Australian developers are nervously watching the outcomes from recent major cyber security breaches on home soil.
Of course, cybercrime has been a real and present danger for developers for many years, but the rise of embedded building technology presents some serious challenges for the industry, according to Mirvac’s chief digital officer, William Payne.
“Buildings are becoming smarter through both ground-up software development and modernisation,” he says.
“Developers and asset managers must now apply cyber security disciplines, tools and continuous improvement techniques more commonly seen in traditional corporate IT environments. There must be an ongoing strategy to protect assets and support customers’ cyber security standards.”
Those with long memories will recall the poster child cyber incident in 2013 involving the US consumer goods behemoth, Target.
The breach happened after hackers got into the system through the air-conditioning system connected to Target’s main IT network. It sent chills down the spines of development firm principals and asset owners given it could happen to any business that owns real estate.
Today, smart buildings are more connected than ever. So, understanding what data is being collected and retained during the development process and beyond is crucial, says Lara Paholski, chief executive of property and legal technology development company, thelawstore.com.au.
Some of the data collected when developing smart commercial buildings includes identity documents, financial documents, as well as personal information such as contact numbers, address and next of kin details. The question is whether, once collected, this data really needs to be stored longer term.
“Personal information may be captured via photo, which is texted or emailed back to developers’ offices. This creates an identity honeypot. Hackers can get all this personal information simply by gaining access to emails,” Paholski says.
HopgoodGanim lawyer Steven Hunwicks says developers and managers may quickly find they have become custodians of great volumes of deeply personal information about behaviours.
“But they may not have governance arrangements and practical controls in place to manage and mitigate the risks arising from the data,” Hunwicks says.
As a result, developers need to think about whether they really need to be storing this information long-term, because the consequences are serious if they are hacked and the data is stolen and sold on the dark web.
In a sign that the people and parliament are increasingly losing patience with corporate data breaches, new legislation that dramatically increases penalties for serious or repeated privacy breaches passed both houses on Monday, November 28, with bipartisan support.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 raises the financial penalties from $2.5 million to $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period, whichever is larger.
Personal data aside, technology consultancy Waterstons’ head of security, Ryan O’Kell, says property firms are often vulnerable to a hack attack due to outdated and unmanaged tech systems.
“Without a solid cyber security plan in place, your threats and vulnerabilities increase.”
In addition to heating, ventilation and air-conditioning (HVAC) systems, property firms are exposed to cyber risks through security cameras and employees’ own devices.
“One infiltration scenario could be adversaries watching security cameras, gathering information and potentially locking people inside, controlling the HVAC systems to inflict damage to those inside and demanding a ransom,” O’Kell says.
In another hypothetical scenario, hackers could access and then control the lighting or HVAC systems and blast the air-con and leave lights on all night. This is a seemingly invisible infiltration but with serious monetary consequences.
Asset managers and developers need the knowledge, resources and skills to constantly combat these threats.
Any robust cyber security strategy starts with standards and frameworks. For security reasons, Mirvac does not disclose the measures it takes to protect its assets.
But chief digital officer William Payne says they follow the National Institute of Standards and Technology (NIST) cyber security framework to manage hacking risks. This gives property managers tools to respond to and recover from cyber threats.
NIST is just one method developers can use to guide their cyber security strategy. Another common framework Aussie businesses use is the Essential Eight, the mitigation strategies the federal government’s Australian Cyber Security Centre recommends putting in place to prevent attacks. These include taking away unnecessary network administration privileges from employees who don’t need them and putting in place multi-factor authentication.
Emergence Insurance head of corporate cyber Trent Nihill says the Target example was a wake-up call for developers that separating corporate networks from building management systems is critical.
“These systems should be able to run independently so an attack at the property developer’s offices should not impact buildings and tenants.”
Nihill says when assessing property risk for underwriting purposes, for many years insurers have been focusing on the robustness of policyholders’ operational technology such as building management systems. This is because these systems have been increasingly exploited by cyber criminals.
“Building management systems typically have long operational lifespans and they are not patched as often as other systems, so they can be weak assets for criminals to target.”
He notes many businesses are unable to continue trading without their operational technology up and running, in the event a major breach takes these systems down.
So it’s essential building management systems are designed with manual overrides so people can get in and out of the buildings and are not stuck in lifts and other places in the event of an attack.
Additionally, Nihill says while cyber insurance is one tool developers and asset owners require for cyber safety, it is important for them to understand and manage buildings’ specific cyber risks.
“Without adequate cyber security controls most businesses won’t be able to get cyber insurance.”
Terry Burgess, data security firm Protegrity’s Asia Pacific head, says property businesses should protect themselves by thinking about data security differently.
“Readily available data privacy technologies such as tokenisation can keep sensitive data, including personally identifiable information, hidden, even in the event of a breach.”
Tokenisation involves replacing personal information in an organisation’s network with a token, as the token has far less value to criminals.
“If this kind of technology had been applied by Optus or Medibank, the cybercriminals would have had to re-identify the data before they could derive value from it, a difficult process for those without authorisation. This makes stolen data less useful to criminals,” he says.
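A minimal sketch of vault-based tokenisation as described above, added here as an illustration; it is not code from the article or from any vendor's product. The field names, role names and sample tenant record are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """The only place where a token can be mapped back to the real value."""

    def __init__(self, lookup_key: bytes, authorised_roles: set):
        self._lookup_key = lookup_key
        self._authorised = authorised_roles   # hypothetical role names
        self._by_token = {}                   # token -> original value
        self._by_digest = {}                  # keyed digest -> token

    def tokenise(self, value: str) -> str:
        # The keyed digest lets a repeated value reuse its token; the token
        # itself is random, so it cannot be reversed without the vault.
        digest = hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()
        if digest not in self._by_digest:
            token = "tok_" + secrets.token_hex(8)
            self._by_digest[digest] = token
            self._by_token[token] = value
        return self._by_digest[digest]

    def detokenise(self, token: str, role: str) -> str:
        # Re-identification is an explicit, access-controlled operation.
        if role not in self._authorised:
            raise PermissionError(f"role {role!r} may not re-identify data")
        return self._by_token[token]


SENSITIVE_FIELDS = ("contact_number", "next_of_kin")  # assumed field names


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return the copy that the application database or mailbox would hold."""
    return {k: vault.tokenise(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def leaked_values(stored: dict, original: dict) -> list:
    """Sensitive originals still readable in the stored copy (ideally none)."""
    blob = " ".join(stored.values())
    return [original[f] for f in SENSITIVE_FIELDS if original[f] in blob]


# Constructed sample record, not real data.
TENANT = {"unit": "12B", "contact_number": "0400 000 000",
          "next_of_kin": "Alex Example"}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), {"leasing-officer"})
    stored = protect_record(TENANT, vault)
    print(stored, leaked_values(stored, TENANT))
```

The protection depends on the vault being stored and access-controlled separately from the systems that hold the tokenised records.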
The property sector has a way to go upskilling IT staff, implementing the right cyber security solutions and being aware of the potential effects of a hack in the short and long term. The message is to make this a priority before a hacker takes buildings and businesses down.