Smart buildings need cyber-resilience built-in

Internet of Things (IoT) and machine learning are coming together to bring about a sea change in how we use buildings, at home and in the office.

Smart infrastructure makes domestic households more energy efficient and allows companies to optimize their real estate. Almost every large enterprise and government organization is currently working on smart infrastructure projects at some level.

It’s no surprise that the market for smart buildings is expected to increase four-fold by 2021.

The pursuit of greater efficiency and convenience, however, introduces new risks. Many IoT devices and management systems still run on legacy software and lack any kind of security standards. This makes them vulnerable to attacks by hackers.

The answer is to build-in cyber-resilience from the beginning starting with securing all connection points using virtual private networks (VPNs).

For some years now the way we work has been evolving. The traditional 9 to 5 office-based culture has given way to a more fluid, personalized way of working.

Increasing employee mobility means workers spend less and less time in the office leaving desks, meeting rooms and even whole floors empty for many hours at a time.

With the cost of real estate in many of the world’s biggest cities at a premium alongside falling occupancy rates organizations are under pressure to automate everything from hot-desking to car park management to make the best possible use of their office space. Meanwhile more and more residential dwellings are being fitted with smart devices so that heating, electricity, air conditioning, surveillance and other systems conserve energy and are easier to manage.

Industry observers agree that the smart building market is about to undergo a period of exponential growth, although the projections vary greatly.

Analysts Markets And Markets, for example, in their Smart Building Market report estimate growth rising from $7.42 billion today to $31.74 billion by 2022.

Another report – this time by Navigant Research - talks about a market for Europe alone of $83.5 billion in 2017 rising to $111.9 billion by 2026. Meanwhile manufacturer of IoT devices, ARM, estimates one trillion smart units will be built between 2017 and 2035.

The march of progress towards smarter building infrastructure, however, is not without risk.

The diverse range of IoT systems in smart buildings are still running old or unpatched software and frequently communicate using non-standard protocols. This makes detection of malicious activity or possible threats much harder.

At the same time, smart buildings make attractive targets for cyber-attackers. With a successful intrusion into the central control point or Building Automation System (BAS) it would be possible to stop elevators from working, turn up the heating, disconnect power supplies, hack into IP-connected cameras or create a botnet for launching DDoS attacks on other systems.

If the building belongs to a government department or financial institution a successful intrusion into the BAS could open up a gateway into the IT network as a whole.

Question marks over the security of IoT devices show are still largely unresolved.

U.S. Congress is debating the Cyber Shield Act of 2017 to help eliminate the most common vulnerabilities in IoT design.  However, the experts involved have many conflicting interests making it unlikely they will agree on a universal standard any time soon.

Moreover, the program is voluntary. Vendors will be free to choose whether or not to comply.

Leading manufacturers like ARM are also working on the problem. Their recently announced Platform Security Architecture (PSA) is a start at building security into IoT systems at the design stage.  PSA aims to encourage companies to build smart devices using ARM’s technology by doing a lot of the difficult security modelling for them.

According to ARM, one way to build in device protection is to prevent firmware tampering using strong, crypto-based boot architecture. Device management, too, needs to be architected along similar trusted lines.

Having built security in at device level the next stage is to ensure intelligent systems communicate with one another securely by default.

VPNs provide encrypted connections to allow proprietary data in smart buildings to be transferred privately across the public Internet between remote locations all over the world. Their flexibility means they can be readily scaled and adapted to meet any data exchange security requirements.

In summary, smart building projects are very much part of the here and now. In a few short years, they will have revolutionized how we all live.

Yet, despite obvious risks, universal security standards for intelligent devices and control systems in buildings are still some way off.

Moving forward it is imperative that the building industry and their clients start to specify they will only deploy smart systems that have security built in from the start. Certainly, there are encouraging signs that this is starting to happen.

At least when it comes to connectivity, a VPN is already one tried and tested technology capable of keeping smart device data from buildings private and security.