Sector - Software & Technology

Could your Building Management System be the Weak Link?

Workers have got used to the technology advancements that employers introduced to support them in working from home during lockdown. As they return to the office, they will not want that technological flexibility to be compromised. There will therefore be a lot of pressure on the IT infrastructure within offices to provide new technology services at scale.

IT assets (laptops, mobiles, etc.) will potentially have been used in a less protected environment over lockdown, and will then be used again within the office environment. This imports risk, because nobody quite knows whether those devices are still “clean”.

New technologies hurriedly brought in to manage the office environment, for example “return to work” software and desk booking, may not have had the time to receive the rigour of testing that corporates would normally apply before rolling technology out across the business.

This has in part been recognised in the Queen’s Speech on 11 May 2021, which included proposals to extend 5G mobile coverage and gigabit-capable broadband through the Product Security and Telecommunications Infrastructure Bill, internet safety provisions in the draft Online Safety Bill, and strengthened telecoms security in the Telecommunications (Security) Bill. The Product Security and Telecommunications Infrastructure Bill will support the installation, maintenance, upgrading and sharing of apparatus to facilitate better telecommunications coverage and connectivity. It is also designed to ensure that smart products such as phones, speakers and TVs are more secure against cyber attacks, and that individual privacy and security are protected.

However, for the time being the risks remain, and builders should be aware of the issues and challenges to ensure they can mitigate them where possible.


Silos of responsibility

Responsibility for IT systems in a business typically resides with the IT department, the CTO or CIO or, increasingly, a Chief Security Officer. But their focus is often on the operational systems and data within the business: email and cloud storage security, and the like.

But buildings and other infrastructure are increasingly being run by computer. Obvious examples include the physical security systems, the heating, air conditioning and ventilation, and the lifts. These are often not within the remit of the business’s IT department and are probably managed by a facilities director or property director, depending upon the size of the business. Indeed, they may even be managed by the building landlord rather than the occupier business itself.

As they are “back end” rather than user-facing, these building systems are often running on older firmware and operating systems, which may or may not have been patched to the most up-to-date version. Many organisations lack effective patching and maintenance processes and procedures for their building systems.

This wasn’t so much of a problem when these building systems were standalone and not connected to the internet. But nowadays, as more building management is carried out remotely and centrally across a whole portfolio, that is no longer the case.

Can a building management system be the weak link?

Let’s say somebody wants to launch a highly visible attack on a major clearing bank as a protest against the bank’s funding policy in relation to climate change. They could either:

  1. try to circumvent the systems running on the bank’s computers through malware in an email or a phishing attack, or
  2. hack into the building systems in the bank’s headquarters building in Canary Wharf: switch all the heating on to full blast, lock all the digital locks on the office doors, send the lifts to the top floor and sound the fire alarm.

Consider also that to successfully carry out the first option, they will have to circumvent the bank’s anti-malware software. Protective systems are never guaranteed, but they are now pretty sophisticated, and so an attack has to be sophisticated to bypass them. Whereas, for the second option, let’s say the building systems are running an outdated operating system which has not been properly patched. Circumventing the security would then be much simpler. It is almost an open invitation.

The second type of attack might not gain them lots of money or result in a loss of customer data, but it is likely to make a more captivating media story, which is more difficult to suppress, and the reputational damage in customers’ eyes still points to the bank having lax controls over its IT. Job done.

What data can be stolen?

Smart building sensors are constantly gathering information, much of it personal data and therefore governed by data protection laws. And they are gathering data in vast quantities. From that data, one might be able to identify what time an individual enters the building, how many trips to the bathroom they make, what they buy in the canteen, how heavy a smoker they are, and now even whether they have COVID symptoms (from the digital thermometer at reception) and/or whether they have been vaccinated (which merits another whole article!). Add CCTV to that, and you have a whole other level of personal information captured and mapped to the individuals’ activities.

More serious concerns arise where building sensors or other Internet of Things (IoT) products are connected to the general business Wi-Fi or network in the building. Once the hacker is in through the building sensor system, they may end up with free rein to download confidential business information as well. As a general rule, businesses should practise network separation between these two types of networks, but as building systems start to interact more comprehensively with “business information”, we can see that there will be crossovers.

Well-documented concerns around speech recognition products (Siri, Alexa, and others) are regularly voiced, but what about someone hacking into the conference room microphones and being able to record highly confidential business meetings?

Liability can be complex

Let’s say, for example, that there is a data breach. Ultimately the ‘business’ is responsible as the designated ‘data controller’, but if there is a problem with a data processing device or smart building product, then the manufacturer could have some liability.

However, the device could also have been configured incorrectly by the IT Manager, or used by the Building Manager for a function it is not designed for. Perhaps someone added an app or some software that was not written by the manufacturer. Did one of the employees bring in a device like an Alexa, link it to the building’s Wi-Fi, and unwittingly give hackers entry into the network?

Sometimes the risks lie within areas managed or supplied by third-party organisations, so contractual compliance is key, as is ensuring that policies and procedures reflect contractual and regulatory obligations. Sound legal counsel can help mitigate the risks, both reputational and financial. If there is an incident, there are a number of legal requirements around communications with organisations such as the Information Commissioner’s Office (ICO) and other supervisory authorities, as well as with customers and suppliers.

What does the law say?

Depending on the incident, different legislation or regulations may apply. Here are a few of the most common:

If you are an operator of essential services you will be aware of the Network and Information Systems Regulations 2018 (NIS), which state that you must identify and take appropriate measures to manage the risks posed to the security of your networks and information systems. You have an obligation to report any breach incidents which affect the security, provision, confidentiality and integrity of the service. The penalties are high: up to £17m.

Failure to ensure the appropriate security of personal data, or failure to notify a reportable data breach to the ICO under the UK GDPR, can result in fines of up to £17.5m or up to 4% of total worldwide annual turnover. There is also the risk of contractual claims for breach of confidentiality obligations in a contract. Product liability is covered under the Consumer Protection Act 1987, but if a device is compromised remotely using its internet connection, is it necessarily defective?

Conclusions

There have been a number of high-profile ransomware attacks in recent weeks which illustrate the vulnerability of our systems to cyber-attack. The damage can be huge, and liability and regulatory compliance in these incidents is extremely complex. Robust legal counsel is a must.

Ed Cooke is the Founder at Conexus Law
