Over the decades, there have been a number of seismic shifts in technology: mainframe computing, client-server and cloud computing easily come to mind. However, the most all-encompassing, with the inherent potential to change society as we know it, has to be the Internet of Things (IoT). It is a seismic technology shift that will change not only the world as we know it but, perhaps more importantly, how we experience it. IoT will be at the core of the smart cities we live in, the smart buildings we occupy, even the smart bodies we inhabit.
While fundamentally changing how built environments are designed and operated, this shift will expose buildings and all those associated with them to an increased likelihood of cyber attacks.
Industry forecasts indicate the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. Many of these devices will be deployed in buildings, public works and critical infrastructure. These smart technologies will establish an urban landscape that is all connected, all sharing, all knowing and imbued with functionality that can provide unprecedented levels of comfort and convenience. The convergence of smart technologies and the built environment will improve the operation and capabilities of buildings, but will also lead to increased vulnerabilities and attack vectors not previously encountered within design engineering and urban planning. Research suggests the impact on the building and construction industry will be significant. No longer are we looking at cyber attacks targeting the company or user level; we now have attack vectors that can potentially shut down a shopping precinct, a power grid, a major city, perhaps even a nation.
A hotel under siege – a lesson in commercial paralysis
One of the top European hotels became the target of cyber criminals. They managed to hack into the luxurious 4-star hotel’s electronic key system, rendering it useless. While the hotel guests were unable to move in and out of their hotel rooms, the cyber attackers demanded a ransom of over EUR 1500 in Bitcoin from hotel management. The security breach also compromised the hotel’s reservation and cash desk systems, bringing the entire operation to a halt. Justifying the hotel’s decision to pay the ransom, the managing director stated, “The hotel was totally booked with 180 guests. We had no other choice. Neither Police nor Insurance companies can help you in these circumstances.”
Emerging attack vectors
These types of attacks can no longer be considered rare occurrences. The ability for cybercriminals to monetise their efforts has seen an increase in attacks directed at hospitals, universities, private businesses and even law enforcement infrastructure.
Cybercriminals are focusing on building design and operational functionality to develop new attack vectors. A collision of building connectivity can allow an attacker access to Point-of-Sale (POS) systems via the HVAC network. The convergence of information technology (IT) and operational technology (OT) has seen the once isolated environment of “operational technology” connected to the IP network. This by default connects it to the Internet. Building management systems are now a conduit to an array of interconnected building and business services. A cyber attack that illustrates these emerging attack vectors is the Target attack. Target POS systems were compromised by a computer from Target’s HVAC vendor. The stolen credentials of the HVAC vendor enabled access to Target’s application dedicated to vendors. Through a series of hacking activities, the breach resulted in 40 million shopper credit and debit cards being compromised.
More than just a question of financial loss
The cost of compromise and disruption extends far beyond financial considerations. As governments and institutions provide integrated smart technology services to their communities and citizens, the cost of a breach can become community crippling, and potentially life threatening. Consider the hospitals that provide real-time monitoring of patient vital signs. Should they be compromised, the impact would be devastating. Or consider the reliance on accurate and readily accessible electronic medical records. Any significant compromise could render the entire medical facility and its patient service offerings out of action: effectively, offline.
As our critical infrastructure moves away from its traditionally isolated, and thus protected, model to a more networked, always-on, and therefore accessible operating model, the increased risk exposure is obvious.
The very nature of this convenient, data-rich connectivity provides enormous possibilities to the community. However, it makes our society and its citizens potentially vulnerable to attacks driven by an array of motivations. These can, and will, be monetary or political in nature, initiated by individuals or state sponsored, ideologically driven, or simply more illegal activity by organized crime syndicates.
It is incumbent upon our government leaders, visionary urban planners and strategic community leaders to ensure society is not only provided access to all that the smart world will bring, but also protected from it.
Security by design
Integrating building design and engineering into the development process
In an IoT world where a vending machine or Business Management System can potentially launch a cyber attack and disable your building’s critical services, there is an imperative to address these likelihoods at all levels of the build design and deployment stages.
