Avoidance is not an option to prevent cyber threats in smart buildings

While IoT and the convergence of operational and IT technology have fundamentally changed the built environment, they also bring exposure to susceptibilities and cyber threats, and the need for an interoperable IoT network and a secure framework.


All cyber security issues come back to risk management. The cyber security risk landscape is evolving to the point that risks once considered unlikely now occur regularly, and we cannot be confident that all critical systems, such as smart buildings, will work under attack from a sophisticated and well-resourced opponent. Despite the fact that organizations have made significant security improvements, they have not kept pace with today's determined adversaries.

Currently, smart buildings are increasingly enabled by the Internet of Things (IoT) and made functional by the ongoing convergence of operational technology (OT) systems and information technology (IT) systems in buildings. This has fundamentally changed how built environments are used and operated, and has thrown open an otherwise closed-loop building architecture into one that necessitates open access and control by many operators and service providers. This fundamental change also exposes buildings and all associated with them to susceptibilities and risks of cyber threats, and brings a growing security need to support this area.

It is obvious that a new approach is required: engineering in information and cyber security, driven by knowledge of vulnerabilities, threats, assets, potential attack impacts, and the motives and targets of potential adversaries. The traditional reactive approach to information security strategy is no longer effective, nor is it defensible.

IoT technology has outpaced the ability of IoT policy, legal, and regulatory structures to adapt, leaving no clear security framework to follow. This has led most companies and manufacturers to take their own approach when designing IoT devices, causing interoperability issues in the integrated network of a smart building.

To tackle these issues, the following are required:

• harmonization of IoT security regulations,
• awareness of the need for IoT cybersecurity,
• consensus on interoperability across the IoT ecosystem,
• secure IoT product lifecycle management,
• liability among IoT stakeholders,
• avoidance of functionality that comes at the expense of security controls, and
• use of security design principles to form the foundation for engineering in trustworthy, secure smart building systems.

Hence, we can see that avoidance is not an option. Setting up satisfactory security controls for smart buildings is a system-level design problem, and it requires a combination of hardware, software, communications, physical, personnel, and administrative safeguards for comprehensive security.

Tapio Frantti

Lead Cyber Security Consultant, Netox Oy