Is your Building Protected from Cyber Threats?

September 28, 2021

Cyber security incidents reported against both government and private organisations continue to increase in both frequency and severity. 

State-sponsored actors and criminals are attempting to exploit businesses by accessing sensitive information through increasingly sophisticated techniques.

“Intelligent” Buildings are frequently connected to the Internet to enable operators to take advantage of key benefits such as remote monitoring, management and analytics.

Building Services Technology platforms often provide entry points to other critical inter-connected business systems for these malicious actors.

Figure 1: Cyber security incidents, by sector (1 July 2019 to 30 June 2020)

What are the Key Threats to Building Owners?

The entry point into a building ecosystem is frequently not the end target of a cyber-attack.

  • Building Services Technologies and networks are often less scrutinised from a security perspective than other business technologies.
  • Building Services Technologies and networks are considered “soft touch” entry points into building ecosystems.
  • With the uptake of converged networks combining multiple building services onto a single network, the implications increase, as multiple systems can become compromised in the event of a cyber-attack.

The serious risks associated with insufficient cyber defences in commercial buildings are well understood.

  • Failure or shutdown of building services limiting or restricting their operation
  • Degraded or compromised building security, access control and CCTV
  • Corruption of databases and loss of historical performance data
  • Loss of data used for building performance ratings such as NABERS
  • Potential losses through disruptions to business operations
  • Potential loss of valuable intellectual property (IP)
  • Productivity losses
  • Extortion attempts using ransomware
  • Breaches of privacy and loss of personally identifiable information (PII)
  • Reputational damage

Typical Pitfalls

In the past, Building Services Technologies used protocols that were proprietary in nature. This provided an entry barrier for malicious actors. Emerging technologies have resulted in an increased risk due to:

  • Building Services Technologies are commonly specified to use open hardware, software, and communication protocols.
  • Open protocol solutions frequently contain known vulnerabilities that malicious actors will attempt to exploit.
  • Cyber security of specified systems is not commonly a key consideration during a building’s design phase.
  • Many networks are not designed and/or managed by IT specialists.

Most cyber security incidents involve elements of human error.

  • Human error can reduce the effectiveness of otherwise sound security protocols and lower the technical abilities required to access Intelligent Buildings.
  • Insufficient password protection is frequently seen in Intelligent Buildings.
  • Cyber security is frequently sacrificed for operational and administrative convenience.

Entry Points:

Many Building owners and Facility Management staff are unaware of the risks arising from the interconnectivity and remote accessibility of Building Services Technologies.

  • Outdated Operating systems, application software and firmware dramatically increase the likelihood of malicious entry.
  • Poorly configured Remote Access policies are common, where management of these policies is not performed centrally.

Intelligent buildings will have multiple points of entry for malicious actors to attempt to exploit.

  • Remotely accessible HVAC, BMS and Power monitoring systems.
  • Access Control and CCTV systems
  • Energy analytics platforms
  • Third-party applications installed on Servers and Client workstations
  • Incorrectly configured or poorly managed converged Networks
  • Cloud hosted applications connecting into Intelligent building services
  • BYOD policies can allow users to bypass in-place security protocols

How can Building Owners Minimise the Risks of Cyber-Attack?

The consequences of these attacks are ever increasing as information systems become more central to business and society. The incidence and severity of cyber-attacks can be reduced by:

  • Centralising management of IT software and hardware required for Building Services Technologies
  • Centralising ownership and management of networking hardware to encourage the use of converged networks.
  • Conducting periodic security reviews across all Building Services Technologies platforms.
  • Improving baseline security protocols implemented across all Building Services Technologies
  • Enforcing the installation of secure products and services
  • Ensuring that proven disaster recovery procedures are in place and regularly tested for all key systems
  • Making informed purchasing decisions
  • Taking steps to grow the cyber awareness skills of the operational staff
  • Engaging specialist external help and support when needed
  • Reporting all cyber-crime to the correct authority

Ensuring your Intelligent Building is secure online is a shared responsibility.


For more information on Building Cyber Threats, please contact:

Wayne Preston
Building Technologies, A.G. Coombs Advisory
P: +61 3 9248 2700 | E: wpreston@agcoombs.com.au

