Why Cyber Security risks should be on the Sustainability radar

Imagine that hackers break into your building’s management system. The air-conditioning goes haywire and the heating cranks up to an unbearable level. The lights and power switch off, causing chaos and confusion. Work grinds to a halt. Worse, people’s safety is compromised as lifts, security and fire systems cease to operate.

If the cybersecurity breach affects transactions on a busy trading floor, the financial implications are obvious. But in some cases, a cybersecurity event could be as significant as a natural disaster. 

Consider the ransomware infection which crippled the UK’s National Health Service in 2017. Staff around the country were forced to revert to pen and paper and their own phones as computer and telephone networks shut down. Patients were turned away and people in affected areas were advised to seek medical care only in emergencies. Thankfully, no lives were lost, but the story could have been a very different one.

According to the IoT Alliance Australia, the world will have more than 1 trillion Internet of Things (IoT) devices up and running by 2035. These devices are soon to be pervasive and their application endless – from wearables that track our heart rate to connected cars, and from sensors that monitor pollution, parking, traffic congestion and rubbish in our cities to smart fridges that know when it’s time to restock. 

In the last few years, low-cost IoT sensors, switches and gateways have transformed the smart building market. Smart building technology now automates, monitors and optimises heating, cooling, ventilation, lighting, power and security systems and more. These buildings use less energy, are easier to manage and are more comfortable to live and work in. And this means smart buildings are increasingly sustainable buildings.

But as all these devices connect to the internet, the rise in IoT hacking becomes an alarming proposition. Symantec recorded a 600 per cent increase in IoT attacks in 2017, and Gartner estimates that worldwide spending on IoT security will reach US$1.5 billion by the end of 2018. 

Raymond Frangie is Norman Disney & Young’s senior cyber security consultant. He says our built environment is now a primary target for cyber criminals, and he has the evidence to prove it. Frangie recently set up a “trap” for would-be attackers, observing more than 100,000 attacks from 65 countries in a single day.

“Cyber criminals are actively looking for systems to compromise, and building management systems are an obvious target,” Frangie warns.

Most business leaders understand the damage that data breaches can wreak on an organisation. Shares in credit reporting agency Equifax tumbled to a 16-year low in 2017 after a cyberattack compromised the privacy of an eye-watering 145.5 million people.

Frangie says international incidents over the years, like the Equifax breach, have driven the Australian Government to establish the Australian Notifiable Data Breaches scheme. The scheme, which came into force in February 2018, requires companies to notify the Office of the Australian Information Commissioner and the individuals whose personal information is involved in harmful data breaches. Non-compliant companies face penalties of up to $1.8 million.

But the effect of cyberattacks on our built environment infrastructure has impacts uncommon in other environments, which is why our industry must begin to consider cybersecurity in much the same way we do the structural integrity of a building.

Imagine the consequences if the lights switch off during the Super Bowl, the Boxing Day sales or peak hour traffic in Sydney. There are potentially enormous financial costs, and the question is then: who will pay for it?

Protecting people and profits

Cybersecurity within built environments is about protecting buildings, public infrastructure and critical services. However, it’s also about protecting people within the spaces they occupy.

It would be a mistake to think this is just an issue for large companies. The Target breach in 2013 is a case in point. After the credit and debit card information of 41 million customers was compromised, up to 70 million people were affected. The investigation by US state prosecutors found the hackers had accessed Target’s server through credentials stolen from a third-party vendor – a HVAC specialist with access to some of Target’s point-of-sale systems.

“Almost five years since the attack, Target is still paying for the breach, recently agreeing to US$18.5 million in compensation to customers, after already having settled $39 million with financial institutions affected by the breach,” Frangie explains. 

Another recent case involved Austrian hotel Romantik Seehotel Jaegerwirt, which was targeted by cybercriminals in 2017. After the electronic key system at the four-star hotel was infiltrated and disabled, guests couldn’t access their rooms. The hotel’s reservation and cash desk systems were compromised too. 

The cyber attackers demanded a ransom from the hotel management, which the hotel paid. At the time, the hotel’s managing director justified the decision because “the house was totally booked with 180 guests. We had no choice. Neither police nor insurance will help you in this case.”

“Ninety-five per cent of attacks are financially motivated. If cyber criminals can take a building hostage, it can really hurt the hip pocket,” Frangie adds.

Beyond IT: A sustainability issue for the boardroom

So, what does this have to do with sustainability?

Recently, analysts have begun to argue that cybersecurity isn’t an issue restricted to IT departments and building services teams, but an environmental, social and governance (ESG) issue that must be tackled in the boardroom. 

When shareholders are increasingly looking for assurance that their investments are with well-governed companies, it’s no surprise that boardrooms are beginning to keep a careful eye on cyber risks.

The message is clear. As we transition to a smart cities ecosystem, cybersecurity will be as important as keeping the lights on. Cybersecurity is not an IT issue – it’s a business issue. 

It’s also about resilience. Many companies are investing in cyber insurance not to replace what they’ve lost, but to bounce back afterwards. In fact, the ability of a company to endure or recover from a targeted cyberattack is likely to become a key expectation of investors, shareholders and clients. 

We aren’t necessarily facing a doomsday scenario, and not every HVAC specialist or vending machine technician must become a cybersecurity expert. But it does mean we must start factoring cybersecurity into our designs, Frangie says.

“Cybersecurity can’t be an afterthought. It needs to be considered from day one of the planning process,” Frangie explains.
