Do the continued advancements in building automation software open up cybersecurity concerns for facility managers? When you arrive in the office, you may take certain things for granted – the lights will be on, the heat or air conditioning will be working and the building entry system will be up and running. These conveniences are connected through the internet, and with this automated functionality we could be exposing the company to cybersecurity threats every day.
In the past, building automation systems, which include heat, lighting and air conditioning, were stand-alone systems, never meant to be connected to the public internet. Now, in the age of facility management software, these systems have joined the billions of other connected devices. Smart homes and offices represent 45% of total “connected things” in use in 2015.
There are obvious advantages to these modern “smart building” automation systems. Operators are able to control a building’s physical environment remotely while configuring automatic adjustments, lowering costs and adapting dynamically to occupants’ needs and building conditions.
Broadly speaking, unauthorized access to a building could potentially result in financial, physical, and structural issues. For example, operational disruption could lead to a loss in employee productivity and service delivery; inappropriate changes to a building’s ventilation rate could negatively impact the health of occupants (i.e. “sick building syndrome”); and adjusting device settings beyond reasonable limits could damage equipment or the building itself. Without the appropriate security measures in place, systems are vulnerable to basic hacking techniques just like your computer.
Concerns regarding the potential risks associated with building automation can be addressed by employing several strategies. Cybersecurity practices should be integrated into training and deployment practices for building administrators, while building operators should implement an array of technological safeguards including anti-virus protection software, firewalls, intrusion detection systems, online vulnerability map tools, passwords, secure communication utilities (i.e. virtual private networks), and user accounts. Building owners should develop contingency plans that they are capable of executing in the event of a disruption in functionality, in order to maintain an acceptable level of service.
While the ability for hackers to control the lights and temperature of a building may not seem like it’s worth the effort, hackers are after much more. IT systems, such as critical servers, can be shut down or damaged by overheating. On the other end of the thermometer, if a heating system is shut down in the winter, it can lead to burst water pipes. Or, if building fire alarms are set off, the sprinkler system may be triggered.
The interconnection of individual building components and larger systems has relevant implications for national security. This issue is already on the Federal Government’s radar, as evidenced by a 2012 FBI Cyber Alert describing an unauthorized intrusion into the Industrial Control System (ICS) of an air conditioning company in New Jersey. The most immediate analog at the federal level involves the security of government-owned and operated buildings at home and abroad. Considering the likelihood that a U.S. embassy might contain or provide a means of accessing sensitive and privileged information, the presence of building automation at any one of these sites presents security challenges for the United States Government.
Seem far from reality? It’s not. A team of IBM ethical hackers was able to hack into a building automation system and gain the ability to tamper with various physical aspects of not just the building they originally compromised, but other buildings that were managed by the same system. Fortunately in this case, these security flaws were brought to the attention of the building operators and ultimately patched.
Gartner estimates 206.2 million connected devices are currently being used in commercial “smart buildings” – a number that is expected to grow to 648 million devices by 2017. It is worrisome, however, that in a recent survey of operators, only 29% indicated they had taken action or were in the process of taking action to improve cybersecurity for their systems.
Providing a sense of security in a world of increasingly automated systems requires finding a balance between human decision making and intelligent operation, flexibility and control, and freedom and privacy. Through careful training, diligent monitoring, and following best practices, this balance can be attained. That building automation can help reduce our energy consumption and increase energy security makes striving for this balance all the more imperative. Building managers can take steps to ensure network protections are implemented to guard against attacks.
It takes a conscious effort from all involved parties to understand and implement protocols and procedures to lessen the risk of security threats that may come through an automated system.