Smart buildings leverage automated processes to control infrastructure such as physical security (e.g. video surveillance and access control), lighting and HVAC. Many smart buildings rely on network-connected devices and other Internet of Things (IoT) technology in which sensors and software collect data to manage these systems.
Facility managers must address the cybersecurity challenges presented by smart buildings. Studies have shown that 57% of IoT devices are vulnerable to medium or high-severity attacks. Cyberattacks across the globe routinely harm businesses and organizations of all types, including critical infrastructure, hospitals, data centers and hotels.
The demand for this building type will increase significantly in the coming years. According to a recent study, the global smart building market is forecast to grow from $80.6 billion in 2022 to $328.6 billion by 2029, exhibiting a compound annual growth rate (CAGR) of 22.2% during the forecast period.
The World Economic Forum (WEF), an international non-governmental and lobbying organization, released the following seven principles that smart building facility managers can leverage to protect against cybercrime.
Governance — Companies need adequate security know-how. They need to be clear about roles and responsibilities in this area, and to develop a clear set of security messages about how incidents should be dealt with. Each team should ensure that its product, solution, or service has adequate built-in cybersecurity. Companies need to support customers in maintaining cybersecurity over the entire lifecycle of the product or building.
Secure supply chain — Companies should require partners throughout the supply chain to meet reasonable levels of security before establishing business agreements. They should integrate their security requirements into their terms and conditions and assess suppliers to find potential protection leaks. They also need a process to identify and manage the security risks of all externally sourced components. This can be done using an automated tool to monitor and track vulnerabilities.
Cybersecurity in product development — Companies should include cybersecurity in the initial design of products. This process could start with defining a cybersecurity target for each product based on market needs. It is more cost-effective to address security early in the lifecycle of a product, than it is to fix problems later on.
Security experts should perform threat and risk assessments throughout the lifecycle of the product, in order to identify and mitigate potential risks. This should start early in the product development process and should be repeated for every significant update. Before releasing a new product, companies should ask independent third-party organizations to test it for potential vulnerabilities.
Internal and external cybersecurity awareness — People are at the heart of a successful and effective cybersecurity strategy. Investing in continuous training and awareness will help safeguard organizations against cyberattacks. Employees who are involved in security-related processes should be adequately trained, and there should be clear guidance about who to contact with internal questions or problems.
Companies in the smart building sector also need to share information and work together to keep each other updated of new threats as well as best practices.
Vulnerability and incident handling — Any suspected incident should be treated as real until proven to be a false alarm. Every company needs a guide setting out how security incidents should be resolved in a timely manner. They must ensure that they’ve done everything possible to mitigate the risk of a breach.
It will be imperative that organizations make it their mission to maintain transparency about cyberattacks. Customers and other key stakeholders must be informed about cyber incidents and vulnerabilities. When an incident is discovered, corporate communications will be vital to resolving the technical exposure while minimizing damage to the organizations’ reputation and customer trust.