A typical office environment looks significantly different from a few years ago (and no, this is not another “effects of the pandemic” story). In this case the difference-maker is building automation, which has become more widely embraced for managing commercial buildings as organizations and property owners realize the benefits of centrally controlling and managing independent systems within a facility.

This trend has also led to the rise of the “smart building,” bringing with it an even wider array of potential business benefits in terms of productivity, employee convenience and efficiency.

It’s a space worth watching. The global smart buildings market is expected to grow from $72.6 billion in 2021 to $121.6 billion by 2026, according to the analyst firm Markets and Markets.

But operating a smart building can also open the door to increased risks of cybersecurity attacks – unless the right policies, and organizational mindset, are in place.

What Makes a Building “Smart”?

Commonly used building automation functions and management systems include lighting control, access control, building access control, people movers (escalators, walkways, elevators), fire control/suppression systems, physical security systems including cameras and HVAC.

While each of these can operate independently, many building management systems are integrating, while still segmenting, these disparate functions into a centralized, distributed network.

The smart building concept complements traditional building management systems through a combination of connected devices, sensors and software to monitor and control building infrastructure, analyze usage data, and generate insights on people traffic and usage patterns.

For example, a smart building’s HVAC systems can be programmed to pre-defined temperature levels based on previous patterns of occupancy levels at certain times of the day or year. Specific elevator banks can be turned on or off according to known daily employee traffic patterns.

Having this degree of control over building systems can result in significant cost savings, increased energy efficiency and a more comfortable working environment. However, the increased productivity and efficiency gained in a “smart office” can also create equal amounts of cybersecurity threats.

Configuring a physical network that connects all these subsystems means the controllers in these systems’ sensors are now inter-connected. Adding more devices with more connectivity increases an organization’s attack surface exponentially.

Security Not a Priority … Until It Is

Even with the rising number of recent high-profile cyber-attacks, unfortunately, cybersecurity still remains an afterthought for many organizations. In the case of smart buildings, security must be a consideration from day one of any building project, whether it’s a new construction or a facility upgrade.

It works best as a collaborative effort between building managers, facility engineers and the IT/security teams of each tenant organization.

The building owner may offer a base level of services: power, lighting control, people movers, or HVAC. But the tenants manage their own networks. This creates an interesting division of responsibilities that closely resembles a supply chain service model where the success of each party is dependent on the activities of the other.

It’s also important to view smart building security in a bi-directional manner, as the smart facility might not be the ultimate focus of a threat. Instead, it could simply be the easiest entry point into an organization, allowing an adversary to then pivot toward the high-value business functions that are their real targets.

If a cyber-criminal wants to bring down a financial services firm’s data center, then what’s a better way than attacking the chiller that cools the data center?

“If you don’t know what you have, you can’t secure it …”

The first step toward effective cybersecurity in any facility, smart or otherwise, should be a risk assessment. An organization first needs to understand its current security posture before defining a practical security roadmap. Other steps can include:

  • Network segmentation to limit or prevent access to specific connected resources and devices
    Extended Detection and Response (EDR) platforms on host agents
  • Network threat detection tools to monitor a network’s traffic and the industrial devices connected to it.
  • A macro security zone concept to securely manage each subsystem, critical to understanding how an adversary may be traversing different business functions.


A Smart and Secure Future

The future of the smart building is bright, as more modern building system designs are incorporating security as a primary consideration. The top vendors in this space (Honeywell, Johnson Controls, among others) are developing cloud-based systems and apps that add new features, stronger capabilities and great user customization to existing smart building systems.

One ongoing challenge is the lack of clearly defined standards specifically designed for building management systems. One organization, BuildingCyberSecurity.org is attempting to act as a standard-bearing consortium, but they are championing the IEC62443 standard, which is more designed for industrial automation systems. There are other groups working to standardize and drive innovation but they’re all disparate efforts with no one centralized voice.

At the same time, many organizations, for example some financial institutions, are fully embracing technology and innovation with their facility control and building management systems. They’ve unlocked the key to efficiently managing a fleet of buildings while delivering value in terms of true situational awareness from a cybersecurity operations perspective to their tenants (their own branches.)

There is no one-size-fits-all approach to designing, managing and securing a smart building. It must be scalable and on pace with individual growth plans, matching an organization’s business, employee profile, customer base and market.

Roger Hill leads the Operational Technology (OT) and Product Security practice at Kudelski Security. He works with organizations interested in designing, building, and operating secure OT/ICS environments and meeting the challenge of IT/OT convergence. For additional resources, download our whitepaper: The Great IT Convergence eBook

Was this article helpful?