Sleiman ... vital to protect smart buildings.

Smart buildings are rising in popularity in the GCC but they are also susceptible to cyberattacks. It is, therefore, imperative that preventive measures are taken to protect the buildings and tenants from any threat.

A comprehensive report, entitled ‘Cybersmart Buildings’, co-authored by Booz Allen Hamilton and Johnson Controls, emphasises that corporations and governments should be adequately prepared for potential cyber risks.

Smart buildings operate as a link between the physical and digital world and leverage data to optimise operations and lower facility costs, while increasing safety and sustainability. However, unlike cyber risks in other industries, smart buildings are not just susceptible to data breaches and IT interference, they are also vulnerable to disruptions that could impact several aspects of daily life, says the report.

Cyber threat actors have demonstrated capability and intent in hacking building automation systems, safety systems, and critical environmental technology. Smart system network designs must be secured, if integrated with IT systems and networks, to make sure internal systems are not exposed to new threat vectors from building automation systems. For example, hackers can exploit vulnerabilities in heating, ventilating and air conditioning (HVAC) systems as the entry point into a corporate network, or hack into IoT (The Internet of Things) devices to breach the privacy of residents, it adds.

The Telecommunications Regulatory Authority (TRA) of Bahrain issued Resolution No 5 this year to implement necessary cybersecurity measures and emergency planning procedures to prevent harmful disruption or damage to critical telecommunications infrastructure from cyber threats. IoT applications, 5G, and cloud computing are integrated into the national communications network and are also being introduced through automation and networking systems for smart homes and businesses.

In line with this, Mecos, a leader in building automation controls in Bahrain, announced a partnership with another global provider, Control4, to install systems in offices or homes that allow users to access and control surveillance systems, energy management systems, and real-time monitoring of critical alarms and alerts directly from a smart phone.

As the number of sensors and devices talking to each other increases and automated systems control more of our environment, it is no longer enough for a building to be smart – it must now be cybersmart. This entails a blended approach of risk-based planning, technology, working with the right partners, assessing old and new infrastructure, processes and capabilities across the building lifecycle, and people skills, says the report.

 

BUSINESS VALUE

Dr Adham Sleiman, vice-president of Booz Allen Hamilton, says: “There is tremendous business value in embracing building automation, including their cost savings, energy efficiency and the security and convenience they offer to their dwellers. Smart buildings are an essential component of a smart city, pushing the power of digital optimisation into offices and homes.

“Thus it is of paramount importance to protect smart building investments for all stakeholders. To achieve this, cross-functional cooperation between internal and external stakeholders is a must, including IT, cybersecurity and facility teams, external business partners and vendors. This will ensure that the truly transformative benefits of automation and connectivity can be protected so that smart buildings can achieve their full potential.”

Booz Allen Hamilton has created a core functions checklist to help assess and plan for threats throughout the smart building lifecycle phases:

• During acquisition, consider security requirements. Work with vendors and technical partners to prioritise security as an integral part of any smart building solution. Define how you want the vendor to integrate with your existing network. Be prepared to articulate the budget for security operations throughout the building lifecycle.

• During deployment, set a consistent assessment framework to evaluate security vendors and their solutions. Recognise that business imperatives like cost may supersede security concerns. So design a framework that evaluates the security implications and tradeoffs, but provides flexibility for add-on security controls.

• For operations and maintenance, build in security by understanding vendor recommendations for how to securely deploy building automation systems and work with your IT department to follow those guidelines. Furthermore, understand how to incorporate additional controls over and above vendor recommendations based on your compliance and risk needs.

Then test, monitor, and respond, while being aware of your risk. Maintain situational awareness on what’s connected. Develop and implement an assessment framework that will identify security maturity across all domains. Diligently and regularly stress-test your assumptions and technical vulnerabilities.

Merely having a compliance-focused approach of checking boxes is not enough. Wayne Loveless, principal of Booz Allen Hamilton, says: “As the world evolves to smart neighbourhoods and smart cities, potential challenges around cyber security will be inevitable. It is important to have a plan and be prepared to continually evolve. Cybersecurity isn’t a tax on the business, it is not simply an IT issue, and it certainly shouldn’t be a scare tactic. It is a business enabler and, when executed effectively, it is about insuring your investment and generating returns.”