As commercial buildings get ‘smarter,’ concerns rise over cybercrime
November 15, 2013, was the day that put cybercrime on the map in the U.S. commercial real estate world. In one of the largest data breaches on record, a team of hackers nabbed payment card records and personal information of nearly 110 million Target store customers worldwide.
The retail giant took a massive hit to its reputation, as well as its pocketbook. (Target reported a gross financial loss of $252 million related to the cybercrime.)
A little-known fact about the Target data breach that came to light months after the crime was how exactly the hackers gained access to the retail giant’s network: through the building systems infrastructure. The perpetrators swiped network credentials from an HVAC contractor who had performed refrigeration and HVAC work at one of the store locations. While the details remain sketchy—especially how an HVAC contractor’s credentials for access to building systems data provided a backdoor into Target’s payment system network—the case highlights the vulnerability of commercial real estate owners.
After years of talking about cyber security, owners and developers are starting to take action, and they’re leaning on their AEC partners for guidance and support. At a recent BD+C-hosted AEC industry roundtable in Chicago, several architects mentioned that cyber security is now a top concern of more than one of their major clients.
As buildings become “smarter” and increasingly connected—through advanced systems controls, communications protocols, building automation platforms, networked tenant devices, and Internet of Things technology—opportunistic hackers have countless avenues into a building’s network, to gain access to critical data or even take control of a building’s systems.
The number of installed IP-enabled, management-level HVAC controllers is expected to grow by 26% to 1.1 million worldwide by 2018. The vast majority of these systems—as much as 95%, according to building cyber security firm Intelligent Buildings—have insecure connections to the Internet. Two-thirds of controls vendors have remote access to clients’ building systems, and 92% of building systems computers are running outdated, insecure, or un-patched software. Most alarming: 40% of building control and monitoring systems have a potential backdoor to the corporate network, according to Intelligent Buildings data.
To date, there have been several confirmed and unconfirmed attacks on building systems, according to Fred Gordy, Intelligent Buildings’ Director of Cyber Security. They range from relatively innocuous cases (“lights have mysteriously turned off during entertainment and sporting events”) to potentially deadly episodes (“a German steel mill control system was hacked, and the alarms and operator overrides were disabled, resulting in a meltdown that poured molten steel in the building”). One confirmed case involved a hacker breaking into a generator control system and programming the generator to destroy itself. (Gordy says generators are especially easy targets because they are externally exposed and rarely under surveillance.)
If your clients haven’t yet reached out to inquire about cyber security, chances are it will happen soon, so you need to be prepared. Deloitte’s 2015 white paper on the topic is a good place to start.