MODUS Asia Edition Q4 2014


Security

GHOST IN THE MACHINE

As today’s buildings become increasingly smart, are we at greater threat from malicious hackers? Andrew Brister looks at the risks and what can be done to combat them.

Illustration: Noma Bar

Is your client’s building safe from attack? Not content with bringing websites down, malicious hackers are finding a new, often all-too-easy way to wreak havoc: through building management systems and controls. Recent attacks on Google’s Australian office and US retail chain Target are said to have originated in the firms’ building control systems, highlighting the scale of the problem. In the case of Target, hackers went on to compromise credit card details of an estimated 40 million customers.

Closer integration of building management systems with a company’s IT network is leaving companies open to attack. “End users don’t want to manage several separate networks for their building and building controls, they want one, converged IP network [through which all computer systems, data, voice and video, wired and wireless networks run],” says Chris Topham, head of marketing at IT and building controls specialist Abtec Network Systems. “This makes a lot of sense to almost everyone in the building supply chain. With a converged IP network the end user is able to run the corporate system [data, email, voice networks] alongside building controls – lighting, HVAC [heating, ventilation and air-conditioning], security access – on one physical network. This saves on costs, as there are fewer components to purchase, less things to power and it’s easier to manage.”


There are often good reasons why you would need remote access to these networks. The increasing drive for ever-more efficient buildings has led facilities management firms to provide 24/7 health check services and remote monitoring of HVAC units, lighting controls or energy metering devices. Contractors can harvest important data on energy use and peak times of use, for example, without setting foot in the building. These services are going to increase exponentially with the “Internet of Things” – as manufacturers offer more and more in-built IP connectivity in everything from lamps and chillers through to vending machines and door locks.

Cyber attacks can take many forms, including, but not limited to: hacking into the building management system to change temperature settings – this could be critical in a data centre, for example; disabling alarm systems and CCTV cameras to gain access and stop the recording of a theft; gaining access to remote monitoring systems to manipulate data from energy use meters; introducing malware into the network to cause business disruption. As buildings become smarter, so grows the risk of exposure to such practices.

Hugh Boyes is cyber security lead at the UK’s Institution of Engineering and Technology (IET) and author of its Resilience and Cyber Security of Technology in the Built Environment briefing (box, opposite). “This is not yet on the same scale as the hacking of websites, but it has the potential,” he says. “As well as malicious outsiders, you have to be aware of the inside threat, for example a disgruntled ex-contractor who still has access to the system. They could take down a data centre, for example, with loss of business and reputational damage.”

“This affects everyone in the building supply chain – architects, contractors and end users will all have their reputations damaged,” concurs Topham. “What it highlights is that our industry’s attitude to security matters needs to change.”

Boyes argues that whenever upgrades or new investment are planned, a strategic review of emerging or upgraded threats should inform the requirements and design brief: “Assuring the continuity of intent through the construction phase may require investment in competent resources.”

Martin Williams, project engineer at consultant Grontmij, agrees: “You need to specify firewalls between the physical connection that sits between the outside world and internal systems, and the design specification needs to be locked down and followed through tendering to the main contractor and on to specialists. You should ensure that all of the information associated with discrete systems such as CCTV and access control is self-contained, as far as is possible, and only goes out to the internet with the appropriate information and appropriate address.” Williams believes not enough consultants are capable of making that specification in the first place and that “there are only a select bunch of people available to the marketplace to carry out the installation and configure it appropriately.”

This applies to facilities management as well. “You need to carry out due diligence on your contractors’ IT security arrangements if you are considering remote access to HVAC systems, for example,” says Stan Mitchell, CEO of Key Facilities Management. “If you are using a supplier who is not overtly aware of the security issues, and you’ve allowed them access to your systems, you’ve just enhanced your risk. You need to bring in the specialists that have the right degree of awareness to come up with appropriate solutions.”

It will only take one or two high-profile cases for clients to sit up and take note of the risks from cyber threats. If the building industry cannot deliver solutions, they will turn to those in the IT sector that can.

RICS has revised its guidance on security for property managers. Go to bit.ly/rics-security


MODUS Asia Edition Q4 2014 by ROF Media - Issuu