The smart

buildings
report 2017
The installed base, benefits
and challenges, cyber threat
and barriers to adoption
Introduction
IFSEC Global recently canvassed 860 professionals in order
to understand the changing ‘smart building’ landscape and
how the industry can best harness new technologies.
The concept of intelligent buildings is nothing new. A
book published in 1988 referred to an intelligent building
as one “which totally controls its own environment”. Thirty
years later and the definition remains much the same;
however, the delivery vehicle for that vision has evolved
beyond all expectation.
While intelligent standalone systems still represent
exceptional value for building owners, it is the integration of
these systems that is propelling buildings from the realm of
intelligent to the heights of ‘smart’.
Smart buildings are the direct result of the continuing
convergence between operational and information
technology. With the Internet of Things (IoT) is gaining more
traction by the day, great advances are being made in the
world of building control.
Not only can smart buildings ensure that occupants remain,
healthy, safe and productive, but they can now help to drive
bottom-line profits. Facilities should no longer be viewed as
overheads; but strategic assets that can help organisations
realise their objectives.
IFSEC recently surveyed 860 security professionals, facility
managers and building owners, in order to understand the
changing smart building landscape.
This report provides in-depth analysis of those responses,
looking at the perceived benefits, applications and
challenges of smart functionality within the building
control landscape.

Survey highlights
CONTENTS
•O f the 860 professionals surveyed, approximately half
(50%) said they classified their building systems as ‘smart’. Survey respondents................................. 3
•O
 ut of the 435 respondents who did not regard their
building systems as ‘smart’, 46% said that they expected What exactly is the difference between
smart functionality to be introduced within the next 12-24 ‘intelligent’ and ‘smart’?........................... 4
months.
•O
 f the 425 respondents who classified their building as It’s all about data and analytics................... 6
smart, 70% felt that there was room for improvement.
Installed based and perceived benefits....... 7

Challenges/barriers to adoption.............. 10

Cyber security....................................... 14

Conclusion........................................... 16

2 A trend report from IFSEC Global

Survey respondents
Which of the following best describes Which type of building(s) are
your job function? you responsible for?
Answer Options % Answer Options %
Security 18% Office 66%
Consultant 14% Industrial/
40%
Senior executive 12% warehouse
Installer/integrator 12% Residential 35%
IT 11%
Education 26%
Facilities management 10%

Health and safety/ Hotel 26%

8%
fire safety
Retailer 22%
Contractor 5%
Manufacturers/ Healthcare 22%
distributors/suppliers 4%
Leisure 21%
Other 3%
Transport 18%
Architect 1
House builder 1 Other 3

Which technological areas of the building are you involved with?

Answer Options %
Access control 68%

Video surveillance 58%

Fire safety systems 53%

intruder alarms 49%

Integrating systems 41%

Lighting 38%

Building automation 37%

IT/computing 35%

Audio-visual systems 34%

Power/energy/electrics 32%

Telecoms/telephony 29%

HVAC control 24%

Analysing data 21%

CO2/environmental monitoring 18%

Water management/efficiency 18%

Plumbing 17%

Kitchen appliances 15%

3 A trend report from IFSEC Global

What exactly is the difference between
‘intelligent’ and ‘smart’?
“While the ‘internet of things’ is a topic of much speculation Intelligent building control, as we have come to understand
in the consumer market, smart building technology has it, has been around since the 80s. Critical assets such as
steadily been increasing its footprint and impact among HVAC, security and lighting have each had varying degrees
commercial buildings. Smart building solutions are valuable of intelligence incorporated into them over the years, all
technologies for deploying energy management strategies under the BMS umbrella.
that generate operational efficiencies, cost containment
So what – exactly – is the difference between an intelligent
and sustainability benefits that appeal to key stakeholders
building and a smart building?
in building management.” Jill Feblowitz, president,
Feblowitz Energy Consulting “It seems that in English there is a semantic difference
between intelligent and smart,” explains Paul Hughes
Would you classify your building as ‘smart’? of Software AG. “The nuance, however, is often lost.
n Yes – to a
An intelligent building means a building has the
significant degree capability of performing actions on a user request,
while the meaning of a smart building is one that has
n Yes – to some 15% the ability to solve problems.”
extent 27%
The University of Sheffield published a paper that attempted
n Not yet – but to get to the bottom of the intelligent versus smart
I expect this to distinction. The authors characterised the difference thus:
change in the next 35%
12-24 months “Smart buildings are buildings which integrate and
23%
account for intelligence, enterprise, control, and materials
n No – and this isn’t and construction as an entire building system, with
likely to change adaptability, not reactivity, at the core, in order to meet
any time soon the drivers for building progression: energy and efficiency,
longevity, and comfort and satisfaction. The increased
In 1620, Dutch inventor Cornelius Drebbel created amount of information available from this wider range of
the first functioning thermostat capable of controlling sources will allow these systems to become adaptable,
building temperature using air flow. It could be argued and enable a smart building to prepare itself for context
that this was the start of what we now call building and change over all timescales.”
management systems (BMS).

