Virtual Threats That Are All Too Real

Managing the cyber security of buildings will require a coordinated effort among stakeholders in the facilities industry.

By James McHale
From the August 2017 Issue

If the Three Little Pigs lived in a smart building, the big bad wolf would no doubt use a cyber attack to “blow the house down”. Rampant connectivity not only creates an indefensible number of entry points for attackers but can also provide access across building systems, meaning one small blow could bring the house down. The relative ease of mounting an attack means that smart buildings without adequate cyber security might as well be made of sticks and straw.

“Don’t ever question if you will be hacked. You will be hacked,” proclaimed IoTium CEO, Ron Victor, during a recent Memoori webinar, before describing a test anyone can try. “Open up a server on AWS [Amazon Web Services] and just watch. Within two hours, 55,000 people will try and hack into that box for some reason, just because it’s available.”

Through cyber attack, assailants could tamper with HVAC systems, disable lighting, or even unlock doors, creating very real safety and security risks. Cyber attacks are also easier than ever to launch. Powerful hacking software is available freely to anyone with the skills and the will to use it. Even without the skills, malevolent individuals can simply hire mercenary hackers for relatively affordable prices.

Thieves, vigilantes, activists, or even disgruntled employees could use sophisticated software to severely disrupt buildings and enterprises. Despite this, facility managers, operations managers, IT departments, CEOs, and other stakeholders are still struggling to fully understand the nature of this complex and growing threat.

cyber security
(Source: Memoori)

A new report called “Cyber Security in Smart Commercial Buildings 2017 to 2021,” published by Memoori in June 2017, tackles these issues head on, advocating amongst other things a layered approach to security in smart buildings (see image at right).

The report estimates global revenues for smart building cyber security will reach $8.65 billion by 2021, up from an estimated $4.26 billion in 2016, which represents a healthy CAGR of over 15% during the forecast period. The United States represented almost half (47%) of global revenues for cyber security in smart commercial buildings in 2016 with just over $2 billion in annual revenues, and it will continue to dominate the overall picture through 2021.

“The lack of understanding and awareness of the nature of the threat is understandable, given the complex and varied set of cyber-threats we are faced with. The complexity of building, businesses, and IT systems, is often increasing faster than the stakeholders ability to prevent, detect, and respond to cyber attacks,” states the Memoori report.

The “bricks” in this cyber-fairy tale are not well defined. Smart buildings need to protect all assets from a wide variety of attacks, at all times, and keep up with the rapid evolution of cyber threats. Vendors in the cyber security space must strive to create a strong offering and then struggle to represent that service in a confusing and disjointed market.

“For vendors looking to offer products and services in the market, conveying the value proposition of cyber defense investments to decision-makers who lack a proper understanding of the nature of the risks can be challenging.

The market is also still highly fragmented, and many vendors have yet to establish defined propositions, making it hard for them to stand out from the crowd and establish a level of product or brand recognition,” we highlight.

Thankfully, there is a growing trend towards cyber security expertise in the smart building sector. This will have knock on effects; as cyber security takes greater priority in the industry it will also increase in value, lifting the whole sector. As it stands, however, smart building cyber security appears to be well behind in protecting buildings from the wide variety of threats that connectivity brings.

If we are to avoid a world where cyber attacks on smart buildings are commonplace, the issue must become a higher priority for buyers. For that, vendors must strive to excel and educate, while government should create better standards and cyber policing. The fight against escalating cyber crime cannot be won by any one group alone. We may not even be able to win the fight at all, but with a coordinated team effort we might at least manage it.

“As with nearly all these things, the responsibility is shared,” said David Emm, principal security researcher with Kaspersky Lab’s Global Research & Analysis Team, in a recent Memoori interview. “Take the example of a car; we expect car manufacturers to build in safety features. If you buy a car and it doesn’t have side-impact bars or airbags, you would start asking questions. There is also a regulatory requirement for them to include such features. However, there’s also an onus on us; not to drink and drive or drive tired, to understand the road signs and be able to physically control the car.”

The cyber security threat landscape is steadily growing in terms of sophistication, with new means to bypass implemented security measures. As threat actors evolve new tools and techniques to achieve their goals, all stakeholders in the business and the supply chain must work together to better understand the nature of the threat and keep pace with the changing nature of attacks.

cyber securityMcHale is managing director, owner, and founder of Memoori, a consultancy company based in Stockholm, Sweden providing independent market research, business intelligence, and advice on smart building technologies.

Do you have a comment? Share your thoughts in the Comments section below or send an e-mail to the Editor at

A BOMI-accredited session on Facility Management & Technology: A 360 Degree View will be held at the inaugural Facility Executive Live!, a new one-day conference presented by Facility Executive magazine on October 3rd in Chicago. Click here to learn more.