The integration of building and business systems within so-called ‘intelligent buildings’ will create a range of new potential risks.
The authors of the Sector Insight report ‘Intelligent Buildings: Understanding and managing the security risks’ warn that third parties gaining unauthorised access to IP-based building management systems could disable or take control of building systems, with the result that continued occupation might no longer be safe, due to physical damage (fire or flooding, say) or other life-threatening actions.
People in intelligent buildings might bypass security controls or operate systems incorrectly by accident or design, the report suggests. Integration of previously disparate systems can magnify the impact of errors or omissions, and while intelligent buildings’ systems integration brings together IT and facilities management teams, they may have different priorities, cultures, and reporting chains – all of which could “inhibit an effective response to incidents or faults”.
“Intelligent buildings are potentially mission-critical environments,” says IET cyber-security lead Hugh Boyes, one of the report’s authors. “From a technology perspective, integration may introduce new failure modes, where building systems can interfere with business systems and vice versa. It is normal, for instance, for enterprise computers to run the latest anti-virus software and be regularly patched. This may not be true for the building management systems or computers used for safety-critical systems.” This could lead to vulnerabilities from malware introduced via network connections or from infected media, Boyes added.
The training and knowledge of facilities management should be commensurate with the sophistication of the systems integration and the impact that system failure will have, the report recommends. It also calls for cross-training of some IT and support staff to facilitate collaboration during incidents and fault diagnosis, and adds: “The operations team need to collect feedback from building users to understand whether the building is supporting or hindering them. This is important as users will often seek to bypass controls if they feel they hinder rather than support the user.”
Read the IET’s report - ‘Intelligent Buildings: Understanding and managing the security risks.’