Search this Site

Balancing “Smart Buildings” and Cyber Security

By Michael Kerwin, RCDD, CCS, DCCA
May 7, 2020

Today’s building technology market messages proclaim the popular refrains of improved energy efficiency, enhanced occupant comfort, and higher worker productivity through “Smart Intelligent Buildings.”  What are the promises, realities, and risks inherent in this direction?

One web search for “Smart Intelligent Buildings” provided over 37 million results in under a second.  The promises include, “harnessing the power of data to improve building operations 1,” enhance experience, increase productivity, lower costs and reduce risks for new buildings 2,” “smart building technologies today enable more intuitive, agile workspaces and put occupants in control. 3.”

Many discussions quickly identify the Internet of Things, (IoT), as the best way to implement this new integration, allowing sensors, systems, and buildings to share data over the internet.  Some advocate the connection of sensors, systems, and devices directly to the cloud, integrating with cloud AI applications.    

Many of us remember feeling shock at the revelation of the 2013 cyber security breach at Target where hackers used the credentials of an HVAC supplier to access the Target network, and then moved across the network to access the Point of Sale system, stealing information from 40 million credit cards and 70 million customers records.

We seem to have become somewhat desensitized to stories of cyber security breaches, but notable 2020 cyber breaches already include Zoom, Marriott, T-Mobile, J.Crew, Carnival Cruise Lines, Walgreens, and MGM.  The frequency and size of current data breaches should cause concern about the highly touted building technology messages recommending the connection of everything to the internet and having cloud applications decide how to set, manage, and control building systems.  Further confusing this discussion, the smart building messages suggest that artificial intelligence, (AI), will do the heavy lifting, analyzing the data and making decisions about building comfort beyond what people seem able to do on their own.

Implementing a smart building IoT solution approach to building system integration and control, without clear IT security governance and input, is extremely risky. Client’s intellectual property, safety, and continuity of operations may all be at risk without proper cyber security and network design.  For example, sensor manufacturers can capture video streams of meetings and analyze them to count the people in a meeting room, providing room occupancy/use data for “space optimization” planning.  There are claims of anonymizing the data locally to prevent personal and meeting related information from escaping, but with recent hacks of video collaboration systems, what assurances of data privacy really exists.

The project design process and team structure do not usually seek or encourage active participation by the client’s IT leadership. IT participation is often limited to sharing requirements for data cabling standards and requesting larger wiring/equipment rooms.  Building systems ranging from lighting control, HVAC systems, security, fire alarm, power systems, are designed with control systems and information sharing, based on historical standards, client/designer preferences, cost factors, and schedule/cost driven requirements.  Discussions of system integration, data analytics, and feedback through system integration are often in response to market-messages and not on client-specific potential benefits.  Project requirements infrequently require cyber security governance in the implementation of these systems.

IT infrastructure and application companies, seeking new markets and revenue streams, are pushing hard for the adoption of IoT solutions which, not surprisingly, require more network cabling, hardware, and systems. The lack of documented relevant client use-cases, and project-specific business risk analysis means that the exposures associated with this data capture and sharing is not being assessed and managed at the right level within client companies.  There are building related systems and information that should not be on the same network segments, should not have data shared, and some that should not be connected to the internet.  The selection of building systems, data automation /integration, and IT governance need to be integrated to ensure client security and safety in an ongoing manner.

Perhaps a new way of thinking about how to leverage building systems information should focus more on selective assessment of actual problems to be solved, conditions to be enhanced, and security to be maintained. Opposed to the exciting, but unfounded, idea of connecting everything to the internet.

1 -

2 -

3 -