“Cyber security is widely perceived as one of the most prominent threats facing society today,” begins this latest report Cyber Security in Smart Commercial Buildings 2017 to 2021 from Memoori. However, this is not necessarily because attackers are infiltrating society’s most important systems but because seemingly inconsequential elements can act as an entry point for a whole network of vital assets.

Attackers seeking entry into corporate networks will often seek out the path of least resistance. The interconnected nature of the Internet of Things in Buildings (BIoT) means that cyber attacks can pose risk far beyond the initial point of entry. Potentially causing cumulative damages that could potentially permeate into new layers of the enterprise, building and facility portfolio, users, operators, and service providers.

The increased proliferation of smart devices, combined with persistent concerns over cyber risk and data privacy and an increased incidence of cyber attacks against smart buildings will drive a significant increase in demand for new cyber security hardware, software and services in the market.

Memoori estimates that global revenues for smart building cyber security will reach $8.65 billion by 2021, up from an estimated $4.26 billion in 2016, which represents a healthy CAGR of over 15% during the forecast period.

According to Fred Gordy, director of Cyber security at Intelligent Buildings LLC, as much as 80% of the time, an attacker’s aim is to infiltrate the network via a BAS, and to get past those controls to accomplish a larger goal or seek a more specific target. As we dive deeper into the internet of things (IoT) it is not just BAS that creates vulnerabilities.

Organisations that have adopted a centralized approach to building management, through a building management system (BMS) hosted in the cloud could provide the vector for an attack. Network routers, gateways, cloud and Web servers all have the potential to provide potential entry points to a network. The vast number of network connections and servers managed by data centres mean those facilities are highly targeted and any breach could be catastrophic.

Even so called “Bring Your Own Device” (BYOD) policies, increasingly seen in all manner of buildings, can create security vulnerabilities. Security protocols adopted by the average user, on their own personal devices, may not conform to the criteria required to protect a network, potentially making a single mobile phone the weak leak that brings down an organisation.

"It is clear that a more holistic approach to cyber security is required in smart commercial buildings. In order to determine potential system vulnerabilities in a modern networked Smart Building, one must also carry out an assessment of the systems, devices and networks that are connected to building automation and control systems,” states the report.

For smart buildings, a robust building cyber security plan is critical. Armed with knowledge from security audits and security risk assessments, organisations can make more informed risk management decisions and proactively identify the steps required to reduce threats. Even after a plan has been developed, an effective defense involves an ongoing iterative process, which must be continuously reviewed against the constantly changing threat environment.