4 A trend report from IFSEC Global

Connected things installed base within smart cities (in millions of units)

Smart City Subcategory 2015 2016 2017 2018

Healthcare 3.4 5.3  8.4 13.4
Public Services 78.6 103.6 133.1 167.4
Smart Commercial Buildings 377.3 518.1 733.7 1,064.8
Smart Homes 174.3 339.1 621.8 1,073.7
Transport 276.9 347.5 429.2 517.4
Utilities 260.6 314.0 380.6 463.5
Others 8.6 13.3 20.8 32.3
Total 1,179.7 1,641.0 2,327.7 3,332.5

Source: Gartner (December 2015) 

This rather wordy definition of ‘smart’ can be distilled into

five fundamental components. Smart buildings are:
• P roactive, not reactive
• Integrated
•E  fficient
•G  reen
•A  daptive
The evolution from intelligent to smart buildings has been
driven primarily by growing demand for tighter integration.
The building control industry, like most other high-tech
sectors, was born in a closed source world. Systems
were built on proprietary hardware and software stacks,
leading to a highly fractured, disparate ecosystem of quasi-
intelligent systems.
The demand for greater interoperability prompted the
industry to move away from proprietary systems to a much
more open architecture, with protocols such as BACnet and
LonTalk leading the way. •G
 eneral Electric estimates that the industrial internet market
will add between £8tn-£12tn to global GDP within the next
Global smart buildings market: insights 20 years. For context, China’s total GDP is just over £7tn
• “ Building managers report 30% savings in repair •B
 uildings are the largest consumer of global energy
costs when networked buildings enable proactive production, ahead of industry and transport. Also
maintenance” (Jim Young, CEO, Realcomm) contribute one third of total global greenhouse gas
•G
 lobal spending on smart building technology was emissions, primarily through use of fossil fuels during
forecast to grow from $7bn in 2015 to $17.4bn by 2019 operational phase (International Energy Agency)
(IDC Insights: ‘Business Strategy: Global Smart Building
Technology Spending 2015–2019 Forecast’)
•C
 isco estimates that the number of connected
devices worldwide will rise from 15 billion today to
50 billion by 2020. Intel believes this figure will be
closer to 200 billion devices

5 A trend report from IFSEC Global

It’s all about data and analytics
When people, or organisations, make their first foray
into the world of smart technologies, it is all too easy for
them to become preoccupied by the inherent benefits
of any given asset. Consider the immediate and tangible
benefits of a lighting system capable of integrating with
access control: only consuming energy when employees
occupy a specific zone.
But this ‘intelligent’ behaviour does not necessarily equate
to ‘smart’ behaviour. Because the internet of things is not
actually really about things; it’s about data, and the insight
extracted from that data.
IP-enabled building infrastructure increasingly allows us
to collect operational data that was simply not imaginable
even just a few years ago. The challenge now is to figure out
what to do with it.
A smart building’s value therefore depends entirely on its
analytics capabilities.

Do you analyse the data your smart systems are

capturing?
n Yes, we have
a structured 5%
6%
approach to this
n Yes, but it’s not 34%
structured 18%

n No, but we’d like

to
n No, we have no
plans to use data in
this way 37%
n Don’t know
IFSEC Global asked respondents if they analysed the
data generated by their smart systems. Only 34% of
respondents claimed to have a structured approach to
data analytics. A further 37% said that they queried data on
more of an ad hoc basis, while 29% admitted to having no
analytics capabilities in place or were unaware of having
such capabilities.
“It’s about taking existing data and combining it with new
data to gain insight,” says Stuart Higgins, head of digital
impact for Cisco UK and Ireland, in explaining the process
of analysing the data generated by smart systems.
Offered the chance to elaborate on how they analyse
captured data, respondents to our survey offered these
responses, among others:
• “ We send the data to a cloud-based system and analyse
the data there”
• “ Assessed the need for battery storage and evaluated
need for exact PV generation requirements” using
captured data
• “ Review and analysis of security incidents for corrective/
preventative action”
• “ Piecemeal analysis of energy usage data, efficiencies
analysis and improvement opportunities”

