7 ways to boost cyber resilience in the smart building industry

In order to deal with problems such as increased population and climate change, we will need smart infrastructure that operates efficiently and saves energy. In the European Union, for example, 40% of energy consumption is attributable to existing buildings. Smart buildings offer one way to bring consumption levels down, but in order to do this the sector needs to improve its cybersecurity.

A smart building uses automated processes to control operations such as heating, ventilation, air conditioning, lighting and security. Many smart buildings rely on Internet of Things (IoT) technology, which means they have sensors to collect data and software to manage it in order to minimize energy use and environmental impact.The demand for this building type will increase significantly in the coming years. According to recent studies, the global smart building market is forecasted to grow to $127.09 billion by 2027, with a compound annual growth rate of 12.5%.

The sector must address the security challenges presented by smart buildings. Studies have shown that 57% of IoT devices are vulnerable to medium or high-severity attacks. Cyberattacks have already harmed several businesses, including critical infrastructure such as hospitals, data centers, and hotels.

To protect against cybercrime, smart building companies should follow the following 7 principles.

1) Governance

Companies need adequate security know-how. They need to be clear about roles and responsibilities in this area, and to develop a clear set of security messages about how incidents should be dealt with. Each team should ensure that its product, solution, or service has adequate built-in cybersecurity. Companies need to support customers in maintaining cybersecurity over the entire lifecycle of the product or building.

2) Secure supply chain

Companies should require partners throughout the supply chain to meet reasonable levels of security before establishing business agreements. They should integrate their security requirements into their terms and conditions and assess suppliers to find potential protection leaks. They also need a process to identify and manage the security risks of all externally sourced components. This can be done using an automated tool to monitor and track vulnerabilities.

3) Cybersecurity in product development

Companies should include cybersecurity in the initial design of products. This process could start with defining a cybersecurity target for each product based on market needs. It is more cost-effective to address security early in the lifecycle of a product, than it is to fix problems later on.

Security experts should perform threat and risk assessments throughout the lifecycle of the product, in order to identify and mitigate potential risks. This should start early in the product development process and should be repeated for every significant update. Before releasing a new product, companies should ask independent third-party organizations to test it for potential vulnerabilities.

4) Internal and external cybersecurity awareness

People are at the heart of a successful and effective cybersecurity strategy. Investing in continuous training and awareness will help safeguard organizations against cyberattacks. Employees who are involved in security-related processes should be adequately trained, and there should be clear guidance about who to contact with internal questions or problems.

Companies in the smart building sector also need to share information and work together to keep each other updated of new threats as well as best practices.

5) Vulnerability and incident handling

Any suspected incident should be treated as real until proven to be a false alarm. Every company needs a guide setting out how security incidents should be resolved in a timely manner. They must ensure that they’ve done everything possible to mitigate the risk of a breach.

It is vital that companies are transparent about incidents, informing customers and other required stakeholders when they find vulnerabilities. In the event of a problem, corporate communications are as important as fixing the technical defect, because cyberattacks may damage a business' reputation and erode the customer's trust.

6) Risk-based asset management

The development environment of the product is one of the most critical assets of a company and needs to be protected. It is important to ensure that the product has not been altered or disclosed in any way during the development process. For example, a developer may unintentionally download a malicious program which could lead to an infection being distributed as part of a product. It is vital to perform the asset classification as well as protection and to repeat it on a regular basis. Critical assets should be identified and classified, and protection measures defined for each asset.

7) Compliance with cybersecurity standards

Owners need to comply with latest cybersecurity regulations and make cybersecurity a part of tender specifications. There are three key cybersecurity standards for the smart building industry: two international (IEC 62443, ISO 27001) and one EU-level (European NIS Directive). Building operators benefit from the precise definition of requirements, the implementation of standardized processes and from the availability of documentation related to each respective standard. Nevertheless, no supplier can create IT security alone: building operators, system integrators, planners and owners are a crucial part of it.

By following these principles, the buildings sector will be able to protect not just its products, but also its economic success. Cybersecurity plays an important role in the manufacturing process and will become an integral part of every future business strategy. As more technology enters the market, we need to ensure the protection of tomorrow’s smart buildings.