The increased incorporation of technology within the construction industry and Government pressure to reduce energy wastage has led more and more buildings to utilise smart technology
The hidden risks of smart buildings

Yet for all their positives, smart buildings can leave facilities exposed to cyber risk which can paralyse operations and hold building owners and users at ransom. In this article we look at the benefits and risks of smart buildings and discuss how insurance can help to respond to this risk.

What are smart buildings and what are the benefits?

Smart buildings are dwellings or workplaces which use automation for efficiency. They boast analytical tools which can predict the needs of those within the building i.e. by controlling the temperature. Smart buildings can also monitor the component parts within them and flag the need for maintenance or repair.

The ubiquity of smart buildings has in part been brought about by the increased presence of the Internet of Things (IoT) which allows systems to communicate without human intervention and in part by the ‘Fourth Industrial Revolution’, recognisable by our increasing reliance on data, smartphones and connectivity.

An increase in smart buildings has a positive environmental impact too. Buildings produce a significant amount of greenhouse gas emissions (30-40%), use 72% of electricity produced as well as 15% of water. With the UK Government attempting to reduce carbon emissions by 80% of 1990 levels by 2050,1 the introduction of sensors to a building’s infrastructure can help to use less energy. Prior to sensor technology air-conditioning would be left on all summer or lighting would switched on even when nobody was using the room or corridor. The latest EU EPBD building directive, which requires buildings to be C02-neutral by 2050 also helps to reaffirm the importance of energy-saving measures with new buildings requiring a high standard of energy control.2

As well as basic features such as heating and light, smart buildings can save lives. In the event of an emergency, they can automatically set off alarms, activate sprinklers or show evacuation routes. The use of integrated systems at the building’s entrance can advise emergency services on how many people are in the building. These systems can also help with building security by allowing access only to authorised areas, in the case of large offices or flats for example.

Smart buildings are vulnerable to cyber threats

Smart buildings are more at risk from cyber-attacks than legacy buildings. Those with malicious intents can cause chaos with connected buildings by interrupting systems or by harvesting personal data about those within. A hacker, once they have control of the systems, can cut off heating supplies, remove power or deny entry to a building. Ransomware can threaten to lock building systems until a fee is paid, and even if their demands are met there is no guarantee the systems will be released. Not only can this cause significant stress and expense, it can also result in financial damage in the form of fines and loss of reputation through negative press. In the event of an incident, the building may find itself on the receiving end of regulatory penalties.

Part of the issue is that smart buildings are activated section by section/floor by floor, with different companies using different systems without communicating with each other. Each provider will have separate controls, cabling and security standards which naturally generates vulnerabilities. Many internet-connected building systems are unsafe as they use legacy methods. For example there are currently 14 million controls systems connected to the internet globally, and the vast majority have no security considerations. This includes everything from elevators, irrigation, air-conditioning, lighting, electrics, window shades and parking barriers.

As well as this, buildings tend to have their security patched or updated less frequently – unless an issue impacts building owners financially or detracts from their occupant’s experience then it will remain low priority. Another problem is lack of education amongst contractors. The facilities manager and IT support should work together to close any gaps in their cyber security when adopting smart technologies. Alongside this, the landlord should put an infrastructure policy in place from the buildings inception, while existing buildings should have rules for how the building is accessed. What happens for example to passwords when an employee leaves a role? No system is fool proof of course, but a highly encrypted and certified network can significantly minimise the risks.

Speak to Gallagher to understand all of our Cyber solutions

Carried out correctly, smart buildings can help to reduce energy consumption cost effectively while delivering a significant return on investment for the operator – but they have to be secure. No matter how diligent you are, you cannot always prevent a cyber-attack and with these types of attacks on the increase it is often a case of not if, but when.

That’s where effective cyber risk management and insurance comes in. At Gallagher we can provide Cyber risk management advice and guidance. We can support you to assess your existing IT infrastructure or any future IT infrastructure planning.

As an ‘after event’ solution our cyber insurance policy can help ensure that your building can still operate if ransomware does lock your systems with minimal financial and reputational damage. With GDPR requiring you to report a breach with 72 hours or you could face a fine, being able to confidentially handle a breach has never been more important. A cyber policy can outsource these issues, giving you access to specialist knowledge which could help you to avert a PR crisis and a significant fine, as well as getting the building back up and running.

Our cyber insurance offers a 24-hour hotline response to speed up the important step of reporting the breach to the ICO. After the cyber-attack has occurred, we can help you with disaster recovery costs, pay for forensic investigations into the cause of the breach and help to mitigate the damage by engaging PR specialists and legal advisors.