Why Cybersecurity Risks Should Be on the Sustainability Radar

Imagine a scenario where hackers break into your building’s management system. The air-conditioning goes haywire and the heating cranks up to an unbearable level. The lights and power switch off, causing chaos and confusion. Work grinds to a halt and worse, everyone’s safety is compromised as lifts, security, and fire systems cease to operate.

If the cybersecurity breach affects transactions on a busy trading floor, the financial implications are obvious. But in some cases, a cybersecurity event could be as significant as a natural disaster.

Consider the ransomware infection which crippled the UK’s National Health Service in 2017. Staff around the country were forced to revert to pen and paper and their own phones because computer and telephone networks were shut down. Patients were turned away and people in affected areas were being advised to seek medical care only in emergencies. Thankfully, no lives were lost, but this story could have been a very different one.

According to the IoT (Internet of Things) Alliance Australia, the world will have more than 1 trillion IoT devices up and running by 2035. These devices are soon to be pervasive and their application endless—from wearables that track our heart rate to connected cars, and from sensors that monitor pollution, parking, traffic congestion, and waste in our cities to smart fridges that know when it’s time to restock.

In the last few years, low cost IoT sensors, switches, and gateways have transformed the high-performance building market. High-performance building technology now automates, monitors, and optimizes heating, cooling, ventilation, lighting, power, security systems, and more. These buildings use less energy, are easier to manage, and more comfortable in which to live and work. And this means smart buildings are increasingly sustainable buildings.

But as all these devices connect to the internet, the rise in the IoT hacking becomes an alarming proposition. Worldwide spending on information security products and services will reach more than AUD$114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to AUD$124 billion..

Senior Cybersecurity Consultant Raymond Frangie, with Tetra Tech’s High Performance Buildings Group, says that our built environment is now a primary target for cyber criminals—and he has the evidence to prove it.

Frangie recently set up a “trap” for would-be attackers, observing more than 100,000 attacks from 65 countries in a single day. “Cyber criminals are actively looking for systems to compromise, and building management systems are an obvious target,” Frangie warns.

Most business leaders understand the damage that data breaches can wreak on an organization. Shares in Equifax, a credit reporting agency, tumbled to a 16-year low in 2017 after a cyberattack compromised the privacy of an eyewatering 145.5 million people.

Frangie says international incidents over the years, like the Equifax breach, have driven the Australian Government to establish the Australian Notifiable Data Breaches scheme. This scheme, which came into force in February 2018, requires companies to notify the Office of the Australian Information Commissioner of any harmful data breaches, as well as every individual whose personal information was potentially breached. Non-compliant companies face penalties of up to AUD$1.8 million..

But the effect of cyberattacks on our built environment infrastructure has impacts uncommon in other environments, which is why our industry must begin to consider cybersecurity in much the same way we do the structural integrity of a building.

Imagine the consequences if the lights switch off during the Super Bowl, the Boxing Day sales, or during peak hour traffic in Sydney, Australia? There are potentially enormous financial costs, and the question is: who will pay for it?

Protecting people and profits

Cybersecurity within the built environments is about protecting buildings, public infrastructure, and critical services. However, it is also about protecting people within the spaces they occupy.

It would be a mistake to think that this is just an issue for large companies. The Target breach in 2013, for example, is a case in point. After the credit and debit card information of 41 million customers was compromised, up to 70 million people were affected. The investigation by U.S. state prosecutors found that the hackers had accessed Target’s server through credentials stolen from a third-party vendor—a HVAC specialist with access to some of Target’s point-of-sale systems.

“Almost five years since the attack, Target is still paying for the breach, recently agreeing to $18.5 million in compensation to customers, after already having settled $39 million with financial institutions affected by the breach,” Frangie explains.

Another recent case involved Austrian hotel Romantik Seehotel Jaegerwirt, which was targeted by cybercriminals in 2017. After the electronic key system at the four-star hotel was infiltrated and disabled, guests couldn’t access their rooms. The hotel’s reservation and cash desk systems were compromised, too.

The cyber attackers demanded a ransom from the hotel management, to which the hotel paid. At the time, the hotel’s managing director justified the decision because “the house was totally booked with 180 guests. We had no choice. Neither police nor insurance will help you in this case.”

“Ninety-five per cent of attacks are financially motivated. If cyber criminals can take a building hostage, it can really hurt the hip pocket,” Frangie adds.

Beyond IT: A sustainability issue for the boardroom

So, what does this have to do with sustainability? Recently, analysts have begun to argue that cybersecurity isn’t an issue restricted to IT departments and building services teams, but an environmental, social, and governance issue that must be tackled in the boardroom.

When shareholders are increasingly looking for assurance that their investments are with well-governed companies, it’s no surprise that boardrooms are beginning to keep a careful eye on cyber risks.

It’s also about resilience. Many companies are investing in cyber insurance not to replace what they’ve lost, but to bounce back afterwards. In fact, the ability of a company to endure or recover from a targeted cyberattack is likely to become a key expectation of investors, shareholders, and clients.

We aren’t necessarily facing a doomsday scenario, and not every HVAC specialist or vending machine technician must become a cybersecurity expert. But it does mean we must start factoring cybersecurity into our designs, Frangie says. “Cybersecurity can’t be an afterthought. It needs to be considered from day one of the planning process.”

The message is clear. As we transition to a high performance built environment, cybersecurity has become a business issue.

Tony Arnel, Global Director of Sustainability