CRE cybersecurity series: The main risk with connected buildings

Imagine a world where your ATM, your smartphone, your coffee shop or your airline were no longer connected to the internet. Do you know anyone who would want to go back to that world? Of course not! The benefits of instant communication, real-time weather and scheduling updates, financial transactions and e-commerce are far too valuable to just give up.

From the way the media portrays the dangers of IoT, it seems there’s only one legitimate way to protect your buildings from cybersecurity breaches: don’t connect to the internet. No internet, however, means no smart sensor technology in your buildings, cutting them off from almost all the benefits associated with a successful smart building journey. These include improved occupant comfort, the use of analytics for predictive maintenance and new revenue models, and lower costs through improved building performance and process efficiency. Moreover, the mass adoption of smart building and IoT technology is already well underway in CRE; is this hardline approach really worth being left behind by industry competitors, all for the sake of better cybersecurity?

CRE cybersecurity issues are often pre-existing

The reality is that maintaining buildings offline was never really an effective way to protect them against data leaks, network breaches or remote tampering. The risk doesn’t lie in the smart building technology of the present and near future, but in the past three decades of outsourced maintenance and obsolete technology.

Unfortunately, it’s impossible to know how secure both smart and non-smart buildings are without a strategic and comprehensive site audit. This is for two reasons.

  1. Unsupervised contractors or even internal staff may have compromised your CRE cybersecurity without your knowledge. Any of your building management devices could have been plugged into an unencrypted internet connection without the permission of the FM team or management. Until recently, it was commonplace for these connections to be simple, unencrypted and exposed to the internet, often with no standardized process for logging these details for future site teams. In particular, BACnet devices plugged into an unprotected connection can allow outside parties to upload new unit configurations and even firmware, leaving the door wide open to data leaks and tampering with unit functionality.
  2. Your internet-connected FM software, such as a BMS, may not be up to date. Software updates both enhance the user experience with new features and safeguard against new types of malware. Therefore, with any software being used to manage buildings, it’s absolutely crucial that software developers regularly dispatch security updates, and that FM staff know to install them.

The first steps to airtight CRE cybersecurity

Smart buildings and IoT technology aren’t entirely to blame for the recent onslaught of CRE cybersecurity breaches, as these vulnerabilities are often pre-existing and undetected. If you’re not sure how vulnerable your organization is to cyberattacks, the first step should be to consider a comprehensive site audit of your building network and all systems. To find out how progressing your smart building journey can deliver airtight portfolio cybersecurity, check out part 2 of our ‘CRE cybersecurity’ series.

For the latest technology and CRE cybersecurity news and tips, sign up for Switch Automation’s e-newsletter.