The benefits are profound, he believes. “Traditional systems • “ If everything is pre-planned then we just need a smart
were very reactive, but ‘smart’ is about being able to move software programmer and an engineer to have full
away from reactive towards proactive. control on system”

“Take that data a step further and you are able to be

predictive. Based on what happened in the last three
months of last year, we can predict what’s going to happen
in the last three months of this year.”

6 A trend report from IFSEC Global

Installed base and perceived benefits
“There has been a mismatch between what users expect
from an intelligent building and what the suppliers are able
to deliver. One of the main reasons for the disparity is that
the intelligent building has generally been defined in terms
of its technologies, rather than in terms of the goals of the
organisations which occupy it.”
Professor Derek Clements-Croome, school of
construction management and engineering,
University of Reading
Our survey also quizzed respondents on which
specific components of their buildings they defined as
‘smart’. It is worth noting that the top four of the most
common smart technologies were all security and
safety-related, suggesting these fields are well ahead
of the curve in terms of collecting data and turning that
data into something meaningful.
Security and safety systems remain two of the most
fundamental resources in building design and the
technologies supporting them are well-established
and mature. They were the first assets to gain
intelligent functionality, so it makes sense that they are
already widely deployed.
Garnering 73% and 67% of responses respectively
access control and CCTV systems were smart in more
than two thirds of buildings and well out in front.
Nearly one in two intruder alarms (48%) were also
considered smart, suggesting that the epochal shift to
not just IP but data-driven systems has now affected a
clear majority of businesses.
Even more than half of fire alarms (53%) were deemed
smart, which is noteworthy for an industry where stringent
requirements for regulatory compliance mean that
technological change often lags that of other industries.
Nevertheless, a UK-based fire-safety professional laments
that the “the benefits of ‘smart’ technologies are not being
fully realised in terms of building safety, at least in part due
to the fact that technical regulatory requirements for fire
protection and life safety systems exceed those for other
systems – eg BMS and data network cables and other
components are not required to be as resilient, for example
in terms of resistance to fire.”
The smart building concept is fast becoming a widespread
reality on other BMS areas too, with at least one in five
having smart lighting (47%), energy management (47%),
HVAC (37%), A/V (35%), building performance (34%),
telecoms (31%), CO2/environmental monitoring (23%) and
water management/efficiency systems (21%).
“Immense benefits could be realised
in terms of building safety, in particular
fire protection, but these are not being
realised due to a disproportionate focus
on security and energy management.”
Fire-safety professional

Which of your building functions would you describe as having ‘smart’ functionality?
Answer Options %
CCTV 67%

Fire safety systems 53%

Intruder alarm 48%
Lighting 47%
Energy management 47%
HVAC control 37%
Audio/visual systems 35%
Building performance 34%
Telecoms/telephony 31%
Intercom 27%
CO2/environmental monitoring 23%
Water management/efficiency 21%
Energy storage 15%
Plumbing/taps in kitchens and bathrooms 11%
Kitchen appliances 9%

