Cybersecurity: Best Practices for Securing Buildings

The desire for smart buildings is well-founded and worth working towards. Smart buildings react intuitively to what users and operators need based on past learning experiences as well as real-time data and future predictions. These buildings are not only a place for us to work, live and play but become a part of the overall experience. And, they make the experience better. At least in theory.

Cybersecurity enthusiasts have been cautious about smart buildings from day one. Less than two decades ago, companies were concerned about employees bringing personal wireless devices, i.e., cell phones and laptops, into the office and connecting them to the network. These personal devices were the wild west for IT teams – who knew what risky software had been unknowingly installed on them that could, once connected to the office network, send out private data or allow access to outside groups? Over the years, it has become commonplace for people to bring in their own devices, and IT teams educate their users to the best of their ability about how to stay safe. As work now often takes place outside of offices, the lines between work and personal devices are more blurred than ever.

Now, IT (information technology) teams must partner with OT (operational technology) teams. These operational teams used to work in a completely separate silo, as building operational systems were not connected to other networks. When BAS (building automation system) and IoT technologies are integrated, facility managers have greater monitoring and control when operating building systems, so there is an important reason for merging these two data-filled areas. Today, however, the IoT and the increasing number and type of devices connected within a space open up buildings, and the people connected to the system, to new risks.

If building owners think their buildings are not attractive to criminals, think again. 63 percent of all data breaches in 2020 were financially motivated, according to Government Technology Magazine, and the FBI estimates that 4,000 ransomware attacks occur daily. The FBI predicts that this year a business will fall victim to ransomware every 11 seconds. “Ransomware attacks are in the process of morphing from spray-and-pray phishing blasts to highly targeted and extremely damaging network-wide infections that can cause days or weeks of downtime for a whole organization,” said Stu Sjouwerman, founder and CEO at KnowBe4.

A 2019 Kaspersky report revealed that almost 40% of 40,000 smart buildings had been impacted by a cyberattack. Many of these cyberattacks tried to compromise computers controlling the BAS. For example, using phishing emails, hackers can gain entry into OT systems such as HVAC and then use them as entry points into data centers and corporate IT networks. Studies have also shown that 57% of IoT devices are vulnerable to medium- or high-severity attacks.

Attacks are getting creative, too. A casino was hacked through a smart fish tank, and the breach was only discovered after 10 GB of data had been sent out. The fish tank was hooked up with sensors to monitor temperature and salinity and to automate feedings – not unlike many of the smart sensors used to monitor and modify the environments for other living things, like people within buildings.

The threat is real, but what’s the best way to avoid a disaster? Well, they say that the “S” in IoT stands for security… There’s another saying called the Five P’s: “Proper Preparation Prevents Poor Performance.” The best way to prevent an attack is to get ahead of it and think of cybersecurity when your smart building is being retrofitted or designed. Don’t add something new to your building because it’s cool or fun to have without doing the proper research on how to do it right. It could really pay off in the end.

There are many different types of technology out there, but many of them are designed solution-first. Consequently, security is an afterthought. In today’s advanced cybercriminal landscape, security needs to be involved at every step as a building makes upgrades, no matter how big or small.

Beyond a focus on preventing entry and extraction of data, the type of data made available is another important area to secure. In accordance with GDPR laws, Envio does not store any personally identifiable data. We process Customer Data only for the provision and operation of our Services unless otherwise required by applicable law, in which case, Envio shall inform Customer of such legal requirement before carrying out the processing. All data collected is aggregated and used for the advancement and improvement of the services we provide.

Our hardware is also made with security in mind. The TRIA is a device coordinator ensuring rapid and encrypted communications between web server and controllers. The TRIA gateway can consolidate any existing system (BMS, EEMS, FMS, etc.) and all data collection is in compliance with GDPR policy. Please view the privacy policy at for more information.

The damage from cybersecurity attacks can be devastating, and knowing the right way to move forward to protect your building, your people, and your data might seem intimidating if not overwhelming. Fortunately, experience is a great teacher and we’re well-prepared to help you on your journey to a smart building that is better for you, your occupants, and the planet. Contact us to see how to get started.
