Tuesday, April 16, 2024
HomeNewsletterWhat’s Lurking in Your Building’s Cyber Closet?

What’s Lurking in Your Building’s Cyber Closet?

Modern Buildings Drive Convenience and Service

Today’s building infrastructure consists of differentiated interconnected networks of systems that are designed to support and serve a variety of tasks. Domain areas include but are not limited to heating, ventilation, air-conditioning, and air quality management (HVAC-AQ), lighting, security, energy management, personnel presence, broadband networking, and facility systems management. Most or all of these are generally aggregated into a common operations, administration, and management platform called a Building Automation System (BAS). Connected to the BAS are paired systems that provide specialized capabilities. Advanced examples may include digital display technologies such as wirelessly-enabled stanchions, interactive monitors, electronic glass, thermal imaging scanners, regenerative power systems, and Internet of Things (IoT) sensors. It is readily apparent that today’s buildings may be likened to a collage of interlaced digital systems that are integrated into its physical construction materials resembling a vast network node that interfaces to multiple local, regional, and even geographic systems. Enabling applications ostentatiously from cloud-based services drives different capabilities, creating extremely powerful capabilities for building owners, operators, and tenets, depending on their use cases. In this vein, healthcare and hospitality services resemble differentiated services based on the needs of their different stakeholders, prioritizing certain functional areas of a building in different, but more generally, common ways. For example, consider the use case of self-rooming. In a healthcare setting, it empowers the patient to navigate the facility to their designated destination, alerting healthcare workers about their progress. In a hospitality setting, it similarly may be used by patrons to find their designated room, alerting hotel workers about patron preferences and expectations upon arrival.

Better Convenience Drives Intrinsic Challenges to Respond to New Threats

Past and present approaches to building access and service use management focus on the “physical”. Take security, for instance. Best practices include the use of physical barriers and/or end-points combined with localized electronic measures. Examples may include strong security doors, keylocks, key entry systems, (automated) gates, security cameras, and RFID tag systems. More modern BAS systems add to this list building power conditioning, HVAC-AQ, and lighting automation to deal not only with man-made threats, but also untoward events from nature, herself – hurricanes, wildfires, tornadoes, and others.

In a benign environment, absent of malicious intent, such systems work exceedingly well. While BAS adheres to different standards, they are standards nonetheless, and that opens up opportunities for adventurous actors to leverage potential weaknesses and flaws in BAS to extract gains. Simply put, as digital building solution technologies become more sophisticated to support a greater diversity of tenants and their activities, it becomes necessary to pay closer attention to cybersecurity. Many will read of ransomware targeting specific systems – perhaps a hospital system or an individual’s computer. As yourself this: what is a building management owner to do if their connected building is intentionally instructed to rapid cycle its HVAC-AQ system so that it destroys itself? Or face shut down of all power to building elevators, leaving tenants stranded between floors? Or more insidiously, need to address seemingly low-energy efficiencies that have suddenly materialized due to malfeasance in the building’s energy control systems?

Fortuitously, there are cybersecurity solutions that can tackle many of these issues, and newer ones that use Artificial Intelligence (AI) to look at abnormal patterns of behaviors in systems are proving to be quite effective based on emerging findings. However, this is only part of the solution to the problem.

So, What’s the Harm in an APP, Anyway?

Building owners offer a suite of different tenant mobility services, ranging from near field, to mid field, and far field. A good way to think of it is an alphabet soup of wireless services including Blue Tooth Low Energy (BLE), WiFi, and Cellular. Each may provide a pathway for an unscrupulous actor to execute malicious behaviors and abhorrent policy controls on select individual, group, or BAS infrastructure depending upon how each of these are architected and managed. How might an APP on a smartphone potentially impact a logically and physically independent BAS? It is not as hard as one may believe.

Consider current media news reports about APPs from certain parts of the world that were allegedly collecting user information, and then sending that information elsewhere. The convenience of APP-based interfaces to BAS by tenants and/or property managers requires special scrutiny. Furthermore, such unauthorized sharing of information can be detrimental merely on a relational basis. Such APPs can be weaponized as probes to effect harm to privacy, security, as well as confidentiality of tenant activities. For example, identification of patrons who may possibly be high-value targets. Electronic warfare by using innocuous IoT sensors to identify private activities and drawing related inferences (re-constructing speech from window vibrations and occupancy sensors), and so forth. Suppose a building owner requires that its regular patron use an APP to prove their identity: how do they know that the patron’s hosting device is free from such spyware? Or, that the digital stanchion in the lobby that collects and counts people walking by, and that is controlled by a licensed 3rd-party operator isn’t sending information somewhere else without that operator’s knowledge? Or even more pointedly, that an interactive stanchion provides digital content without being co-opted with suggestive messaging for alternative means.

Keeping Apace of Bandits

High-level technology giants have acknowledged that unauthorized activities in APPs is a growing societal problem, and they are undertaking strenuous efforts to combat these issues. Beyond today’s quarantine (i.e., self-distancing) requirements and other “return to work” initiatives, it is crucial that building owners understand the critical importance of creating a digital work environment that is secure and private for not only their interests – building infrastructure – but also for that of their clients. Simply put, AI-run systems that gather sensory information and core analytics from BAS, APPs, patron facial recognition system, and IoT (especially those associated with behaviors) has the potential for bandits to conduct mass surveillance and effect willful damage. In an era of digital activities, the stakes are high, indeed.

The Balancing Act

Delivering a modern experience for building patrons and using digital systems to create a trusted and secure environment are solid strategies for today’s building owners and operators. Both begin with understanding cybersecurity choices and governing activities around facility utilization and access, including how to address possible incursions from unwitting agents via device APPs and/or remote IoT sensors. It is no longer sufficient to use arcane locks and their digital analogs such as digital “turn-styles”. Fortuitously, AI-based BAS is able to identify and provide a control-tower perspective of building activities from various persons. Additionally, there are specialized techniques to harden critical building infrastructure, and specialized organizations can provide monitoring services to address up-front business challenges associated with investment in such monitoring systems. The greatest challenge is balancing personal and/or tenant choices as it relates to the use and distribution of APPs, for example, vs. access to building resources and/or use of building sensors. The reality is that there is no “cookie-cutter” approach, and while a property management firm may request that patrons use only certain permissioned APPs when on-premises, that is not something that is likely to realistically succeed. With growing use of augmented reality (AR) systems and demand side pressures for high-performing networks (think, 5G), taking a measured approach grounded in cybersecurity best practices is not only reasonable, but prudent. This calls for a new role in 21st-Century property management: that of a Chief Cybersecurity Officer.

- Advertisement -
- Advertisment -spot_img

Industry News

- Advertisement -