7 A trend report from IFSEC Global

Survey respondents offered more specific examples of
building components that were smart, including automatic
shutter control, car parking and backup generators.
What has been/do you expect to be the biggest
benefit of installing smart technologies in your
building?
n Improving security
n Cutting energy
5%
usage/costs
11%
n Creating a more 23%
comfortable
environment for staff
and/or customers 18%
n Cutting costs
generally 23%
n Helping staff do their 21%
jobs more efficiently
n Reducing cost of
changing occupancy and
configuration (churn)
Asked what they considered to be the single most
important benefit of installing smart technologies –
whether from experience or expectation – ‘improving
security’ and ‘cutting energy usage/costs’ were tied at
the top of the rankings with 23% apiece. ‘Creating a more
comfortable environment for staff and/or customers’ and
‘cutting costs generally’ also polled well, garnering 21%
and 18% respectively.
‘Helping staff do their jobs more efficiently’ and ‘reducing
cost of changing occupancy and configuration (churn)’
were comparatively seen as much less significant benefits.
The ‘Honeywell smart building score’
Honeywell recently designed a universal framework for the
purposes of evaluating the ‘smartness’ of buildings. The
‘Honeywell smart building score’ allows for a quick, easy
and comprehensive assessment of any building.
Applied to close to 500 buildings for validation purposes
the framework revealed a fascinating finding: building
managers in all verticals tended to give their buildings
higher scores than the assessments revealed. Honeywell
said the findings suggested a need for greater education
about the full capabilities and applications of smart
buildings.
Maybe this helps explain why an overwhelming proportion
of those polled – 91% – were pleased with how their smart
technologies have performed. Unaware perhaps of how
much smarter they could actually be, more than one in five
declared themselves to be ‘very pleased’ indeed.
Our survey respondents were offered the chance to suggest
other benefits they have realised – or expect to realise – and
these were among the more interesting answers:
8 A trend report from IFSEC Global
“So many systems have capability on
paper but generally require significant
tailoring and development, which
never then meets original expectation –
which is set too high.”
Project manager
• “ Improve fire and smoke safety for all building users”
• “ Quicker reaction to failures”
• “ Overall efficiency […] measuring building performance,
operation and degradation over time, [better] ROI, cost of
operation and depreciation […] The opportunity to evolve
with improvements in technology is a very important
consideration”
• “ Saving lives of building occupants due to ill-health or
self-harm.” CTO for medical device company
• “ We would really like to help our customers – students,
staff, visitors – to self-serve to a certain degree [through]
access to services through an app. They could choose to
use it or not.” IT professional in education sector
• “ In large, complex buildings it is useful to have various
intelligent systems to assist with monitoring fire alarm
cause and effects – ie where electrically locked doors,
ventilation shuts down, floors are signalled to go to
ground for certain fire alarm zone activations”
Not everyone was convinced about smart-building tech,
however: “We are yet to be convinced of payback,” said
one company director.
How pleased are you with how your smart
technologies have performed?
n Very pleased 1%
8%
n Quite pleased 22%
n Quite
disappointed
n Very
disappointed
69%
Respondents were given the chance to explain why they
were, overall, pleased or disappointed with the impact of
smart tech on their building and its occupants.
Comments from those who were pleased – albeit some had
caveats – included:
• “ It enables easy identification of any part of the building
infrastructure”
• “ It takes a long to implement this technology properly in a
single building, but once this is done it can have fantastic
benefits to energy performance”
• “ I’ve had a few problems with one of my apps but overall
I’m happy”
• “ Our Axis IP camera could be monitored clearly, remotely,
alongside our IP intercom”
Gripes about smart tech on the other hand:
• “ Difficulty of integration”
9 A trend report from IFSEC Global
“In the future we expect to have nearly
all devices connected and accessible
via smartphones.”
Health and safety/fire safety professional
• “ Network failure always a potential challenge”
• “ Solution suppliers are slow to open up but instead try to
cling on to black-box solutions”
• “ In some ways, we are very pleased with the immediate
results; it’s just that the cost of installation, longevity of
units and length of time changeover took beyond the
expected schedule all but doubled, affecting ROI”
Challenges/barriers to adoption
Case study after case study has shown the positive impact
of smart technologies. From energy efficiency and comfort
levels to safety and maintenance costs, the benefits far
outweigh the challenges – as long as the systems are
procured, integrated and deployed wisely.
And yet there remains a great deal of resistance, among
many building owners and managers as well as staff of all
pay grades. Indeed, asked what they viewed as the biggest
challenge of all, 10% opted for ‘cultural resistance to new tech
among staff’.
“As a security manager I am all for integration and use of
‘smart’ technologies,” said one respondent, “but there is
still some resistance to it from the old school, both from
the client and some of my own staff, who may feel a little
intimidated by it or see it as their replacement rather than a
tool to assist them.”
However, several other issues were flagged in greater
numbers.
Interoperability
“In some sense, the goals for perfect interoperability,
cybersecurity and privacy may always be just out of reach
as new applications, features and threats emerge. However,
aligning a shared vision to a collective set of directions may
allow buildings automation ecosystems to form and flourish.”
US Department of Energy
It is perhaps of little surprise that interoperability was named
the number one challenge. Nearly 30% of respondents said
this was their top concern.
While building control is rooted in the world of proprietary
hardware and software, the industry began shifting towards
an open environment in the mid-90s. A consortium of
building management players and manufacturers joined
forces, ultimately creating the building automation and
control networks (BACnet) protocol.
Along with LonWorks (local operating network) BACnet
currently dominates the intelligent building market. But
these open automation communications protocols are
now being threatened by the most open protocol of
them all: the internet.
The gravitational pull of this colossal network of networks is
having a profound impact on the building control landscape
and the internet of things has proved a great disrupter. A
deluge of IP-based solutions is breaking down proprietary
barriers. The shift towards IP-centric infrastructure neutralises
many of the integration challenges faced by traditional
building control systems.
However, interoperability and integration between new
and existing building infrastructures remains a challenge.
“There does appear to be a level of
cultural resistance/reluctance to invest
in new ‘smart’ technology.”
Service provider and end user of smart
technology

