“The cyber security market for smart commercial buildings is largely immature and poorly defined,” according to our latest report – Cyber Security in Smart Commercial Buildings 2017 to 2021.
The reasons for this, as the report explores, are not unlike those of other new markets striving for sustainability in a dynamic and rapidly evolving sector. However, the risks of this continuing confusion in the cyber security industry may pose more serious threats to the market as a whole.
Immaturity and poor definition not only mean that the market’s growth is falling behind its vast potential but also that many smart buildings are being left at risk. An increase in attacks on buildings may well spur growth in the cyber security market, but a sizeable increase may well undermine the very adoption of connected building systems themselves.
One key issue, it seems, is that many important stakeholders still lack an understanding of the cyber threats at large. It is not just the building owners and managers who are struggling to adapt to their new connectivity-rich surroundings, but also the cyber security sector that is wandering into an unfamiliar physical world.
“While we have established that persistent concerns around cyber security for smart buildings exist, stakeholders are still struggling to fully understand the nature of the threat,” the report suggests. “Without a more comprehensive understanding of threats posed, they are struggling to find the right strategies and strategic partners to address the issue.”
While protecting buildings from cyber attack may just be one element of the broad and well-established cyber security market, the physicality and human impact of cyber threats pose new challenges. This is reflected in the complexity of the solutions; in turn, buyers and partners are faced with a confusing array of inconsistent cyber security options.
“The technical nature of many of the products and services offered by vendors in the market, as well as the overwhelming volume of jargon, acronyms and technical terms in common use by the industry, can make it difficult for potential buyers to understand what exactly they are buying,” the report points out.
This effect is compounded by the lack of cyber expertise in the building sector. “Many organizations simply do not have the experience or training necessary to develop a viable security policy, protect critical assets and network environments, or identify and respond to today’s more sophisticated attacks,” the report continues.
A 2015 Ernst & Young report found that 58% of organizations do not currently even have a role or department focused on emerging technologies and their impact on security. Reaching cyber security training and recruitment goals in an ever-changing and poorly understood sector is a challenge, even for the wealthiest companies.
“The cyber workforce simply cannot scale in line with additional device connectivity, as budgets for cyber are not unlimited, businesses will increasingly seek to develop adaptive, scalable solutions to match their changing network landscape,” the report states.
Addressing these challenges with limited budgets also opens the door to a range of problems and vulnerabilities. Budgeting may favor the staggered implementation of IoT devices across a facility, each from the most competitive vendors at the time. This can raise compatibility issues, while making security patching or functionality enhancements challenging. Furthermore, a competitive and profit-driven IoT market, faced with unknowledgeable buyers, does not encourage the implementation of responsible security measures in connected devices.
“In the rush to market, the main goal for many providers has been to generate revenues through sales, rather than focusing on long-term cyber resilience of their devices. Improved standards and IoT device certification programs such as OTA’s Trust Framework should help steadily alleviate this issue,” the report outlines.
As yet, no single established cyber security standard for smart buildings has emerged to take the lead on this issue. While government standards from bodies including the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) go some way to address general cyber security, they are still lacking when it comes to the IoT and smart buildings.
Those organizations that are now developing standards for smart building cyber security, such as the Institute of Engineering and Technology (IET) or the Open Building Information Exchange (OBIX), are still heavily focused on industrial facilities. Considering the rate of adoption of connected devices and systems in commercial buildings, more must be done to develop specific standards before unprotected elements are widespread.
All these factors can be attributed to a youngish sector, still trying to find its feet in a rapidly evolving landscape. The key driver, however, is the unrelenting development of the IoT, filling our world with connected devices and systems that leave us vulnerable to attack. As our comprehensive report describes, more must be done by all stakeholders, and soon, if we are to avoid a much bigger crisis of connectivity.