operators are taking advantage of the huge opportunities to reduce energy and operational costs, as well as increase occupant comfort, that smart technology and the IoT offer. Lower cost sensors are being implemented to gather as much data as possible and these sensors can be a vulnerability due to their connectivity. Digitizing legacy systems can also increase cyber risk.
Increasing dependence on smart technology has resulted in highly sophisticated cyber-attacks. OT systems that are interconnected can allow hackers access through HVAC systems or other OT systems to the company’s sensitive data. Strategies to protect against these ever changing threats must be active and ongoing. They should include early detection of changes in endpoint devices and abnormal communications.
Cyber Threats to Smart Buildings
Cyber threats come in three major forms, privilege misuse, malware injection, and insecure protocol exploits. Cybersecurity experts develop products to detect and defend against these common attacks. Traditional IT and cybersecurity experts often lack the technical knowledge of building OT systems and requirements. Third party suppliers are available that specialize in OT-level cybersecurity. Providers offer a wide range of services that span from initial assessment to operational lifecycle services.
On the other hand, building control systems that are being managed by facility employees that are not cybersecurity experts can create risk to systems such as HVAC, elevator, lighting, parking and access control. These risks can affect the building’s life safety program, equipment replacement projects, data management, branding and compliance requirements. The speed with which attackers are finding vulnerabilities and developing intrusions suggests that a dedicated, knowledgeable partner that has expertise in OT cybersecurity and personnel to be available all day, everyday, would give companies the best advantage against an attack.
Adoption of smart building tech should be carefully planned. It is just as important to be aware of the latest standards and best practices as it is to select the right products and software. Personnel turnover and operational efficiency also suggest building managers should partner with providers that have the expertise and experience to provide risk management continuously without interruption while guiding managers to solutions that will work best in their building.
With information technology (IT) teams and operational technology (OT) teams beginning to cooperate and merge within organizations, gaps that existed in security due to their separation can be protected against. Hackers have the ability to access company data centers through weakly protected HVAC systems or other smart tech systems if managers do not include them in the overall security plan. All of the gathered data must be locked down as soon as it is received for the protection of occupants and the company.
The key to the successful merging of the IT and OT teams will be a well thought out organizational plan created at the top levels and enforced within the whole organization. Often a third party provider, such as Albireo Energy, is involved to assist in the design and implementation of an overall plan. Albireo has solutions and services that span a building’s lifecycle that can keep a building’s operation at the cutting edge of smart technology while being cost effective and secure. Albireo’s team of experts is available to managers at all times to assist with the implementation and daily operation of security policies and measures.
Smart Building Partner
Albireo Energy will conduct site audits to pinpoint the current state of the building’s systems and cybersecurity. On new projects, Albireo will perform commissioning services on the installation of equipment. Albireo can monitor systems and assist with compliance requirements.
Successful cybersecurity in smart buildings is not something to take for granted. The connectivity of every new piece of tech that is added in the building must be examined and accounted for in the overall cybersecurity plan. If it connects to the company data base, it is a vein that can lead an attacker into the whole system. Every company is vulnerable and even small cyber attacks are disruptive, so act now and assess your cybersecurity for the good of your whole organization.
Quick Cybersecurity Solutions
Here are some practices that are easy to implement and can be some protection as you develop your cybersecurity plan.
Create strict password/ID policies. Since passwords can be the weak link that allow hackers access, it is important to take the time to enforce rules regarding password complexity, unique passwords per user, and regular requirements around changing passwords.
Be sure to keep up with software updates. Software developers create updates in reaction to learned breaches to the existing program. Neglecting to update can leave your data vulnerable to attack. It is recommended to create back-up before the update to guard against glitches.
WiFi networks should be encrypted and password protected. Web filters can be used to restrict access to non-secure websites for the protection of company data and as a safety measure.
Install anti-virus, anti-spyware and Firewall apps to protect your systems. Keep abreast of the latest email scams and spread the word throughout the organization to prevent hacking from that direction.