Builders, engineers and critical services specialists that do not factor in potential cyber risk threats as part of their design considerations expose their assets, their occupants and the public to unnecessary risk. The inclusion of smart technologies within building services and design considerations requires a collaborative approach to ensure security and privacy standards are maintained. This collaboration must extend to electrical and mechanical engineers, HVAC, fire safety, BMS, and audio-visual specialists. Some within the building industry may consider this collaboration unnecessary, overly cautious, possibly even an attempt at scaremongering. However, this is far from the case. Building industry clients are increasingly becoming aware of how their brand is exposed in an all-connected, always-on digital age. They are looking at build environments as critical “defence points” for their overall service offerings and strategic objectives. Increasingly, they are looking to designers and engineers to factor these concerns into their service offerings and solution submissions.
The next generation of cyber professional – the need for a new approach
Key to meeting smart building cyber challenges is a willingness from key players within the smart technology sectors to consider the cyber security issues that will inevitably impact upon their design decisions and solution offerings.
The first step is consideration: an acknowledgment that we are no longer working simply with bricks and mortar. Our buildings are information hubs, data collection points, interfaces to the human experience, representatives of who we are, and of what we consider constitutes a modern, progressive society. With these design objectives comes a great deal of responsibility to protect and safeguard the wellbeing of the community. This ranges from maintaining end user trust at all levels of service engagement to ensuring privacy is acknowledged not only as a legislative requirement, but seen as an individual’s human right and protected accordingly.
The next all-important step is fit-for-purpose cyber security education. The next generation of cyber security professionals will have to face an array of complicated and omnipresent cyber challenges never previously encountered, on an all-reaching, all-encompassing scale. Quite the challenge, one would say.
The fortress-defence, us-and-them model of security management is long gone. Unfortunately, many cyber education courses still think in these terms, and so provide neither a career path for the cyber professional of the future nor the upskilling the industry requires.
When everything is connected and listening, there are no longer any clearly identified demarcation lines. When cost efficiencies and facilitation of service adoption are all about easily accessible and consistent access, you need a new understanding of what effective security means within a smart cities context: a clear understanding of technical risk, business risk, and community standards.
Smart technology strategists are now demanding, and the cyber industry needs to provide, qualified and skilled next-generation cyber professionals who can provide security by design methodologies and practices within smart cities and critical infrastructure. These are cyber professionals who understand the design engineering and development processes of urban development, the implications of converging IT and OT environments, and the evolving legislative requirements on privacy and data handling practices. Effectively, what is required is a new breed of cyber professional.
Cyber education services have been introduced in this area to meet industry requirements. One example is the SCCISP Campus, an educational initiative of the IoT Security Institute (IoTSI), an academic and industry association which provides services to the cyber security community. An example of these services is the IoTSI Smart Cities and Critical Infrastructure Framework, freely downloadable under a Creative Commons Licence.
At the SCCISP Campus, IoT Security certification courses are now being provided to empower the next generation of cyber professionals with the necessary skills and tools to address cyber challenges within a smart technology context. https://sccisp.org
Securing Smart Cities and Critical Infrastructure, from the design phase to build, requires extensive knowledge and preparation. This is a considerable growth sector for the cyber security industry and, although the benefits are substantial, a broader and more encompassing collaborative approach is required. In addition to providing the necessary skills for cyber professionals working within this sector, certification provides employers with an assurance that the cyber security resources they have engaged are well equipped for the tasks at hand. Every certified SCCISP can be validated via the SCCISP Register.
The cyber security industry is establishing an evolving presence within the building industry which reflects these cyber security challenges and is a conduit for building cyber safe practices and risk-based mitigation strategies. The future of smart urban planning will usher in an era of creativity, functionality and convenience resulting in unprecedented opportunities. Key to this successful building services evolution will be the assurance that private, public and corporate cyber safety is maintained and protected to community expectations.