What has been the biggest challenge/problem of running a smart building so far?

Integration/interoperability 30%
of different systems

Cost of installation and 22%

maintenance

Learning how to operate

11%
new systems or training staff

Cultural resistance to new

10%
tech among staff

Recurrent maintenance issues /

systems often breaking down 9%

Technology has not realised the

benefits promised by the vendor 6%

Friction between teams over who

should have responsibility for new tech 6%

Other 6%

10 A trend report from IFSEC Global

“Interoperability remains a big concern, because like any
new technology area, it’s a lot like the Wild West at the
moment,” says Stuart Higgins, head of digital impact for
Cisco UK and Ireland. “There are no recognised standards.
It’s a bit like the VHS-Betamax war; it’s not necessarily the
best standards that are going to win – it will be the ones that
are easiest to implement and that most people understand.”
To bridge these gaps, middleware is playing an
increasingly important role, shifting data from traditional
sources to a common platform.
Cost of installation and maintenance
“New smart building collaboration processes require
consultants, architects and construction companies to step
outside of their comfort zone. In the future, this will become
common practice as both clients and tenants demand
greater energy conservation and increased amenities
within their building.” Ron Gordon, Cisco Canada
Nearly 22% of respondents cited installation and
maintenance costs as the biggest barrier to successful
deployment of smart building technology.
It can be difficult to evaluate the lifecycle costs and ROI
on smart technologies given the breadth of purpose
and capability. For a typical commercial building, HVAC
accounts for roughly 40% of energy costs and lighting
another 20-30%. Bringing just these two assets into the
smart fold, capital investment should almost always see
a return on investment, albeit over an extended period
of time. Studies have demonstrated that smart building
technology investments typically pay for themselves
within 1-2 years, primarily through energy and other
operational efficiencies.
The Lawrence Berkeley National Laboratory recently
conducted a study of energy management (or energy
information) systems, examining 28 buildings with smart
11 A trend report from IFSEC Global
“Unfortunately, consultants very often
never get to install or commission
systems. So their knowledge gets more
theoretical and often prevents much
better solutions being implemented at
a lower cost.”
IT consultant
functionality installed. Reported energy savings were as
high as 35%, with average savings of 17% for individual
buildings. While the lifecycle costs of these subsystems are
relatively easy to quantity, the ROI on smart technologies
extends well beyond the obvious benefits.
As previously mentioned, integration sits at the heart
of the smart revolution. The deep integration between
building assets can lead to synergies whose benefits are not
immediately apparent – for example how data from motion
sensors or access control can regulate HVAC. Such synergy
savings can only be quantified post-installation and over a
period of time.
Even harder to quantify are the plethora of soft benefits,
such as higher occupancy rates, improved health and
increased productivity.
It’s also worth considering the plummeting cost of ‘things’.
The average selling price of sensors is forecast to fall by 5%
every year for the next five years, according to the latest IC
Insights report.
“The trend is driven by intense competition as well as basic
commodification of different sensor types,” explains Adam
Lesser of tech research brand Gigaom. “IP appears difficult
to lock up in the market. Throw in the reality that many IoT
applications require rock-bottom pricing and that puts
pressure on sensor manufacturers not just to lower prices,
but also to undercut competitors in the hope of locking up
the market for themselves.”
The ubiquity of IP also means that proprietors can afford to
update a building system by system based on assets most
likely to show a return on investment.
Capital spend is certainly significant. However, it should
no longer be viewed as a barrier to entry. Cisco claims
that it has played a key role in creating smart buildings
that cost less than their traditional counterparts. The
vendor has been working with property owners,
developers, construction companies and architects to
