
Gwenaelle Cheramy, Regional General Manager – BMS Europe for Trend Control Systems/Honeywell Building Automation, explains why the UK’s status as the world’s third most targeted country for cyberattacks demands a more proactive approach to securing Building Energy Management Systems (BEMS).
In December 2023, it was revealed that Sellafield, the UK’s most hazardous nuclear site, was the victim of a long-running series of cyberattacks. Breaches could be traced back as far as 2015, according to an article by The Guardian.
However, it proved difficult to determine whether all malware was removed from the site’s IT networks and embedded systems. This gave hackers unprecedented access to confidential data related to the site’s most sensitive operations and equipment.[i]
Many facilities managers and business owners may look at the case of Sellafield and think that their own facilities would not make a valuable target to hackers. This is not the case; the UK is the third most targeted country in the world for cyberattacks,[ii] and 39 per cent of UK businesses — of all sizes — reported cyberattacks in 2022.[iii]
As infrastructure within the built environment becomes more digital, the integration of Internet of Things (IoT) devices and online connectivity introduces vulnerabilities. Today, it is critical that facilities managers and systems integrators implement proactive security measures to safeguard buildings against cyberattacks and prioritise the reliable and secure operation of building systems in the face of ever-changing technological challenges.
The rise of smart buildings
Smart building technologies have had a transformative impact on the built environment. The integration of smart devices and connected technologies has significantly enhanced the operational efficiency and user experience within buildings and continues to do so.
Automated climate control, intelligent lighting systems, and advanced access control systems contribute to a more comfortable and sustainable working environment. Additionally, these smart technologies allow for data-driven decision-making, helping to optimise energy usage and overall building performance. Despite these positive impacts, the increasing connectivity within smart buildings poses substantial challenges, particularly in terms of cybersecurity.
The more interconnected these systems become, the greater the number of potential entry points for cyber threats. As such, facilities managers must acknowledge the evolving risks of the digital landscape and take a proactive approach to cybersecurity.
Implementing robust security measures, such as encryption protocols, regular system updates, and thorough network monitoring, becomes imperative to protect entire buildings against potential breaches. Balancing the benefits of smart building technology with stringent security measures is crucial for the long-term resilience and reliability of modern built environments.
Vulnerabilities in interconnected systems
With the growing interconnectivity of devices, the attack surface for malicious actors expands, presenting a multitude of vulnerabilities that can be exploited. Interconnected building systems such as heating, ventilation, and air conditioning (HVAC), security cameras, and access control systems create a complex network where a breach in one system can potentially compromise the entire infrastructure of a building. As such, unauthorised access becomes a looming risk, with malicious actors identifying weaknesses in interconnected systems to gain entry to secure areas, resulting in serious safety concerns.
A cyberattack on interconnected devices often begins with exploiting vulnerabilities in one or more entry points within a network. Malicious actors may target weak passwords, unsecured communication channels, or outdated software to gain unauthorised access. Once inside, they can navigate through the network, escalating privileges and compromising multiple devices.
This type of attack can cause serious issues for businesses. If hackers gain access to a BEMS or a commercial facility through a compromised entry point such as an internet-connected alarm system, they could then manipulate critical building equipment. For example, hackers could target HVAC systems to adjust building temperatures to unsafe levels.
Similarly, vulnerable smart building systems can provide a backdoor to a company’s IT network. If a building controller or HVAC system is using the same Wi-Fi network as office computers or other networked equipment, it’s possible that hackers can gain access to the data stored on those other devices.
With this in mind, it is imperative that facilities managers and system integrators prioritise the security of a building’s interconnected devices, but this is no easy task.
Designing robust security frameworks
Due to the complexity and diversity of interconnected systems, ensuring robust security can be challenging. The number of devices, each with its own software and security protocols, creates a varied environment where vulnerabilities can arise quickly. This is why frequent firmware updates and patches are important in maintaining security, but these updates are often neglected because systems usually continue to operate as normal without them.
There are several steps that facilities managers can take to implement a comprehensive security strategy. Utilising authentication mechanisms, such as biometric access controls or smart card systems, adds an extra layer of protection against unauthorised access. For connected systems, encryption is essential to protect sensitive data. In a scenario where data is intercepted, end-to-end encryption keeps data indecipherable to unauthorised personnel.
Lastly, and equally crucial, is the education of employees within an organisation. Training programmes can also foster a security-conscious culture, instilling awareness of potential threats and promoting responsible usage of interconnected devices. Although operational technology (OT) cybersecurity practices are slightly different from standard IT cybersecurity, the fundamentals of the training are transferable. The National Cyber Security Centre (NCSC) has several programmes available to help businesses improve cyber awareness among staff.[iv]
A secure and connected future
However, the linchpin of a comprehensive security strategy ultimately lies in the technology itself. Facilities managers must prioritise solutions with embedded and robust security features. This includes regularly updating software to patch vulnerabilities as well as incorporating security-by-design principles during the development phase. By integrating security measures at the core of the technology, facility managers can establish a resilient foundation for safeguarding interconnected devices within their infrastructure.
Trend Controls’ IQ5 building controller is one example of a building system that is designed with security at its core. The controller has been developed following ISA 62443-4-1 certified development life cycle processes, employing industry-leading communication and data encryption technologies to enable a secure defence against unauthorised access. Each controller uses strong authentication measures that only allow authorised personnel to access data from the controller or any of the 300 I/O points.
Of course, the key to ongoing security is keeping system software and firmware updated to maintain protection against the most recent flaws. Controller systems like IQ5 are supported by a wide range of vendors across the UK and Europe, so facilities managers are never far from expert support and service.
This is just one example of how building technologies are incorporating security features that help improve the safety of the future of the built environment. While there are several steps that can be taken and the interconnected web of devices can be complex, facilities managers who plan security into their systems can have greater peace of mind in the age of smart buildings.
Sources
[i] The Guardian, UK nuclear revelations: how bad could they get and could they affect the US and Europe?, Published: 6 December 2023 [Accessed: 2 May 2024]
[ii] UK Government, Science, Innovation and Technology Committee, How resilient is UK Critical National Infrastructure to cyber-attack?, Published: 24 October 2023 [Accessed: 15 January 2024]
[iii] UK Government Department for Digital, Culture, Media & Sport, Cyber Security Breaches Survey 2022, Published: 11 July 2022 [Accessed: 15 January 2024]
[iv] National Cyber Security Centre, NCSC Certified Training, Published: 26 March 2019 [Reviewed: 30 November 2023] [Accessed: 6 December 2023]