Cyber threats to building automation and control systems
This article originally appeared as a BSRIA blog post Should Building Managers worry about scary movies? written by BSRIA's Henry Lawson and published in January 2015.
Building managers thinking of films to see this winter may give some thought to a previously little known comedy largely set in North Korea.
The successful cyber-attacks on Sony, one of the world's best known corporations, and which lives and breathes digital technology, resulted in the release of reams of sensitive information, and led Sony to delay the opening of the film. All this may on the face of it have little to do with the nuts and bolts of building automation, but it does fire another warning shot across the industry's bows.
We have known for some time that buildings are vulnerable to cyber-attack. Not only can they be major targets in themselves, but they often offer an easy “back door” into an organisation's wider IT network. The successful attack on Target stores in the USA gained access via the company's HVAC system which in turn allowed them into the more lucrative customer data records. BSRIA research shows that, in the USA for example, over 90% of all larger buildings (i.e. those with more than half a million square feet of space – or c. 50,000 m2) have some kind of building automation and control system (BACS), and many are to some degree at risk.
What is striking is that in so many successful attacks on buildings or infrastructure the problem had less to do with the cyber-protection systems in place than with the way in which they were being maintained and operated. At Target, alerts were generated but not acted on until after much of the damage was done. The earlier attack on Google's Australian offices in Sydney were linked to the fact that an older version of the Tridium platform was still in use.
Many organisations lack effective processes and procedures, which in turn is linked to the fact that, even within the same organisation, building services and IT tend still to work in separate, parallel worlds.
All of this is compounded by the fact that BACS systems increasingly have at least one foot in the Cloud, and often several. Almost all major suppliers of BACS and Building Energy Management Systems (BEMS) offer at least the option of cloud based analytics, and the ability to access and manage multiple buildings remotely is seen as almost a “must-have” – outside of industries which have traditionally been hypersensitive about security. The cloud brings huge technical, social and financial benefits, but also greatly increases risk, as does the general spread of IT based functionality through buildings and devices, a process that the 'internet of things' is set to expand exponentially.
Major suppliers of BACS systems are talking publically about ways of addressing the challenge, and companies like Lynxspring are establishing a reputation in this area. In the UK the Institute of Engineering and Technology (IET) issued a Code of Practice for Cyber Security in the Built Environment in November 2014.
Cyber-attacks tend to be motivated by political, ideological, or financial motives, or by a combination of mischief and malice. On all these scores, major buildings remain vulnerable especially when they are associated with prominent organisations, whether private or public.
In BSRIA's market briefing Threats / Opportunities for Building Automation Systems, we look further at the cyber threat and what is being done to counter it. The study also looks at other major trends that are changing the profile and prospects of building automation. These include the development of more intelligent HVAC systems, (whether Direct Expansion or VRF based), the growth of 'smart homes' solutions which are also snapping at the heels of the BACS market at the “lower end” of commercial buildings, the growing importance of building analytics and big data, and the rise of potential new global players, especially in countries like China and India.
We will be following these and other emerging trends. It should be as exciting anything that Hollywood has to offer, for rest assured: The cyber threat (and much else) is coming to a building near you soon.
--BSRIA
[edit] Related articles on Designing Buildings
- Artificial intelligence.
- Big data.
- Building Automation and Control System BACS.
- Building energy efficiency - is building automation the answer?
- Building energy management systems.
- Building energy management systems (BEMS) for data centres.
- Building management systems.
- Building Services Analytics - BG 75 2018.
- Commercial building automation market.
- Critical infrastructure is more vulnerable than ever. It doesn’t have to be that way.
- Cyber-security and phishing.
- Cyber security and engineering.
- Energy management and building controls.
- Engineering resilience to human threats.
- HVAC.
- Infrastructure and cyber attacks.
- Internet of things.
- Mitigating online risk.
- PAS 1192-5:2015 Specification for security-minded building information modelling, digital built environments and smart asset management.
- Security consultant.
- Smart buildings.
- Smart technology.
- UK organisations encouraged to review cyber security in response to situation in and around Ukraine.
[edit] External references
- Tech Crunch, Smart Building Technologies Could Expose Companies To A New Breed Of Cyber Attack. . 2014
- The Institute of Engineering and Technology (IET), Code of Practice for Cyber Security in the Built Environment. 2014
- BIM+_Cyber security threats trigger need for new PAS 1192-5, 12 November 2014.
- Threats / Opportunities for Building Automation Systems.
Featured articles and news
Deputy editor of AT, Tim Fraser, discusses the newly formed society with its current chair, Chris Halligan MCIAT.
Barratt Lo-E passivhaus standard homes planned enmasse
With an initial 728 Lo-E homes across two sites and many more planned for the future.
Government urged to uphold Warm Homes commitment
ECA and industry bodies write to Government concerning its 13.2 billion Warm Homes manifesto commitment.
Places of Worship in Britain and Ireland, 1929-1990. Book review.
The emancipation of women in art.
CIOB Construction Manager of the Year 2025
Just one of the winners at the CIOB Awards 2025.
Call for independent National Grenfell oversight mechanism
MHCLG share findings of Building Safety Inquiry in letter to Secretary of State and Minister for Building Safety.
The Architectural Technology Awards
AT Awards now open for this the sixth decade of CIAT.
50th Golden anniversary ECA Edmundson awards
Deadline for submissions Friday 30 May 2025.
The benefits of precast, off-site foundation systems
Top ten benefits of this notable innovation.
Encouraging individuals to take action saving water at home, work, and in their communities.
Takes a community to support mental health and wellbeing
The why of becoming a Mental Health Instructor explained.
Mental health awareness week 13-18 May
The theme is communities, they can provide a sense of belonging, safety, support in hard times, and a sense purpose.
Mental health support on the rise but workers still struggling
CIOB Understanding Mental Health in the Built Environment 2025 shows.
Design and construction material libraries
Material, sample, product or detail libraries a key component of any architectural design practice.
Construction Products Reform Green Paper and Consultation
Still time to respond as consultation closes on 21 May 2025.
Resilient façade systems for smog reduction in Shanghai
A technical approach using computer simulation and analysis of solar radiation, wind patterns, and ventilation.
Comments