As with many areas of application today, smart buildings rely on connectivity. Consumers, and indeed employees, are increasingly demanding flexibility, ease of access and convenience, not to mention delivery of services and content across a range of devices. Buildings like the Edge in Amsterdam, where you connect to the building’s services through a smartphone app, have been labelled as the future of smart buildings. Indeed, the Edge has been billed by Bloomberg as the “smartest building in the world” and it is likely that buildings like this will become the norm rather than the exception.

However, while the benefits of this connectivity are clear for the businesses and workers that inhabit smart buildings – flexible working options, energy efficiency and a nice working environment to name but a few – this connectivity also increases the attack surface for the software in the building.

Let’s take a step back and look at the security of businesses in general first. They know that it’s crucial to have a cybersecurity strategy in place to protect their intellectual property (IP) and sensitive data. However, a security strategy will only be effective if tailored to the threats that an organization faces, and this is seldom the case.

The problem is that the pace of change in business models has not been matched by the evolution of organizations’ approaches to security. The myriad of connected and Internet of Things (IoT) devices used by employees are generally provisioned outside of a company’s IT security perimeter, and have often been shipped with no security built in. This connectivity can therefore assist in the spread of malware, ransomware and other threats, and without proper security the same applies to the connectivity provided by smart buildings.

The hacker business model

The bottom line is that as the proliferation of IoT and connected spaces continues, it is likely to gain the attention of hackers who are looking to profit. Many attacks originate from organized crime groups that are looking to cybercrime as their next big, and perhaps easiest, payday. Therefore, the motivation to launch an attack will often come down to the total available market (TAM) versus the investment required to hack it. Consequently, the first target for any attack is always going to be the least secure device (particularly pertinent in IoT) or system, many of which will be unsecured consumer devices connected to a smart building.

When it comes to securing the smart building, it’s important to understand what hackers are after and how they gain access, despite security measures that are already in place. It is also important to disrupt a hacker's business model by making it difficult to exploit vulnerabilities from IoT services and connectivity that exist in the infrastructure. It’s not about making yourself un-hackable, as this is pretty much impossible, but it’s about making yourself unattractive as an attack target.

With this in mind, security teams within a smart building must implement an ever-evolving defense-in-depth approach to cybersecurity, continually raising the security bar against the latest attack vectors. This approach needs to involve many interacting layers of security being implemented throughout the ecosystem, rather than just a simple perimeter defense or hardware-only security approach. Then the approach must be “rinse-and-repeat”, with an ongoing security strategy that revisits hacker threats and ensures that security measures address the risks to your business.

Smart buildings are the workplaces and connected spaces of the future, but to truly realize the benefits for both businesses and consumers alike, the risks and vulnerabilities brought about by this increased connectivity must be mitigated effectively. Therefore, ownership of security must be taken, and the importance of a multi-layered cybersecurity strategy in disrupting a hacker's business model cannot be underestimated.