develop smart building practices without incremental
cost at the construction phase, generating significant
cost savings early on.
“This is analogous to providing the benefits of six-
lane super highway for the same cost as a gravel road,”
says Ron Gordon, Cisco Canada’s senior advisor for
smart+connected real estate. “The key to achieving
these cost savings is being able to influence the design at
the early architecture stage and the collaboration among
the providers of the HVAC, lighting, security and access
solutions working together in a win-win situation.”
Learning how to operate new systems
and training staff
More than a fifth of survey respondents said that either
learning how to operate new systems (11%) or cultural
resistance to new tech (10%) posed the greatest challenges
to smart installations.
Cultural resistance will always be a factor when introducing
sweeping changes. The key, of course, is good change
management. The silver lining to smart technology is that it
is – or at least should be – autonomous in nature and so, in
most cases, will not prove to be a hard sell.
At first glance, it’s unsurprising that staff should be culturally
resistant and have misgivings over training demands when
it comes to smart tech. Yet case studies actually suggest that
smart technologies often ease friction rather than create it.
As integration becomes tighter between multiple systems,
the learning curve becomes decidedly less steep, as users
only need to operate a single platform. This has a knock-on
effect, promoting efficiency and cutting training costs.
The smart revolution is also having an interesting impact
on the roles of both facility managers and IT professionals.
As building management systems and their subsystems
continue to drift towards the IP realm, the responsibilities
of facility managers are converging with those of the IT
department. Traditionally, facility managers have been
12 A trend report from IFSEC Global
“We have yet to see any [smart]
technology worth the hassle.”
UK-based company director
tasked with managing complex systems comprising
mechanical, pneumatic and electromechanical systems,
often controlled from bespoke workstations.
Similarly, IT professionals are not necessarily well
versed in the world of building control systems,
with serial communication over application-specific
protocols and hardware.
Rather than transferring ownership of building control
to one specific area of the business, the key is tighter
amalgamation between departments.
Several respondents reported difficulties in convincing
budget holders and senior decision-makers to sanction
investment in smart technology, with one noting: “As always
it is difficult to find money to spend on ‘virtual’ stuff!” Said
another: “Management is a little slow on the uptake, but we
are working on it.”
Although one respondent said they “see IoT happening
faster in healthcare and transportation,” budgetary
constraints will apparently limit investment in the former, at
least in the UK public sector. “I am trying to convert a 1970s
building to be a bit more FM user friendly but with NHS and
departmental budget restrictions I am struggling,” wrote a
facilities manager in the healthcare sector.
Other challenges mentioned included:
• “ The cost of cabling” “I see IoT happening faster in
• “ Delays by traditional building vendors” healthcare and transportation.”
• [ Getting] “the client/owner/operator to understand the Senior executive at IoT service provider
advantages to their organisation”
• “ Providing sufficient justification for investment and
instigating change” It’s interesting to note that the IT department is only ranked
• “ The client pays the utility bills; no incentive to read and fourth out of seven in terms of influence over technologies
analyse data” that connect to computer networks.
• “ There is a will in pockets of the area – however, it takes a
Here are the aggregated rankings (most influential at the
long time to get things moving!”
top; least influential at the bottom):
• “ Instability in internet access”
•S  ecurity
• F acilities management
Procurement and deployment
•H  ealth & safety/Fire safety
Asked to rank various departments by influence when
it comes to are buying, integrating and deploying • IT
smart technologies, respondents ranked the security • F inance
team as having most influence and outside consultants •S  enior executives
as having the least. •C  onsultants

