"Smart" Cities and Buildings: The Emergence of the Cyber Safe Building

Last week, The Urban Developer ran a feature on the Internet of Things (IoT): How IoT technologies are adding value to commercial buildings. Smart commercial buildings are currently the highest users of IoT technology; and in a landscape where office vacancies are growing, simply providing a workspace in a great location is no longer sufficient.

Norman, Disney & Young – a global engineering consultancy and cyber security company – to offer an insight into emerging smart technologies and the associated cyber security risk facing the urban planning, construction and design engineering sectors.

Industry forecasts expect the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. Many of these devices will be deployed in buildings, public works and critical infrastructure. Smart technologies will establish an urban landscape that is all-connected, all-sharing, all-knowing and imbued with a functionality that can provide unprecedented levels of comfort and convenience.

The convergence of smart technologies and the built environment will improve the operation and capabilities of buildings, but will also lead to increased vulnerabilities and attack vectors not previously encountered within design engineering and urban planning.

Research suggests the impact on the building and construction industry will be significant. No longer are we looking at cyber attacks targeting at the company or user level, we now have "attack vectors" that can potentially shutdown a shopping precinct, a power grid, a major city, perhaps even a nation. An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities.

Anatomy of a Virus

Earlier this year, an Austrian hotel Romanantik Seehotel Jaegerwirt, was targeted by cyber criminals. The electronic key system at the 4-star hotel was infiltrated, rendering it useless. The hotel guests were unable to move in and out of their hotel rooms and the cyber attackers demanded a ransom of EUR 1500 in Bitcoin from hotel management. The security breach also managed to compromise the hotel’s reservation and cash desk systems, bringing the entire operation to a halt.

Justifying the hotel’s decision to pay the ransom, the managing director stated, “The hotel was totally booked with 180 guests. We had no other choice. Neither police nor insurance companies can help you in these circumstances.”

In another major breach – Global hotel chain InterContinental Hotels Group Plc said 1,200 of its franchised hotels in the United States – including the Holiday Inn and Crowne Plaza, were victims of a three-month cyber attack that sought to steal customer payment card data.

“The breach lasted [a month], InterContinental spokesman Neil Hirsch said on Wednesday. He declined to say if losses were covered by insurance or what financial impact the hacking might have on the hotels that were compromised, which also included Hotel Indigo, Candlewood Suites and Staybridge Suites properties.”

These attacks are no longer rare occurrences. The ability for cybercriminals to monetise their efforts has seen an increase in attacks directed at hospitals, universities, private businesses and even law enforcement infrastructure.

Cybercriminals are focusing on building design and operational functionality to develop new attack vectors. A collision of building connectivity can allow an attacker access to Point of Sale systems via the HVAC network. The convergence of information and operational technology – the software and hardware – has seen the once isolated environment of operational technology connected to the IP network. Building Management Systems (BMS) are now a conduit to an array of interconnected building and business services.

In 2013, Target Corp fell victim to a major breach of stolen customer data. Target POS systems were compromised by a computer from Target’s HVAC vendor. The stolen credentials of the HVAC vendor enabled access to Target’s application dedicated to vendors. Through a series of hacking activities, the breach resulted in 40 million shopper credit and debit cards being compromised.

Cyber Security by Design - Integrating building design and engineering into the development process

In an IoT world where a vending machine or BMS can potentially launch a cyber attack and disable your building’s critical services there is an imperative to address these risks at all levels of the build design and deployment stages. Builders, engineers and critical services specialists that do not factor in potential cyber risk threats as part of their design considerations expose their assets, their occupants and the public to unnecessary risk.

The inclusion of smart technologies within building services and design considerations requires a collaborative approach to ensure security and privacy standards are maintained. This collaboration must extend to electrical and mechanical engineers, HVAC, fire safety, BMS, and audio visual specialists. Building industry clients are increasing becoming aware how their brand is exposed in an all connected, always on digital age. Increasingly, they are looking at designers and engineers to factor these concerns into their service offerings and solution submissions.

The news is not all bad. Collaboration and engagement is the key.

At the risk of having presented a dooms-day scenario. It's important to add that the news is not all bad. Key to meeting these smart building cyber challenges is a willingness for key players within the building and construction industry to consider the cyber security issues that will inevitably impact upon their design decisions and solution offerings.

The incorporation of cyber security design frameworks and risk based analysis tools for building services needs to become part of the building industry professional’s toolkit. By no means does this require allied professions – the HVAC specialists or design engineers – become cyber security experts, but it does require the consideration of cyber security controls to be factored into their designs.

The cyber security industry is establishing a presence within the built environment which reflects these cyber security design concerns. The future of smart urban planning will usher in an era of creativity, functionality and convenience resulting in unprecedented opportunities. Key to this successful building services evolution will be the assurance that, private, public and corporate cyber safety is maintained and protected to community expectations.