Cyber-attacks and corporate espionage are on the rise. The increasing adoption of the internet of things opens up the risk of organisations being hacked through their building management systems. Paul Djuric, operations manager at Urgent Technology, explains how the facilities manager can become the guardian of an organisation’s security and data.
The breadth of recent security breaches demonstrates that cyber-hacking is no longer the sole concern of the IT department: it is an assault on the entire organisation, from the most senior executives, to HR and facilities management.
The systems used to automate and maintain building controls can be used to provide vital data on a variety of areas to building managers and facilities managers, including health and safety compliance, use of space and maintenance information. They can be used to monitor service requirements: for example, the use of sensors that connect washrooms to smartphones or tablets, to enable cleaning and facilities staff to check remotely when maintenance might be required.
However, all this useful connectivity may come at a price. The richer the data, the more appealing an organisation becomes to either financially motivated or spiteful cyber criminals.
Unfortunately, devices and systems that use the power of the data at our fingertips often become the point of network compromise.
When poorly secured devices are networked, they create links to critical systems, such as fire alarms, HVAC and CCTV, where data can be harmed or stolen. Yet despite all these growing threats there is evidence that organisations are still doing little to protect their systems from cyber-attacks, and the built environment appears to be particularly vulnerable. A survey by the Electrical Contractors’ Association and Scottish electrical trade body SELECT, for instance, found that almost four in 10 clients (39%) did not take any steps to protect smart installations in buildings from cyber-threats.
Due to the evolution of information technology in the workplace, the responsibility for data security has tended to be viewed as the remit of the IT department. However, over the last few years the global economy has made increasingly large investments in the internet of things, with worldwide investment in hardware, software, services, and connectivity reaching approximately $737bn (£545bn) in 2016. The IoT is becoming firmly established in operations and the evolution of smart buildings.
Today’s smart buildings are equipped with a range of IoT devices which automate many of the facility management processes, including lighting, HVAC, lifts, escalators and security. Connected technology enables building and facilities managers to improve efficiency, and gives occupiers unprecedented levels of control over their surroundings. To address the cybersecurity risks which may affect organisations, the facilities department first needs to acknowledge that it has a crucial role to play.
As building management systems evolve into internet-enabled building automation systems, they are much more susceptible to possible cyber-threats. Technology which enables users to control all the elements of a building, including security equipment such as CCTV and door locks, is also more vulnerable to cyber-attack.
For all their impressive innovation, the IoT and connected devices increase the level of risk to an organisation. It’s important to establish a best practice strategy to secure data in the Cloud, protect data integrity while in transit over the public internet, and securely provision devices. This strategy should be developed and executed with the active participation of the various players involved with the manufacturing, development, and deployment of IoT devices and infrastructure.
Value of data
Facilities managers who are concerned that their systems are vulnerable should begin the cybersecurity process by lobbying those who are responsible for the safeguarding of information to commission a data assessment. This will help the organisation identify what critical information is stored, processed or transmitted, establish why the data might be an attractive target, and establish any regulatory compliance it must adhere to. Once the value of data is understood, facilities managers should encourage the same parties to commission a formal risk assessment to identify the possibilities of reducing any unnecessary storage and processing.
An efficient data risk assessment should be conducted that advocates the adoption of an information security standard and framework such as ISO 27001. This standard helps organisations respond to data risk by establishing a platform for implementing, operating, monitoring, reviewing and improving information security.
Both internal and external penetration tests on the network should be carried out. Though internal testing is a valuable tool, hiring an outside specialist to attempt to breach your network will identify security holes the in-house team may have missed. Consider establishing a group of “friendly hackers” that can assess aspects of cybersecurity within an organisation. The facilities management department should be part of this process, particularly for pinpointing all the physical aspects of cyber-crime: for example, helping to identify physical items that could pose a risk, such as lighting sensors and other foreign devices connected to the network infrastructure. It’s worth noting that some IoT devices are inexpensive and often even disposable items and may not have sufficient inbuilt network security.
Once a risk assessment has been carried out, the organisation must make sure that all the weakest links within the system are detected. A particular area of vulnerability is access by end users to any part of the network. Most people tend to be guilty of using the same password for multiple work devices, applications and accounts. And we’ve probably all logged on to a public Wi-Fi network and completed work tasks at some point. The majority of the workforce wouldn’t know that these two habits could compromise organisational security. That is why security training to educate staff on what behaviour could enable hackers to exploit the building automation system or networked systems should be a priority. The requirements for work-related passwords, for example, should be made more complex, with passwords unique to each individual, and also managed via a password management tool.
It is important to identify an organisation’s data entry points and take steps to secure them. These can be anything from emails to external memory devices such as USBs. At the very least, scanning incoming and outgoing email attachments for viruses and other threats, and implementing a secure file transfer solution, should be considered. As the recent NHS cyber breach demonstrated, Microsoft Office documents and PDFs are a common means of attack, with vulnerabilities detected in Office and Adobe Acrobat Reader on a regular basis. Patches are typically released very quickly, but if they are not applied immediately these vulnerabilities could be exploited.
The Cloud is another potential route for hackers, as much of the data on a modern BMS is cloud-based. Building management systems are designed to offer functionality rather than security. As a result, there is a concern that the cyber-protection solutions are less mature. This is why it is worthwhile for facilities managers to check with their BMS vendors that they have the most rigorous security protocols in place. Another important recommendation is to keep your building management system separate from the main corporate IT systems.
Cyber-threat is a major issue for every organisation, and with the advent of an ever more connected and digitised workplace, it is now a prime concern for the facilities and building management team. The facilities management department could become extremely vulnerable if these risks are misunderstood. However, this also represents an opportunity for the facilities manager to demonstrate their value to the business by becoming the guardian of an organisation’s security and data.
As digital technology becomes a big disrupter in buildings, there is an opportunity for facilities management to take control: otherwise they’ll risk losing out to the IT department. Facilities managers and their organisations face significant challenges in the future in combating the cyber-threats posed by the convergence of physical assets within a building with data, and the ill-effects that a cyber-attack could have on their organisation.
That is why a wide-ranging and active approach should be taken so that the facilities manager can reap the undoubted benefits of workplace digitalisation while keeping facilities safe from undue risks. In the future, facilities management and IT must always remain alert to the latest cyber-threats, and facilities managers must work with their software supply chain to help reduce the likelihood of data breaches.
Urgent Technology’s full white paper, Cyber-threat and the FM solution, can be downloaded at https://urgtech.com/cyber-threat-whitepaper/
Founded in 1997, with offices in the UK, US and Australia, Urgent Technology is the provider of eMaintenance+, a cloud-based facilities maintenance and asset management platform, used in over 30,000 sites in 27 countries.