13 A trend report from IFSEC Global

Cyber security
“Facilities managers should work with IT personnel to
manage the high-tech aspects of BAS and the cyber security
concerns that threaten them and, by extension, the rest
of the organisation. The correct approach is to use a
combination of both professions to safeguard the BAS.”
Continental Automation Buildings Association
How concerned are you about cyber security
vulnerabilities created by smart, network-
connected tech?
n Very concerned
13%
n Fairly concerned
n Not concerned 43%
at all
44%
As building control increasingly moves into the IT sphere,
the importance of cyber security is growing in tandem.
Gartner recently predicted that, by 2020, more than 25%
of all identified attacks in enterprises will come from the
internet of things.
Worldwide spending on smart security will reach $348m in
2016, a 23.7% increase from 2015 spending of $281.5m. By
2018, this figure will be closer to $547m.
The security implications of putting buildings ‘online’ should
not be shied away from. Physical infrastructure is inherently
more vulnerable once connected to the digital world.
Understandable then that most of our survey respondents
– 87% – were at least somewhat concerned about the
cyber-security vulnerabilities posed by smart tech, with
43% professing to being ‘very concerned’. Nevertheless,
that even 13% insist they are ‘not concerned at all’ might
alarm some observers given widespread reports about the
vulnerabilities of internet-connected ‘things’.
Vulnerabilities laid bare
IBM’s ethical hacking team, X-Force, recently conducted
a penetration test of a remote building automation
system that controlled sensors and thermostats in several
commercial offices. X-Force found a way into one of the
building’s networks via a vulnerable router. Poor password
management meant the team easily accessed the local BAS
controller and eventually wrested complete control of the
central BAS server.
14 A trend report from IFSEC Global
“The theft of millions of customers’
credit card data from US retailer Target
was traced back to the heating and
ventilation system.”
IBM’s penetration test illustrates the enormous potential for
disaster in this new world of smart things. However, X-Force
was only able to access the BAS due to a series of security
lapses. It is a mistake to assume that the buck always stops
with the vendor.
“The vendors have a responsibility to ensure that their
solutions meet the expectations of the customer,” says
Stuart Higgins, head of digital impact for Cisco UK and
Ireland. “That they are up to date in terms of the vulnerability
landscape and that they are patching both their hardware
and software on a regular basis. But, equally, the customer
can’t wash their hands of responsibility. It’s no one individual
or organisation’s responsibility; it’s a collective duty.”
In 2014, security consultant Jesus Molina told US
cybersecurity conference Black Hat he had commandeered
control of the lighting, HVAC and entertainment systems of
200 rooms at a hotel in Chinese city Shenzhen. A year before
that, the US Department of Homeland Security revealed
hackers had broken into a “state government facility” and
made it “unusually warm”. Google’s Sydney office was
hacked through its building management system in the same
year. Two cyber security experts discovered the vulnerabilities
via IoT search engine Shodan.
Speaking to the BBC, one of these ‘benign’ hackers,
Billy Rios, claimed there are 50,000 buildings currently
connected to the internet, 2,000 of which lack any kind of
password protection.
Conducted by more malevolent actors the consequences of
such breaches could be significant, with disruption to office
buildings that costs thousands of pounds in lost productivity
sitting at the less serious end of the scale. If the heating
system in a hospital or care home was disabled, for example,
the upshot could even be loss of life.
Hacks of building systems have already caused profound
disruption. In 2013, the theft of millions of customers’
credit card data from US retailer Target was traced back
to the heating and ventilation system. More alarming
still, a Ukrainian power station was disabled immediately
before Christmas in 2015 by a spear-phishing attack –
where an employee is duped into downloading malware,
usually via email – leaving around 80,000 Ukrainian
citizens without power.
Martyn Thomas, a professor of IT at Gresham College told the
BBC “that attempts to attack building management systems
are happening all the time […] These BMS systems have
hundreds of thousands of lines of code, and yet the average
programmer makes 20 mistakes in every 1,000 lines of code,
so there are lot of bugs there.”
Respondents who commented further were polarised
over the magnitude of the hacking threat to building
management systems. Those who were more relaxed
about the risk seemed to have one of two main reasons.
The first, expressed by an office-based facilities manager,
was that their system “had no physical connection to the
outside world.” Similarly, a senior executive in the industrial/
warehouse sector said “no life-critical applications will go
on publicly connected networks.”
But even if hackers could access a BMS network, it
doesn’t follow that they would have a compelling motive
for doing so, suggested one integrator: “I work solely in
the residential market. My view is that if anyone has the
capability to hack my home then they would be more
inclined to hack a company for political reasons, or a bank
for money. Security is important, but if I worry about this I’d
