7 ways to boost cyber resilience in the smart building industry

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Henning Sandfort, Chief Executive Officer, Building Products, Smart Infrastructure, Siemens AG & Alina Matyukhina, Cybersecurity Manager, Smart Infrastructure, Siemens AG

• Smart buildings are an important tool in bringing down energy consumption.
• The technology smart buildings use is vulnerable to cybercrime, so the sector needs to improve its cybersecurity.
• This involves getting processes in place to ensure that cybersecurity is a priority throughout the lifecycle of all the products used in smart buildings.

In order to deal with problems such as increased population and climate change, we will need smart infrastructure that operates efficiently and saves energy. In the European Union, for example, 40% of energy consumption is attributable to existing buildings. Smart buildings offer one way to bring consumption levels down, but in order to do this the sector needs to improve its cybersecurity.

A smart building uses automated processes to control operations such as heating, ventilation, air conditioning, lighting and security. Many smart buildings rely on Internet of Things (IoT) technology, which means they have sensors to collect data and software to manage it in order to minimize energy use and environmental impact.The demand for this building type will increase significantly in the coming years. According to recent studies, the global smart building market is forecasted to grow to $127.09 billion by 2027, with a compound annual growth rate of 12.5%.

The sector must address the security challenges presented by smart buildings. Studies have shown that 57% of IoT devices are vulnerable to medium or high-severity attacks. Cyberattacks have already harmed several businesses, including critical infrastructure such as hospitals, data centers, and hotels.

To protect against cybercrime, smart building companies should follow the following 7 principles.

1) Governance

Companies need adequate security know-how. They need to be clear about roles and responsibilities in this area, and to develop a clear set of security messages about how incidents should be dealt with. Each team should ensure that its product, solution, or service has adequate built-in cybersecurity. Companies need to support customers in maintaining cybersecurity over the entire lifecycle of the product or building.

2) Secure supply chain

Companies should require partners throughout the supply chain to meet reasonable levels of security before establishing business agreements. They should integrate their security requirements into their terms and conditions and assess suppliers to find potential protection leaks. They also need a process to identify and manage the security risks of all externally sourced components. This can be done using an automated tool to monitor and track vulnerabilities.

3) Cybersecurity in product development

Companies should include cybersecurity in the initial design of products. This process could start with defining a cybersecurity target for each product based on market needs. It is more cost-effective to address security early in the lifecycle of a product, than it is to fix problems later on.

Security experts should perform threat and risk assessments throughout the lifecycle of the product, in order to identify and mitigate potential risks. This should start early in the product development process and should be repeated for every significant update. Before releasing a new product, companies should ask independent third-party organizations to test it for potential vulnerabilities.

4) Internal and external cybersecurity awareness

People are at the heart of a successful and effective cybersecurity strategy. Investing in continuous training and awareness will help safeguard organizations against cyberattacks. Employees who are involved in security-related processes should be adequately trained, and there should be clear guidance about who to contact with internal questions or problems.

Companies in the smart building sector also need to share information and work together to keep each other updated of new threats as well as best practices.

5) Vulnerability and incident handling

Any suspected incident should be treated as real until proven to be a false alarm. Every company needs a guide setting out how security incidents should be resolved in a timely manner. They must ensure that they’ve done everything possible to mitigate the risk of a breach.

It is vital that companies are transparent about incidents, informing customers and other required stakeholders when they find vulnerabilities. In the event of a problem, corporate communications are as important as fixing the technical defect, because cyberattacks may damage a business’ reputation and erode the customer’s trust.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

6) Risk-based asset management

The development environment of the product is one of the most critical assets of a company and needs to be protected. It is important to ensure that the product has not been altered or disclosed in any way during the development process. For example, a developer may unintentionally download a malicious program which could lead to an infection being distributed as part of a product. It is vital to perform the asset classification as well as protection and to repeat it on a regular basis. Critical assets should be identified and classified, and protection measures defined for each asset.

7) Compliance with cybersecurity standards

Owners need to comply with latest cybersecurity regulations and make cybersecurity a part of tender specifications. There are three key cybersecurity standards for the smart building industry: two international (IEC 62443, ISO 27001) and one EU-level (European NIS Directive). Building operators benefit from the precise definition of requirements, the implementation of standardized processes and from the availability of documentation related to each respective standard. Nevertheless, no supplier can create IT security alone: building operators, system integrators, planners and owners are a crucial part of it.