Last week we covered latest developments for business cyber management– namely the long-awaited release of the Federal government’s Cyber Security Strategy 2023-2030, and ASIC’s stark warning over business’s alarming lack of adequate cyber defence strategies and systems at a time when data breaches have risen 23% in the previous financial year alone. This week we examine the rapidly increasing cybersecurity challenges for CRE stakeholders posed by smart buildings.

Imagine sitting in your office when suddenly your computer screen goes black, the air conditioning and lights fail, and when you run to leave, the elevators and doors won’t operate. Not that we want to put you off returning to work as the New Year gets underway, but this movie-like scenario is now a real-life possibility in real life as more of us find ourselves working in the ultra-modern surrounds of technologically advanced smart buildings.

A growing threat

In the past, the number of cyberattacks on commercial property sectors were on the low side and generally restricted to phishing and malware attacks.

But smart, or intelligent, buildings as they are known, have reversed that situation for good.

Why? Because these technologically advanced structures present rich pickings for cybercriminals. Also known as bad or threat actors, these criminals both relish the challenge to illegally shut down a smart building and then follow through with demands for hefty ransom sums in return for control. With the number of smart buildings increasing up to 30% globally per annum, the desire to avoid such nightmarish situations is forcing landlords, building managers and tenants to prioritise smart building cybersecurity management.

Danger Central

Smart buildings are run by Intelligent Building Management Systems (IBMS). While there are many different types of IBMS, they all provide the same function, acting as the central decision point to which all building data and information flows for processing and analysis. IBMS then automatically adjust a building’s devices for optimal performance in every area from operational requirements to tenant working environments.

But these timesaving technologically advanced systems have quickly become a double-edged sword. On one hand, IBMS provide a raft of cost-saving benefits, their popularity for occupiers and landlords alike driven by the ease with which they deliver greater energy-efficiency, less maintenance, and such employee-pleasing factors as perfect indoor temperatures, air quality and lighting.

Yet for a cybercriminal this capability is a goose holding an enormously tempting golden egg. An IBMS stores vast amounts of critical and sensitive information linking multiple systems and devices. These range from scanners, movement sensors, energy management systems, HVAC control, access controls, smart lighting products, Wi-Fi networks, wireless peripherals, card-key access mechanisms, power supplies and more, all of which are used to analyse movements, occupancy, and system functionality. Control of this centralised system is what cybercriminals desire. As one cybersecurity expert says, “Smart buildings are giant IoT (Internet of Things) devices begging to get hacked.”

The trouble is, they already are: a client survey by global cybersecurity provider Kaspersky found almost four in 10 - or close to 39 per cent - of 40,000 smart buildings using its software had been hit by malicious cyber-attacks. Almost all these attacks aimed to infect the computers running the smart buildings’ automation systems to gain control.

How to beef up security

This looming vulnerability has created a growing market for enhancing smart building cybersecurity via a combination of advanced encryption, cloud-based solutions, artificial intelligence (AI), machine learning (ML) algorithms. The goal is to achieve real-time threat detection and response to increase the speed of identifying, then mitigating, potential cyber-attacks on a smart building. As John McDonagh, Engineering Operations Director of CBRE Property Management points out, “Cybersecurity threats interrupt everything related to that building. In addition to shutting down building hardware such as water supplies and elevators, hackers can manipulate systems to create emergency scenarios.”

CBRE advises that the first step in creating a robust smart building cybersecurity plan is performing a thorough audit and assessment of all systems and creating an inventory of all systems and technologies to compile an asset register. Without an asset register, it is “extremely difficult” to secure any property and mitigate intrusions, CBRE warns. “Building an asset register… is a bare minimum requirement for commercial real estate landlords,” says Nick Wright, CBRE Property Management Global Head of Digital Solutions.

Other measures strongly advised by CBRE experts include creating regular scheduled testing and risk assessments of all smart systems; developing solid plans for addressing when to replace older hardware and software especially when older legacy devices are in use; and raising awareness company-wide of cybersecurity risks by providing education and training around best practice for every employee and manager.

Future shock

But wait, there’s more: the complexity of providing cybersecurity in smart buildings is only set to rise. This will be largely driven by companies mandating stricter corporate governance policies and reporting requirements due to ASIC’s increased scrutiny and very real threat of enforcing heavy financial penalties - potentially running into the millions of dollars - for failure to adequately protect against data breaches. CBRE warns landlords will also need to listen and act on the needs of their various tenants. “With some tenants wishing to capture and store data in the cloud and others wanting to do so on networks they control, this will increase challenges on landlords such as requiring them to provide separate networks and Wi-Fi signals within individual buildings,” Mr Wright says.