never install any smart equipment. I rely on the hardware
purchased for this purpose.”
But can you rely on the hardware? Not so, said one security
consultant who believes that ‘security by design’ has only
“been addressed in a limited way as only a few leaders
recognise the issue and manufacturers do not ensure the
products are secure, despite the PR.”
A company director cited cyber risk as “one of our main
reasons for inaction” when it comes to installing smart
technologies.
A health and safety professional offered a balanced view of
the risk, saying that “while no critical systems are likely to
An atrium in Google’s Dublin office; the search giant’s Sydney office was hacked in 2013
15 A trend report from IFSEC Global
be integrated” into smart networks “anytime soon, outside
influences potentially being able to make changes via
networked tech, even if it only means switching the lights
off, can be a costly nuisance.”
X-Force tips for a secure, smart building:
•E nsure that all your device software is up to date as
new security issues are found every day
•E
 mploy IP address restrictions or firewall rules to
prevent connections to vulnerable ports
•E
 mploy a whitelisting approach when designing a
BAS network infrastructure, but be aware that firewall
rules on their own are not always enough to prevent
attacks. Additional controls should be used when
needed
• If there is no business justification for remote access,
disable remote administration features on building
automation system devices. If remote access is
required for business reasons, strengthen controls
around logins
•N
 ever reuse or share passwords between devices,
and avoid making these passwords predictable. Also,
never store passwords in clear text
•E
 mploy secure engineering and coding practices for
authentication control, execution of shell commands
and password encryption
•S
 ecurity incident and event management systems
(SIEMs) can be used to scan network activity between
the router, the BAS system and embedded devices to
identify suspicious activity on the network
Conclusion
“Solving issues related to data privacy, security and
interoperability of devices with wireless protocols is the key
to surpassing the smart building industry’s IoT expectations.”
Frost & Sullivan
A few short years ago, the internet of things was little more
than a talking point – something halfway between a thought
experiment and a prophecy.
But IoT is now very real and its potential impact profound.
Globally, smart building technology could reduce emissions
by 1.68 GtCO2e [gigatonnes of equivalent carbon dioxide],
create £201bn of energy savings and slash carbon costs by
£31.1bn by 2020.
The convergence of open communications protocols for
building control assets and IT infrastructure is providing
building owners, facility managers and building occupants
with countless options at startlingly low prices.
However, there are still many hurdles to overcome. The
buildings sector is slow to adopt new technology: a 15-year
cycle for commercial buildings is not uncommon. There
is a clear lack of incentives for developers and owners
to invest in smart-building technology. With significant
capital expenditure, it can be difficult to justify the long
The convergence of open
communications protocols for building
control assets with IT infrastructure
is providing countless options at
startlingly low prices
16 A trend report from IFSEC Global
returns purely from a business perspective. The absence of
industry-wide standards, meanwhile, is unlikely to change
any time soon.
On top of all this, there remains a clear need to educate
end users about the benefits and limitations of smart
technologies. Expectation levels among facilities
managers are often higher than what can be practically
achieved with available technologies. This often
undermines trust in vendors and supresses demand for
building automation systems.
However, with the right equipment, infrastructure and
solutions, building owners and facility managers can
enjoy future-proofed building control systems that yield
discernible benefits in the short, medium and long term.
The Smart Zone at IFSEC International 2017
IFSEC International will feature leading providers
of smart building technologies and presentations
on buying, integrating and operating smart
technologies between 20-22 June 2017 at ExCeL
London.
You can learn about the latest trends and innovations
in smart buildings and home automation in the Smart
Theatre or check out cutting-edge products and
solutions from exhibitors including: Honeywell ACS,
ASSA Abloy, Paxton Access, TDSi, Sony Europe and
Axis Communications.
Click here to find out more and you can get your
free badge to attend IFSEC 2017 here.
 ifsec.co.uk

Join the critical global

security conversation.
IFSEC International is the only place that brings together stakeholders from
every role within security, giving them the platform to witness and showcase
innovation and ignite collaboration to tackle the world’s most significant
challenge.

IFSEC will be returning to ExCel London from the 19-21 June 2018, welcoming
over 27,000 visitors and 570 exhibitors. This year, IFSEC’s 40-year heritage as a
physical security show will mature to a high-level, integrated security summit to
foster the necessary strategies to achieve global safety.

Get hands on with the integrated security solutions of the future, with more than
10,000 solutions on show from suppliers spanning security’s global technology
leaders to pioneering tech innovators.

Avoid missing out!

REGISTER TODAY