Smart buildings consist of computer control system networks supported by IoT devices. We discuss the potential areas of risk that these systems may face and the related considerations.
Risk Partner, Marsh Advisory UK, Consulting Solutions
The connectivity of people, workplaces and assets is becoming more commonplace in today’s society. Smart buildings and intelligent buildings consist of “computer control system networks” supported by Internet of Things (IoT) devices, such as sensors and actuators. These devices connect to, manage, or oversee standalone building automation systems for elevators; heating, ventilation, and air-conditioning (HVAC); access control; security; fire protection; and lighting. In some instances, they control these various building systems directly.
Data from these sensors can be used to provide a holistic overview of the building usage in various areas at different times of the day, month, and season, ultimately optimising energy usage and operational efficiency.
Aside from energy efficiency, there are a number of factors driving the growing automation of the building environment. These include providing insights and analytics on usage (by whom, when, and how much), improving building resource utilisation and preventative maintenance, minimising operational costs, and improving tenants’ wellbeing and satisfaction, making the property more desirable.
Furthermore, with growing emphasis on sustainability, smart buildings directly support an organisation’s climate and environmental, social and governance (ESG) initiatives and goals.
Currently, over half of the world’s cities have a smart city roadmap. While, according to McKinsey, buildings produce 6% of global emissions, a smarter building can contribute to a smart city’s goal of reducing its carbon footprint. This would improve energy efficiency and enhance citizens’ lifestyles, as well as support an organisation’s ESG initiatives and goals.
Like any new and emerging technology, additional risk considerations need to be identified and assessed. Cisco states that by 2025, more than 75% of new construction will be smart or intelligent buildings; this does not include the current building stock already fitted with these technologies. Hence, the risk of cyber security breaches of connected control system infrastructure is a very real area of concern.
Consider the example in November 2016 where two buildings in Lappeenranta, Finland, lost heating for at least two days. This was due to a Distributed Denial of Service (DDoS) attack, which disabled the computers that were controlling heating in the buildings. In Germany in October 2021, a building-automation engineering firm also experienced a cyberattack. It locked them out of the system and rendered three-quarters of several hundred devices in the building non-operational, affecting the lighting, motion detectors, and window shutter controllers. The office building devices were restored after weeks of resorting to manual controls. The hackers had infiltrated the building automation system (BAS) through an unsecured User Datagram Protocol (UDP) port on the public internet.
According to Kaspersky’s 2019 report, almost 40% of the computer systems used to control smart buildings were subject to some form of malicious attack in the first half of 2019. In most cases, computers that control BAS were compromised.
There are some building automation standards, such as KNX, LonWorks, and BACnet. BACnet, first introduced in 1995 and established as an international ISO standard in 2003, is a highly utilised standard for smart building system design, with more than 60% market share of the building automation system sector. KNX and LonWorks are open standards for smart building protocols permitting control of various building elements.
However, these building automation standards and protocols were developed without security in mind. KNX, for example, recognised this issue and, in 2021, released their KNX Secure initiative. This includes a security checklist, a guide for manufacturers and installers, and a product security certification process that includes AES-128 encryption. The BACnet standard was amended to BACnet Secure Connect (BACnet/SC) in 2020 to include device authentication (using X.509 certificates, a widely accepted international security standard, and public key infrastructure (PKI), a cybersecurity and encryption framework that protects data transmissions), encrypted communications (based on TLS 1.3), and the WebSockets protocol using secure TCP for Internet interaction.
Some areas of risk and issues with these building control systems include the following:
Furthermore, an additional area of consideration for property owners is regulatory change for public protection against the risks associated with such technologies. Regulations that carry penalties for non-compliance include the UK Government’s 2021 Product Security and Telecommunications Infrastructure (PSTI) Bill, intended to better protect consumer IoT devices from hackers; the 2020 California IoT Bill; the European Union’s General Data Protection Regulation (GDPR); and the UK General Data Protection Regulation (UK GDPR), to name but a few.
So, what are the considerations for a property or building owner with regard to their building control system?
Due to the rapidly changing technology environment, coupled with the rapid adoption of BAS technologies, organisations should consult with their advisers during the design of a construction project that uses a BAS. This could ensure that cyber security risk controls have been identified and implemented. Property owners with BAS control systems already installed should review the current architecture, identify the potential risks to be mitigated, and create a roadmap to get there.