Introduction

Buildings such as office blocks and sports stadiums are becoming more intelligent. According to an IET briefing [1] there is no agreed definition of an intelligent building, but the common theme is the integration of technologies. This integration blurs the boundaries between building owners, operators and occupiers: one example is where the same RFID tokens used for building access also release documents from communal printers.

The IET briefing identifies four groups of technologies that may be integrated:

  • Infrastructure: sensors, cabling, the IP network, WiFi, RFID, plant rooms and server rooms.
  • Building systems: also known as Industrial Control Systems (ICS). This group includes HVAC controls, access control, lighting control, fire alarms, water management and stand-by generators.
  • Information and Communications Technology (ICT) systems: office automation (email and internet), multimedia (voice, video), telephony and IP-based applications such as RFID tracking of assets.
  • Business systems: this final group is only relevant where it is integrated with building systems, as in supply chain management. Business systems include Enterprise Resource Planning, Customer Relationship Management, integrated command-and-control centres and integrated helpdesks.

Threats to Business

Intelligent buildings pose threats to businesses that may not have been accounted for in existing risk assessments. The systems within a building span several businesses (owner, operator and occupiers), so existing policies and contracts may need to be modified to reflect who is responsible for, and who may change, each system.

Increased integration and sophistication does not just threaten IT equipment: ICS attacks impact the physical world. The best-known ICS attack is Stuxnet, malware used to physically damage centrifuges in Iran [2]. On a lesser scale it is feasible that an ICS attack could lower the temperature in an office or interfere with a building's access system. Several jurisdictions have laws defining acceptable working temperatures for employees; for example, many workplaces in Ontario shall not be colder than 18 °C [3]. An ICS attack on a building's access system could lock employees out of the office, or perhaps worse, could leave the office doors open after the staff have gone home.

ICS vs IT

According to the US National Institute of Standards and Technology's guide to ICS security [4]:

Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents... This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems.

A handbook [5] developed with the support of the Air Force Joint Test Program Office identifies several differences between ICS and ICT:

  • ICS allow the physical world to be impacted.
  • ICS are linked to systems such as power, lighting and heating, so downtime is more significant than for IT systems.
  • IT tends to turn over in three years or less, while ICS can be on a 20-year cycle. The long refresh cycle of ICS results in hardware, software and operating systems that are no longer supported by vendors. The impacts of this lack of support include:
    • woefully stale malware detection programs,
    • operating systems that cannot run newer (and more efficient/effective) software, and
    • hardware that may be on the verge of catastrophic failure with no backup or failover equipment available.
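The NIST observation above (IP-connected ICS with less isolation from the outside world) and the handbook's three consequences of the long ICS refresh cycle translate directly into checks that can be run over a building-systems asset inventory. The following is an added example, not code from the IET briefing, NIST SP 800-82 or the DoD handbook: it walks a constructed inventory of hypothetical hosts (names, addresses, dates and support status are all assumptions) and flags ICS assets whose operating system is past vendor support, whose malware detection is missing or stale, which have no spare hardware, or which sit on the same IP subnet as ordinary IT hosts. The assessment date and the 30-day signature-age threshold are assumptions as well.

```python
from datetime import date
import ipaddress

# Constructed sample inventory: hypothetical hosts, addresses and dates,
# not taken from the page or from any real building.
# av_expected is False for devices (e.g. a PLC) that cannot run host-based
# malware detection, so their missing signatures are not counted as a finding.
INVENTORY = [
    {"name": "bms-server-01", "kind": "ICS", "os": "Windows Server 2003",
     "os_support_end": date(2015, 7, 14), "av_expected": True,
     "av_signatures": date(2014, 11, 3), "ip": "10.20.5.10/24",
     "spare_available": False},
    {"name": "hvac-plc-03", "kind": "ICS", "os": "vendor firmware 2.1",
     "os_support_end": None, "av_expected": False,
     "av_signatures": None, "ip": "10.20.5.31/24",
     "spare_available": True},
    {"name": "door-ctrl-02", "kind": "ICS", "os": "Linux 2.6 (vendor build)",
     "os_support_end": date(2012, 8, 1), "av_expected": True,
     "av_signatures": None, "ip": "10.20.7.12/24",
     "spare_available": False},
    {"name": "fin-ws-117", "kind": "IT", "os": "Windows 10",
     "os_support_end": date(2025, 10, 14), "av_expected": True,
     "av_signatures": date(2019, 6, 20), "ip": "10.20.5.117/24",
     "spare_available": True},
    {"name": "mail-01", "kind": "IT", "os": "Ubuntu 18.04",
     "os_support_end": date(2023, 5, 31), "av_expected": True,
     "av_signatures": date(2019, 6, 21), "ip": "10.20.9.5/24",
     "spare_available": True},
]

TODAY = date(2019, 6, 21)  # assumed assessment date


def assess(inventory, today=TODAY, max_signature_age_days=30):
    """Return (host name, issue) pairs for every check an asset fails.

    The four issues mirror the concerns in the text: vendor support has
    ended, malware detection is absent or stale, no failover hardware
    exists, and an ICS asset shares a subnet with corporate IT hosts
    (i.e. it is not isolated from the rest of the network).
    """
    findings = []
    # Subnets on which ordinary IT hosts live; an ICS asset on one of these
    # is reachable from every workstation on that segment.
    it_networks = {ipaddress.ip_interface(h["ip"]).network
                   for h in inventory if h["kind"] == "IT"}

    for h in inventory:
        end = h["os_support_end"]
        if end is not None and end < today:
            findings.append((h["name"], "os-out-of-vendor-support"))

        if h["av_expected"]:
            sigs = h["av_signatures"]
            if sigs is None:
                findings.append((h["name"], "no-malware-detection"))
            elif (today - sigs).days > max_signature_age_days:
                findings.append((h["name"], "stale-malware-signatures"))

        if h["kind"] == "ICS":
            if not h["spare_available"]:
                findings.append((h["name"], "no-failover-hardware"))
            if ipaddress.ip_interface(h["ip"]).network in it_networks:
                findings.append((h["name"], "shares-subnet-with-it"))
    return findings


def summarize(findings):
    """Count findings per issue so the report can be prioritised."""
    counts = {}
    for _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY)
    for name, issue in results:
        print(f"{name:15s} {issue}")
    print(summarize(results))
```

Against this inventory the BMS server fails every check, the PLC is flagged only because it shares 10.20.5.0/24 with a finance workstation, and the door controller is out of support with no malware detection and no spare. Running the same checks periodically, with the inventory owned jointly by building operator and occupier, is one way to turn the handbook's generalities into evidence for the contractual and policy review discussed below.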

Comment

Policies may need to be reviewed in light of the increasing integration of technologies in buildings. Contracts may need to account for access to, and modification of, ICS within an occupant's office space. Regulatory issues may arise, such as compliance with privacy legislation. For businesses to assess and react to the risks associated with intelligent buildings, a multi-disciplinary approach may be beneficial: management consultants to evaluate the present situation and recommend changes to current practices, and legal services for any contractual modifications arising from those recommendations. Cyber security insurance may also be obtained. Should a cyber security event occur, both insurance and legal services will likely be required.


1 IET Standards, "Resilience and Cyber Security of Technology in the Built Environment" (2013), online: http://www.cpni.gov.uk/documents/publications/2013/2013063-resilience_cyber_security_technology_built_environment.pdf?epslanguage=en-gb.

2 Emily Chung, “Stuxnet nuclear sabotage malware’s evolution revealed”, CBC (26 Feb 2013), online: http://www.cbc.ca/news/technology/stuxnet-nuclear-sabotage-malware-s-evolution-revealed-1.1401570.

3 Occupational Health and Safety Act, RRO 1990, O Reg 851, s129.

4 Stouffer K, Falco J & Scarfone K, “Guide to Industrial Control Systems (ICS) Security” (June 2011), online: http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf.

5 “Handbook for self-assessing security vulnerabilities & risks of industrial control systems on DOD installations” (19 December 2012).

Author

Scott Widdowson

Expertise

Cybersecurity