Cyber Security Resilience for Critical Building Infrastructure


In 2013, 40 million Target store customers had their credentials stolen when cyber attackers hacked the POS systems via a computer from the popular retailer’s HVAC vendor. While some wondered why an HVAC vendor would have access to Target’s payment system network, those familiar with smart building technology know it’s common for large retailers to have their energy consumption and store temperatures monitored to save on costs, meaning the vendor has access to the network.

As more organizations invest in IoT-enabled energy management solutions, the Target incident serves as a reminder that cyber-attacks still represent a significant risk, which makes building infrastructure cybersecurity more important and valuable than ever.

Can You Trust Your Smart Building?

Over the years, digital transformation has resulted in seismic shifts in technology, including mainframe, client-server, and cloud computing. Today, it can be argued that the most significant change is coming from IoT, or the Internet of Things, which is altering how society experiences the world around it. IoT will be at the center of the smart cities people live in and the smart buildings they occupy. It will also increase the likelihood of cyber-attacks.

Commercial and residential buildings both now use building automation systems to reduce energy consumption and maintenance costs. Safety systems, such as HVAC, lighting, CCTV systems, and fire and security alarms, are used to ensure the well-being of occupants.

IoT applications in smart buildings offer many benefits:

  • Energy and water usage savings.

  • Reduction in costs and carbon footprint.

  • Safer working conditions and security for occupants.

  • Improved customer service levels.

  • Optimization of physical, space, and human resources.

  • Reduced maintenance costs.

All these benefits require increased networking of systems over the internet, which, unfortunately, increases the risk of cyber-attacks. Acknowledging these threats and putting safeguards in place to secure a building’s systems ensures operations run smoothly.

Cyber Protection for All

Experts predict that by 2020 there will be nearly 31 billion IoT devices deployed in buildings and other critical structures. By 2025, that number will grow to over 75 billion. While this smart technology will bring significant comfort and convenience to building occupants, it will also bring more vulnerabilities and attack vectors, exploited by bad guys who use their skills to find devices and probe for vulnerabilities not yet identified or known. For example, hackers who can gain access to a BBMD (BACnet broadcast management device) can now fully command and control a system without needing to crack a username and password.

Other vulnerabilities include:

  • Smart building software and firmware, gateway, and web services exposures.

  • Inconsistent processes for software and firmware patches and updates.

  • Introduction of insecure devices such as CCTV equipment.

  • Lack of sufficient cybersecurity best practice training.

  • Limited or non-existent physical protections to restrict device access.

  • Poor security processes such as default passwords and multiple uses of the same password across systems.

Using a mix of technical and non-technical means, owners, contractors, designers, facility managers, HVAC installers, engineers, architects, and other smart building stakeholders all have a role in making it safe to connect in the era of IoT.

The Bottom Line

Research suggests the IoT will have a significant impact on the building, construction, HVAC, and other related industries. That means we can no longer look at cyber-attacks as being aimed at the company or user level. Instead, the battle must be fought against bad actors who could potentially shut down entire buildings, shopping or living precincts, power grids, a city, or in a worst-case scenario, a country. The good news is that understanding the risks makes it possible to implement measures that protect people and assets.

Matt Witkowski