By multiple accounts, it’s become apparent that cyber-crime pays.

From fiscal year 2011 to fiscal year 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 incidents to 243 incidents, a 74 per cent jump.

One international law enforcement agency estimates that victims of these threats lose about $400 billion each year, making it a bigger criminal enterprise than the global trade in marijuana, cocaine, and heroin combined. Another report reaches the same conclusion, estimating that the cost of malicious cyber activity worldwide is anywhere from $300 billion to $1 trillion.

Fortunately, there are vast possibilities available to those who adopt new smart-building technologies. From healthier and more productive workplaces to easier multi-site management and measureable cost-savings delivered through various efficiencies, the benefits are numerous.

Given the conflicting issues of risk and reward, it’s worth having an honest conversation about cyber threats to building management systems and how to mitigate them so that our build environment can reap the rewards of modern technology without a downside.

Recognising new threat vectors

The recent convergence of informational technology (IT) and operational technology (OT) – the software and hardware of our buildings – has delivered incredible advancements in efficiency, productivity, automation and functionality, such as remote operations, to our built environment.

We see this in building and access control systems, which are computers that monitor and control building systems such as air conditioning, electrical power, electronic card reading, elevators, fire alarms and fire suppression, heating, lighting, ventilation, video surveillance and more.

Industry reports suggest that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. As these systems are increasingly connected to other information systems, and to the internet, within our facilities, we need to be wary of them as new avenues for attack by malicious actors. For an example, as we head into the busiest retail period of the year, consider how these security implications play out in major retail facilities.

In a recent, highly publicised attack against retail giant Target – which has nearly 1,800 department stores across the US – criminals were able to steal 40 million payment card numbers over a 19-day period. This breach occurred because Target had provided an outside HVAC supply company external network access. This then allowed hackers a path from which to launch an attack against more critical systems within the Target network.

Today, there are numerous ways malicious actors can breach an organisations IT/OT systems, including phishing, spear phishing, advance persistent threats (APT), malware, key loggers, USB key drops, Pwnie plugs, and pineapples – representing just some of the more common techniques used.

With so many techniques and now, more avenues of attack to consider, how does the modern enterprise effectively protect themselves?

Applying defence in depth and in breadth for reliable security

To help mitigate risk, first and foremost new builds or plans need to take stock of cyber risk as it’s designed into soon-to-be connected buildings. This will help with proactive security planning and allow experts to manage risk by deploying defences, maintaining ongoing monitoring of those systems for unusual activity and intrusions, and ultimately respond to incidents in a timely manner.

Going further, ‘defence in depth’ is an information security strategy which integrates people, technology, and operations in order to establish penetration barriers across multiple protection layers in support of the critical missions of an organisation. Though normally associated with information technology (IT) security, defence in depth should also be applied to operations technology (OT) systems.

Defence in depth involves the deployment of a multi-layered approach to defence, requiring security implementation across various systems at different levels. An example of this layered protection approach would include the management of risk at various levels, including use of a firewall, IDS, NAC, implementation of permissions, application whitelisting, installation of antivirus software, regularly updated systems, user training to minimise accidental breach, and regular backups to mitigate damage in the event of an attack. By dividing the responsibilities of defence across multiple layers, this system decreases the risk of compromise based on failure at any one point and provides an opportunity to detect the intrusion. In short, if one layer of defence turns out to be inadequate, another layer of defence is in place to prevent full breach.

The challenge for those operating existing buildings is to understand what systems and security measures are already in place, and then how to build and deploy defence in depth strategies with minimal impact on operations.

There’s no question that parts of your cybersecurity defence plans are best left to the experts, but if you’re responsible for the OT, what do you need to do today to help protect your building? Let’s start with the basics:

User control and passwords

Enforce strict user and password control. Only the people that need user access to systems should have it, and they should only have access to the functions they need. No passwords should be left as a default setting and passwords should not be easily guessed.

Patches and updates

Breaches often exploit a known vulnerability. Keeping your operating system patched repels these attacks. Anti-virus software and anti-malware should be installed and regularly updated.

External connections

Your external connections should be limited, firewall protected, pass through a DMZ and implemented with dual factor authentication. A regular review to close open ports or remove unneeded services should be conducted.


Buildings are predictable in their operation, so changes in patterns are easy to spot. Monitoring data networks to detect unusual activity allows you to identify, and then quickly deal with an attack or breach.

Application whitelisting

Run only programs that are needed to support the building systems. Preventing other software from running will stop malware from taking control of the building systems, allowing attackers to get a foothold in your system.

Incident response

Have a plan in case something goes wrong. You’ll turn to your IT experts to contain the IT breach, but you need a plan to restore services to the building. The plan needs to be tested, and your team need to be comfortable and practised in implementing it.


Cybercriminals know the easiest way to attack a system is to get a legitimate user to do it for them. Social engineering cybercriminals employ tricks such as phishing emails, sharing clickbait links that lead to scams or malware, or simply leaving an infected USB drive lying around in the hope that someone plugs it in. Ongoing training of staff and subcontractors is needed.

The work involved in maintaining robust defence in depth is ongoing. As attacks become more common and more sophisticated, systems and processes need to be continually reviewed. Vigilance and due diligence should include a disciplined maintenance of building systems with the latest updates. Training of end users, employees and subcontractors should occur on a regular basis. Ultimately, this investment reduces the risk of incidents that could result in loss of equipment functionality, revenue or reputation.