Cyber Security A real consideration for smart buildings

xchanging.com/blog/2015/07/01/cyber-security-real-consideration-smart-buildings

I was pleased to attend Realcomm in San Antonio, TX a couple of weeks ago. Xchanging was a Gold Sponsor of
the event, focused on bringing innovation to the Commercial Real Estate industry. One of the key takeaways from
the conference was Cyber Security and its importance to the smart building. Security should be an integral part of
the design of intelligent buildings and not an afterthought.

The emergence of smart buildings has become a mainstream concept with a keen focus on making buildings more
energy ecient, proactively responsive to conditions and above all, more secure. Building security is being driven
and managed by a diverse set of point IT solutions and web technologies. Security is moving from a tight internal
building management system to federated, open application system that is integrated and accessible outside the
buildings.

However, the threat levels to such systems have increased. Many of the web enabled devices that constitute such
systems have very little in-built security, making them highly vulnerable to external attacks. This is also due to the
transition of vendors building operations technologies (in isolation) that are not compatible with the enterprise grade
security both in technologies and in processes.

Cyber security has been mastered by IT companies that provide omni-channel access to the functions in a secure
fashion. These same practices needs to be embedded by the smart building device providers and operators to
ensure the limitations do not cause disruption and safety incidents. A proper procedure is required to manage
access control. In May 2010, a disgruntled employee was able to hack the electrical system of Marina Bay Sands
(one of the agship casinos in Singapore), from his home and cause a power disruption. This was possible due to
lack of process being put in place to immediately stop his access rights the moment he was red. A simple mistake
of such nature can result in a disaster. This generally does not happen in a typical enterprise IT organisation.

In Australia, two researchers, Billy Rios and Terry McCorkle, from an IT security company called Cylance were able
to bypass Googles relatively high level of authentication of their building management systems in Australia. The
primary reason they were able to hack in to Googles building was due to the failure to upgrade the systems and
keeping them up to date. Lax security is not just a technology issue but also a process issue.

Web based, weakly protected building management systems pose a new threat that enables malicious attackers to
break into not just the buildings, but also other business systems connected with the building on the same network.

Cyber Security implementation for smart buildings is potentially targeted to mitigate a range of new risks associated

1/3
with aspects of personnel, technology and operations.

The human element risk is essentially one of the highest ranked risks. Whether deliberate or accidental,
someone can by-pass the security process, which can result in potentially catastrophic outcomes. One of the
key elements of cyber security is to deal with these exceptions and make sure such risks are identied and
properly managed before they have an impact. This requires a good provisioning process where roles and
authorisation are tightly managed.
On the technology level, making sure that security patching and system updates are done periodically and
system logs are analysed appropriately to detect any intrusions into the systems. Also protection against
malware injection and viruses are key in mitigating any impending attacks.
At the operations level, it is crucial that everyone who has access to the system is clearly tied to the specic
identity or user name and an audit is enforced electronically. Also, restricting the number of personnel who
can remotely access and control these systems is vital. All ex-employees should be immediately blocked
from access to any systems. It is not uncommon to hear that an ex-employees security access is often still
valid weeks after they have left the company.

The drivers for intelligent buildings necessitates that systems integration introduces new and novel risks into the
building environment, some arising from the integration of legacy systems and others as a result of cyber-attacks
through remote access. Intelligent buildings are a new and evolving area and there is a heightened need for building
owners, occupiers and operators to understand the cost being smart. It is incumbent on building owners to make
sure that the relevant cyber security processes are in place and adhered to by the operators. Having a clear
understanding of security processes and measures, and following the process rigorously is the rst step in
successfully dealing with cyber-attacks,

The following are some basic recommendations to handle cyber security, but smart buildings can get a head start
using these steps, that can make a big dierence in the current situation (From 2015 IOActive):

Create a simple checklist for a regular review on cyber security measures and processes.
Check for proper encryption, authentication and authorization levels and make sure the systems can be
easily updated.
Ask all vendors to provide all security documentation. Make sure Service Level Agreements include on-time
patching of vulnerabilities and 24/7 response in case of incidents.
Fix security issues as soon as they are discovered. A smart building can continuously be under attack if
issues are not xed as soon as possible.
Create specic Emergency Response Teams that can deal with cyber security incidents, vulnerability
reporting and patching, coordination, information sharing, and so on.
Implement and make known to the maintenance crew/personnel secondary services/procedures in case of
cyber-attacks, and dene formal communication channels.
Implement fail safe and manual overrides on all system services. Dont depend solely on the smart
technology.
Restrict access in some way to public data. Request registration and approval for using it, and track and
monitor access and usage.
Regularly run penetration tests on all city systems and networks.
Finally, prepare for the worst and create a threat model for everything.

By Subramanian Gopalaratnam,

2/3
Global Head of Innovation & Technology for Xchanging

3/3