Security by Design: smart buildings can’t do without it!

Opinion column published on December 8, 2023 on Journal du Net.


Intelligent buildings represent an undeniable opportunity to reinvent the long-established property sector. Designed as service platforms, these buildings are proving to be extremely promising at a time when businesses are undergoing digital and environmental transformation: optimising the use of workspaces, improving their energy efficiency, enhancing the quality of life and user experience for their occupants, and so on. A sea of promise in this quest for ever more efficient, virtuous, service-oriented and attractive buildings. But all the connected objects on which these innovations are based have also made them more vulnerable to the risks of cyber-attack to which they are exposed. Implementing a Security by Design strategy has therefore become a crucial issue for businesses and connected buildings.


The extent of the damage


Worldwide, there is a cyber attack every 11 seconds, with losses of around €20 billion every year*. In France, almost one company in two was the victim of a cyber attack in 2022, with losses estimated at €2 billion**. Two-thirds of the SMEs and SMIs attacked risk disappearing within two years of the attack. The figures are unanimous as to the scale of cyber attacks and the amplification of the phenomenon which, according to PwC, has become the number one risk facing business leaders worldwide. This is confirmed by the latest report from the European cyber security agency (ENISA)***, which documents the cyber attacks observed in the first half of 2023. And the situation is only getting worse with the development of smart buildings and smart cities, where the growing interconnection of infrastructures and connected objects is opening the floodgates to cyber attacks at a time when the general level of security is still low. The consequences are material damage, but also intangible damage such as data theft, ransom demands and paralysis of information systems (IS). And that’s not counting the reputational damage for these organisations – companies, local authorities or public services – which don’t know what to do to guarantee the security of their buildings, their data, their business and their employees.


Prevention is better than cure


As the white paper Cyber security for commercial buildings**** rightly points out, while risk is inherent in any activity, so too is the need for trust. It is a quality factor. Building information systems are no exception: as infrastructures interconnecting resources and generating data, they must, like any other IT system, be protected, right from the design stage. This is known as “Security by Design”, and is essential for a number of reasons.

The first seems obvious: designing security into a project from the outset reduces the risk of cyber attacks and security breaches because vulnerabilities are identified and dealt with upstream. Obvious as it may seem, it is far from the norm. According to a study by Trellix published at the end of November*****, CISOs still take a mainly reactive approach, with their management’s willingness to support cyber security often only becoming apparent after a cyber attack!

Incorporating cyber security into the design of a building is also much more cost-effective than adding it after the building has been brought into service. The building is adapted to its intended use from the outset, and the cost is amortised within the investment in property equipment, making the building more innovative and competitive.

Last but not least, the Security by Design approach contributes to greater satisfaction thanks to good continuity of services, which leads to greater confidence on the part of users, customers and stakeholders.


Expertise, training and common sense in action


Implementing a Security by Design approach must be part of a proactive strategy that is carefully thought through upstream, with a building security policy that includes digital uses from the outset.

To be compliant and resilient, operators first need to have identified their expectations and needs in terms of information systems, so that cyber security can be integrated into IT asset management, access management, vulnerability and incident analysis, and patch management.

This strategy must also result in a deployment plan that meets the challenges of protecting personal data: a “Privacy by Design” approach that complies with the GDPR (RGPD), to guarantee the protection of the data of organisations, businesses and individuals.

It must encompass preventive (awareness-raising), dissuasive and corrective aspects, including a monitoring component via a Security Operations Centre (SOC) with the capacity to escalate and process alerts in the event of an incident or intrusion.

It is a path that is both strategic and operational, based on technology, expertise, training, governance, finance and so on.

This will be a tedious process unless it is accessible and based on common sense. It is imperative to minimise the complexity of Security by Design and to avoid a technological mille-feuille of stacked tools by favouring interoperable, manageable and packaged solutions. The cyber solutions chosen must be recognised and certified by ANSSI, meet the market’s cyber security standards, and come with local, accessible and responsive support. The choice of partner is key.

As far as centralised access management is concerned, the key word will be to authorise only what is necessary. A zero-trust approach, strong and exclusive user authentication, and targeted data collection that covers the risk surface will be favoured. We need to be able to check and double-check at any time, by logging every connection to the building’s systems using PAM (Privileged Access Management) and IAM (Identity and Access Management) technologies.
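The access-management principles above (authorise only what is necessary, require strong and exclusive authentication for sensitive actions, and keep a trace of every connection) can be made concrete in a small deny-by-default policy gateway. The following is an added example written for this column, not code from the author, Kardham Digital or any PAM/IAM product; the roles, building endpoints (hvac, lighting, access_control, cctv) and authentication levels are hypothetical values chosen for illustration.

```python
"""Deny-by-default access decisions for building control endpoints, with an
audit trail of every attempt. Constructed example; roles and endpoints are
hypothetical, not a real building-management API."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Explicit grants per role: (resource, action). Anything not listed is denied.
GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "hvac_technician": {("hvac", "read"), ("hvac", "write")},
    "facility_viewer": {("hvac", "read"), ("lighting", "read"),
                        ("access_control", "read")},
    "security_admin": {("access_control", "read"), ("access_control", "write"),
                       ("cctv", "read")},
}

# Actions that change the building's physical state need stronger authentication
# than read-only queries. 1 = password only, 2 = multi-factor.
MIN_AUTH_LEVEL: Dict[str, int] = {"read": 1, "write": 2}


@dataclass
class Session:
    user: str
    roles: Set[str]
    auth_level: int
    # Generic accounts such as "maintenance" are not exclusive to one person,
    # so they are never trusted for state-changing actions.
    shared_account: bool = False


@dataclass
class AuditEntry:
    ts: str
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessGateway:
    audit: List[AuditEntry] = field(default_factory=list)

    def decide(self, s: Session, resource: str, action: str) -> bool:
        """Evaluate one request and record the decision, allowed or not."""
        allowed, reason = self._evaluate(s, resource, action)
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     s.user, resource, action, allowed, reason))
        return allowed

    def _evaluate(self, s: Session, resource: str, action: str) -> Tuple[bool, str]:
        if action not in MIN_AUTH_LEVEL:
            return False, "unknown action"
        required = MIN_AUTH_LEVEL[action]
        if s.auth_level < required:
            return False, f"auth level {s.auth_level} below required {required}"
        if s.shared_account and action == "write":
            return False, "shared account may not write"
        # Union of grants across the session's roles; default is deny.
        granted = set().union(*(GRANTS.get(r, set()) for r in s.roles))
        if (resource, action) in granted:
            return True, "explicit grant"
        return False, "no grant (default deny)"

    def denied_attempts(self, user: str = None) -> List[AuditEntry]:
        """Denied decisions, optionally filtered by user, for SOC review."""
        return [e for e in self.audit
                if not e.allowed and (user is None or e.user == user)]


if __name__ == "__main__":
    gw = AccessGateway()
    tech = Session("alice", {"hvac_technician"}, auth_level=2)
    viewer = Session("bob", {"facility_viewer"}, auth_level=1)
    shared = Session("maintenance", {"hvac_technician"}, auth_level=2,
                     shared_account=True)
    gw.decide(tech, "hvac", "write")      # allowed: MFA plus explicit grant
    gw.decide(viewer, "hvac", "write")    # denied: password-only session
    gw.decide(viewer, "cctv", "read")     # denied: no grant for this role
    gw.decide(shared, "hvac", "write")    # denied: shared account
    for e in gw.audit:
        print(e.ts, e.user, e.resource, e.action, "ALLOW" if e.allowed else "DENY", e.reason)
```

Every decision, including the denied ones, lands in the audit list with a reason, which is the trace a SOC needs to spot a generic account being used for state-changing actions or a viewer probing endpoints outside its role.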


A holistic approach


The Security by Design approach is essential to the cyber security of intelligent buildings, and cannot be achieved without a proactive vision of the risks and a global approach to analysis, data governance, crisis management, incident response and continuous monitoring. The chosen solution must be integrated into the building as a digital project, with a cyber reflex that everyone adopts, in order to achieve the much sought-after confidence.

The approach must involve all players in the value chain: players in the building industry; cyber security and IT players – equipment manufacturers, integrators, service providers; legislators; and users in the broadest sense – employees, management, etc.

Let’s not forget that the worlds of construction and cyber security do not yet speak the same language, and that recommendations, standards and regulations differ from one country to another, making the task of solution providers all the more complex depending on the customers and geographical areas they are addressing.

Security by Design is a recent development in the smart building sector, and there is still a long way to go to understand the concepts, use cases and solutions available. The adoption in January 2023 of the European NIS 2 (Network and Information Security) directive will oblige more than 15,000 companies to tighten their security standards from October 2024. This is an opportunity to look at this approach and turn it to your advantage. The European Union’s finalisation on 30 November of an agreement on cybersecurity regulations for connected products – the Cyber Resilience Act – is a further step towards creating the conditions for safer, more resilient building environments, right from the design stage.

* According to an article in Le Figaro

** According to a statistical assessment by Asterès published in June 2023

*** ENISA Threat Landscape 2023

**** Cyber security for commercial buildings, a white paper produced by the Cyber Building Commission of the Smart Buildings Alliance

***** Trellix study conducted as part of its Mind of the CISO initiative and published in November 2023


Pascal Zératès, CEO of Kardham Digital.