Resilience and Cyber Security of Technology in the Built Environment
IET Standards Technical Briefing
Author: Hugh Boyes CEng FIET CISSP

In November 2011 the Government launched the UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. The strategy acknowledges the importance of a safe cyber environment for business. Cyber-crime is today the world’s fastest-growing crime sector. Your cyber security is paramount if you are beginning to trade overseas or expanding your overseas business. The cyber risks include viruses, identity theft (spyware, wifi eavesdropping, hacking) and threats to wealth (fraud, identity theft, spam emails). Of special concern to businesses is cyber-crime connected to intellectual property theft.

This report is the first publication of its kind from IET Standards. Its purpose is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems.

www.theiet.org/standards
IET Standards, Michael Faraday House, Six Hills Way, Stevenage, Hertfordshire SG1 2AY

The IET would like to acknowledge the help and support of CPNI in producing this document.

Published by The Institution of Engineering and Technology, London, United Kingdom. The Institution of Engineering and Technology is registered as a Charity in England & Wales (no. 211014) and Scotland (no. SC038698).

© The Institution of Engineering and Technology 2013
First published 2013

This publication is copyright under the Berne Convention and the Universal Copyright Convention. All rights reserved.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may be reproduced, stored or transmitted, in any form or by any means, only with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at this address:

The Institution of Engineering and Technology
Michael Faraday House
Six Hills Way, Stevenage
Herts, SG1 2AY, United Kingdom
www.theiet.org

While the publisher, author and contributors believe that the information and guidance given in this work is correct, all parties must rely upon their own skill and judgement when making use of it. Neither the publisher, nor the author, nor any contributors assume any liability to anyone for any loss or damage caused by any error or omission in the work, whether such error or omission is the result of negligence or any other cause. Any and all such liability is disclaimed.

The moral rights of the author to be identified as author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

A list of organisations represented on this committee can be obtained on request to IET Standards.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with the contents of this document cannot confer immunity from legal obligations.

It is the constant aim of the IET to improve the quality of our products and services. We should be grateful if anyone finding an inaccuracy or ambiguity while using this document would inform the IET standards development team at IETStandardsStaff@theiet.org or The IET, Six Hills Way, Stevenage SG1 2AY, UK.
ISBN 978-1-84919-727-4 (paperback)
ISBN 978-1-84919-728-1 (PDF)

Contents
Participants in the Technical Committee
1 Introduction
2 Background
3 Overview of resilience and cyber security
4 Understanding the threat landscape
5 Resilience and cyber security during specification phase
6 Resilience and cyber security during design phase
7 Resilience and cyber security during construction
8 Resilience and cyber security during operations
9 Managing change – impact on resilience and cyber security
10 Resilience and cyber security during decommissioning
11 Relevant standards
Appendix A – Intelligent building case studies
Appendix B – Twenty critical controls
Appendix C – Glossary

Participants in the Technical Committee
The IET and author wish to acknowledge the support received from representatives of the following organisations in reviewing the drafts of this document:
Arup
Centre for the Protection of National Infrastructure (CPNI)
Corporate IT Forum
Defence Science and Technology Laboratory (dstl)
ECA Group Ltd
General Dynamics UK Ltd
Incoming Thought Ltd
Newrisk Ltd
Symantec
Transport for London

CHAPTER 1 Introduction

Creation of intelligent or smart buildings requires greater integration of systems, both the operational and business systems used by the buildings’ occupants and a wide range of infrastructure systems. This is typically being achieved through the convergence of the technical infrastructure and the widespread use of readily available commercial and open source technologies. Although the initial focus of the designers of intelligent or smart buildings has been on developing solutions to make them more energy-efficient, there is an increasing focus on the interaction of systems.
The drivers for intelligent buildings and thus systems integration arise from the need for new energy-efficient interventions, real-time decision support systems, enhanced building and personnel security, and better management information dashboards that offer easy access to key performance indicators.

The purpose of this technical briefing is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems as those systems become interconnected with the global network that comprises cyberspace. This document is not intended to address the physical hardening of buildings to protect against specific physical threats such as earthquakes, weather or blast.

The document examines different sources of threats across the building life cycle from initial concept through to decommissioning. It considers potential threat agents that could cause or contribute to a cyber security incident and identifies some of the measures that may be appropriate to reduce the risks.

The key points that we highlight in this document are as follows:

● Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.
● Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.
● In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.
● Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or upgraded threats should inform the requirements and design brief.
● From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.
● When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, from the public) and the potential effects of natural causes.
● A serious challenge with some incidents, particularly those that are cyber security-related, may be identifying the cause of an incident. The task is particularly difficult where there is a lack of logs or system logging and audit.
● During the requirements, concept and specification phase of a building project, the resilience and cyber security requirements need to be identified, taking into account the nature and purpose of the construction and the potential threats to the occupants and their business operations. These requirements should include appropriate protection for intellectual property, and commercial or sensitive information.
● During the design phase of a building project, appropriate solutions to the resilience and cyber security requirements should be developed. As part of a design assurance exercise, the proposed design should be assessed to ensure that it has not introduced any new or unforeseen risks.
● Assuring the continuity of intent through the construction phase may require investment in competent resources. During construction of the building, resilience and cyber security issues need to be addressed while managing the supply chain, monitoring design integrity, maintaining physical security and implementing systems security.
● Once the building is in operational use, its resilience should be proactively managed to prevent any unforeseen or emergent loss of resilience and to identify any additional requirements arising from changes in the building’s use.
● The building’s IT systems are at risk from the outset. Application of the 20 critical controls [1] (see Appendix B) can provide protection by detecting reconnaissance, preventing unauthorised access or actions, detecting unauthorised access or actions and mitigating cyber security events.
● When changes to the building, its infrastructure, systems and use are being planned and implemented, the impact on resilience and cyber security should be assessed and appropriate steps taken to address any new or modified risks. This should include assessment of the impact of any decommissioning.

[1] Developed, coordinated and published by the SANS Institute: http://www.sans.org/critical-security-controls [accessed 24 Apr 2013]

CHAPTER 2 Background

2.1 Technology developments in the built environment

Economic and environmental pressures are increasingly affecting the design and operation of the built environment. In a competitive global economy, economic pressures relate to the total cost of ownership, both in terms of capital investment throughout the building’s life cycle and operating costs. These operating costs are not just the costs of facilities management and building maintenance, but also the users’ operational costs that are influenced by the built environment. A building that is operationally inefficient will inevitably have an economic impact on its occupants.
Environmental pressures include the need to reduce energy consumption through increased energy efficiency and to reduce waste. To address these pressures a range of innovative IT-enabled solutions are being developed, as summarised in Figure 1.

[Figure 1 – Intelligent buildings are part of an increasingly integrated built environment. The figure shows Intelligent Buildings alongside Smart Cities, Smart Grid, Smart Homes and Intelligent Transport.]

A key theme in these solutions is the increased IT-based interaction between physical assets with supporting communications, energy and transport infrastructures. Examples of this integration would include an intelligent building interacting with the smart grid to manage energy demand and ensure the most economic use of supply tariffs. In future it could include interaction with urban transport systems to inform building users of the current local transport situation.

This integration affects both the operational and business systems used by the buildings’ occupants and a wide range of infrastructure systems that maintain a comfortable, safe and secure environment. Historically this integration has been difficult due to the proprietary nature of many building systems. However, the increasing adoption of open standards and commercial ‘off the shelf’ products to build these systems, for example TCP/IP networking and the use of commercial operating systems, has made the integration much easier. Unfortunately the use of these technologies can create significant issues from a resilience and security perspective. For example, some software products have ‘remote access’ links inbuilt, connecting them to their suppliers for upgrade and maintenance support by default, and the increasing use of browser-based control interfaces has encouraged some manufacturers to require Internet access to their systems for condition monitoring and diagnostic purposes.
If these remote connections are not adequately protected and managed, they create vulnerabilities and adversely affect system security and resilience.

The greatest economic and environmental benefits are likely to be derived from deployment of new automation and control systems that take information from business systems and data from sensor networks and building systems, to automate routine functions, maintain an optimum environment and achieve improved performance. In an office environment an example of intelligent building technologies could be the management of meeting rooms. If a building management system has access to meeting room booking information, it could be configured to reduce energy use by turning off non-essential equipment in the room and limiting environmental conditioning until the room is required and the first occupants arrive. This would require interaction between building systems and the room-booking service, which may be part of the organisation’s email or operational systems. In a factory environment, similar integration might be used to control the heating and lighting of operational areas based on shift patterns, operational demand and the presence of the workforce in a particular area.

Provided that these features work reliably they can offer significant user benefits, but chaos can result when there are system failures or unwanted/unauthorised human intervention. Therefore, the more complex the technology and the greater the reliance on its fault-free operation, the greater the need will be for integrity, availability and confidentiality from a safety, security and reputational perspective. Any IT system is potentially at risk, regardless of whether it is standalone or part of an integrated system. The increased systems integration required to deliver an intelligent building is therefore not without risk even when carefully managed and monitored. We need to recognise that intelligent buildings are complex systems.
This document outlines the key factors that need to be addressed to identify and manage the resilience and cyber security factors, and risks to an intelligent building.

2.2 What is an intelligent building?

The precise definition of an intelligent building varies around the world. Although there is no agreed definition, there is a common theme – the integration of technologies. For the purpose of this document we define an intelligent building as one that provides a responsive, effective and supportive environment within which an organisation can achieve its business objectives. Intelligent buildings may also be referred to as smart buildings.

Some of the systems that may be integrated in an intelligent building are illustrated in Table 1. The fact that a building contains some of the listed systems does not make it an intelligent building: it is the systems integration to achieve operational efficiencies, energy efficiency, additional functionality or other user benefits that delivers the intelligent element. An issue that potentially increases the operational complexity of managing an intelligent building is the organisational and often contractual boundaries between those responsible for the different elements of infrastructure, building, ICT and business systems. A key principle for an intelligent building is that it needs to be designed and operated so that it provides a safe, secure and resilient environment, and to the extent that is practical, it needs to include a degree of future-proofing.

Table 1 – Systems that may be integrated in an intelligent building

Infrastructure:
  Sensors, Structured cabling, IP network, Wireless*, Plant rooms, Data rooms, Server rooms, Communications rooms, etc.
Building systems (ICS)†:
  Building management, HVAC controls, Access control, Lighting control, Intruder alarm, Security/CCTV, Fire alarm, Water management, Waste management, Utilities, Stand-by generators, UPS
ICT systems:
  Office automation (email, data, Internet)
Business systems‡:
  Enterprise resource planning (ERP), Material requirements planning (MRP), Customer relationship management (CRM), Integrated command-and-control centre, Integrated service/helpdesks
IP-based applications§:
  Media/multi-media (voice, video, music), Telephony (voice, fax, video conferencing, SMS, pagers)

* The term ‘wireless’ is used as a generic term to cover communications and data links that do not require a physical connection; technologies employed include WiFi, Bluetooth, ZigBee, radio, NFC, RFID
† ICS – Industrial Control Systems
‡ Only included to the extent that they are integrated with building systems, for example CRM – Access Control, ERP/MRP – Supply Chain Management
§ Relevant where they interact with building systems or sensors, for example RFID for tracking location of material or assets

An innovative aspect of systems integration is the increasing use of sensors within intelligent buildings. This can range from passive infrared motion detectors, to CCTV motion detection and the use of radio frequency identification (RFID) technologies. By allowing sensors that are usually applied to a single sub-system to be used by other systems, the building can be made more intelligent: for example, the use of RFID tokens to control access to the building or building zones, to provide access to the corporate network and to retrieve documents on communal printers. Another example is the use of building security sensors and CCTV motion detection to operate and control lighting (both internal and external) and in conjunction with environmental monitoring systems to manage heating, shutters, etc.
Appendix A to this document contains some intelligent building case studies, which provide examples of the types of systems integration already occurring and the operational benefits achieved. Currently the ‘intelligence’ is predominantly automation of routine tasks, based on the sharing of information or data, e.g. energy efficiency measures applied to unoccupied rooms.

As technology develops it is likely that significant gains will occur when the converged systems become self-aware, with network-based tools learning over time and responding accordingly. For an intelligent building this could represent the development of a ‘self-preservation’ response, with the systems developing an awareness of relationships between events. An example might be that rather than relying on signature-based analysis to detect malware, attacks or system failures, the intelligent building responds to deviations from system and network behavioural norms, seeking to minimise disruption and alerting an operator to the need for an intervention. With this increased integration and interaction there will be a need to avoid the creation of single points of failure.

Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.

2.3 How does this integration affect building operations?
There are three fundamental issues that need to be considered in respect of the operation of an intelligent building:

● the organisational responsibilities for integrated technical infrastructure;
● the differences in the nature of corporate IT and building systems (ICS);
● the processes, practices and governance, including legal and regulatory compliance, required to operate and maintain the intelligent building in a safe, secure and resilient fashion.

In multi-occupancy buildings there will also be the issue of maintaining the privacy of the occupiers, and where appropriate, their information and data, their staff, visitors or customers.

If there is no integration or interconnection between corporate IT and building systems (ICS), the responsibility for these systems will lie with IT management and facilities or operations management respectively. Integration and interconnection creates a shared responsibility across two often culturally and technically different teams, because a malware incident on a corporate computer could have a significant impact across the entire intelligent building, affecting all the systems.

At a generic level, the differences between the building systems (ICS) and corporate IT systems (ICT and business systems) are shown in Table 2. These differences are significant and inevitably lead to differing operational practices. For an intelligent building, the criticality of a system needs to be assessed in terms of business impact on resilience, physical security and personal safety. A failure to recognise these differences and system-criticality assessments, or to take account of them in the design, delivery and operation phases of an intelligent building, will significantly affect resilience and increase cyber security risks. Where some features are at the very least safety or security critical, they must be adequately protected from unauthorised intervention or access from the rest of the system while being part of it.
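Section 2.2 suggests that an intelligent building should respond to deviations from system and network behavioural norms rather than rely only on signatures, and the paragraph above makes the point that a malware incident on a corporate computer can reach every integrated system. The Python below, added here as an example and not taken from the IET briefing, applies the first idea to the second: it learns which corporate-to-building-system conversations occur during a baseline window and then flags flows at that boundary that were never seen (a new talker or a new port) or whose volume jumps well above the learned norm. The zone ranges, the flow records and the port numbers used for illustration (47808 for BACnet/IP, 502 for Modbus/TCP) are constructed sample data, and the detector is deliberately simple: in a real deployment the baseline would be built from exported flow or firewall logs over a representative period.

```python
"""Behavioural-baseline detection at the corporate IT / building systems (ICS) boundary.

Added example, not part of the IET briefing. Learns which cross-zone
conversations (source host, destination host, destination port) occur during
a baseline window, then flags later cross-zone flows that were never seen and
known conversations whose byte volume spikes. All zone ranges and flow
records below are constructed sample data.
"""
from collections import defaultdict
import ipaddress

# Constructed zone map (assumption): corporate IT VLAN and the BMS/ICS VLAN.
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "bms": ipaddress.ip_network("10.200.0.0/24"),
}


def zone_of(ip):
    """Name of the zone an address belongs to, or 'other' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


# Constructed flow records: (src, dst, dst_port, bytes).
BASELINE = [
    ("10.10.5.21", "10.200.0.10", 47808, 1200),  # BMS head-end polling a controller (BACnet/IP)
    ("10.10.5.21", "10.200.0.11", 47808, 1100),
    ("10.10.5.21", "10.200.0.10", 47808, 1300),
    ("10.10.0.50", "10.10.0.9", 445, 50000),     # corporate file-share traffic, intra-zone
]

OBSERVED = [
    ("10.10.5.21", "10.200.0.10", 47808, 1250),   # matches the learned norm
    ("10.10.7.88", "10.200.0.10", 47808, 900),    # corporate host never seen talking to the BMS
    ("10.10.5.21", "10.200.0.10", 502, 300),      # known pair, but a port never seen (Modbus/TCP)
    ("10.10.5.21", "10.200.0.11", 47808, 60000),  # known conversation, volume far above norm
]


def learn_baseline(flows):
    """Return {(src, dst, port): mean_bytes} for the cross-zone flows in the baseline window."""
    sums = defaultdict(lambda: [0, 0])  # key -> [total_bytes, count]
    for src, dst, port, nbytes in flows:
        if zone_of(src) == zone_of(dst):
            continue  # intra-zone traffic is outside the boundary model
        entry = sums[(src, dst, port)]
        entry[0] += nbytes
        entry[1] += 1
    return {key: total / count for key, (total, count) in sums.items()}


def detect(flows, baseline, spike_factor=5.0):
    """Flag cross-zone flows that deviate from the learned norms.

    Returns a list of (reason, description) tuples, in the order the flows were seen.
    """
    alerts = []
    for src, dst, port, nbytes in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        key = (src, dst, port)
        if key not in baseline:
            alerts.append(("new-conversation",
                           f"{src} ({src_zone}) -> {dst} ({dst_zone}):{port} never seen in baseline"))
        elif nbytes > spike_factor * baseline[key]:
            alerts.append(("volume-spike",
                           f"{src} -> {dst}:{port} sent {nbytes} B, baseline mean ~{baseline[key]:.0f} B"))
    return alerts


if __name__ == "__main__":
    norms = learn_baseline(BASELINE)
    for reason, text in detect(OBSERVED, norms):
        print(f"[{reason}] {text}")
```

Keying on (source, destination, port) rather than on zones alone is what makes the second and third observed flows visible: a new corporate host reaching a controller, or a known head-end opening a protocol it never used, is exactly the kind of deviation that a signature-based tool on the corporate side would not report.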
Table 2 – Comparison of corporate IT systems and building systems (ICS) [2]

Characteristic     | Corporate IT systems                                                   | Building systems (ICS)
-------------------|------------------------------------------------------------------------|---------------------------------------------------------------------------------
Lifetime           | 3–5 years                                                              | 5–20 years
Availability       | Out-of-hours outages often acceptable                                  | Continuous operation typically required for control systems
Time-critical      | Delays often acceptable                                                | May be safety-critical
Patching           | Frequent, can be daily                                                 | Rare
User accounts      | Usually individual users with permissions according to business role   | Often shared functional accounts, based on specific roles, e.g. operator, administrator, engineer
Outsourcing        | Widely used                                                            | Varies, rare for production systems
Antivirus          | Widely used                                                            | Difficult/impossible to deploy
Security skills    | Limited to good                                                        | Often poor or non-existent
Security awareness | General awareness                                                      | Often poor or non-existent
Security testing   | Widely used                                                            | Rarely used and risk of damage to control systems
Physical security  | Generally secure and manned                                            | Generally remote/unmanned

[2] Adapted from Table 5.1 in Protecting Industrial Control Systems from Electronic Threats, Joseph Weiss, 2010, ISBN 978-1-60650-197-9

An example of the difference between systems is the practice of allowing users to access removable media (CDs, DVDs, USB drives) from their desktop or laptop computers, which may be acceptable on the corporate IT system, where antivirus and anti-malware is installed, but is best avoided on the building management network where not all computers can be protected in this way. The practices for dealing with a compromise may also differ significantly. The New York Times, [3] for example, simply replaced all compromised computers on its corporate network when faced with a serious threat. Removing a virus or malware from a building management system may be significantly more complex, however, given that some electronic sensors or components will be embedded in many different major components and sub-systems. The problem may be further exacerbated by the potential age of the systems and the need to maintain building operations.

[3] http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html [accessed 24 Apr 2013]

Historically, industrial control systems (ICS), including the subset that comprise building systems, and corporate IT systems have been managed by operations (including estates) teams and IT teams respectively, with different operational processes, practices and governance. The combination of these organisational boundaries coupled with systems integration and/or interconnection can introduce significant operational complexity and risk into intelligent buildings.

Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.

CHAPTER 3 Overview of resilience and cyber security

3.1 What does resilience mean and why is it an issue?

Resilience is the ability to adapt and respond rapidly to disruptions and maintain continuity of business operations. From a business perspective, resilience is generally about preparing for any potential threat to the delivery of a smooth, steady and reliable service so as to maintain the delivery of critical services. Thus when bad things happen, as they do, the personnel operating the building are expected to minimise disruption to the use of the building. To achieve this goal they should have considered potential causes of disruption, both human and natural, make sure that key systems and processes are maintained to ensure business continuity, and have in place systems and processes to enable timely detection of, and response to, disruptive events.
The concepts of business continuity and disaster recovery are reasonably well understood by organisations in respect of their corporate IT systems and the management of manufacturing or production processes. To ensure the resilience of business operations, the organisation might employ a range of provisions, including: alternate/disaster recovery premises; offsite backups of business-critical data; diverse network and communication routes, etc. This is particularly the case for organisations that are heavily dependent on technology and IT for their business operations.

From a resilience perspective, the threat to business-critical corporate IT systems is generally mitigated and managed through disaster recovery, incident response and business continuity plans. The nature of these plans and the specific measures required to maintain business operations should be determined by the nature of the business, regulatory and legal requirements, and a business impact analysis. Where there is a critical business need to maintain continuity of IT operations, the solution may be to increase redundancy, such as through the provision of duplicate IT systems in geographically separate high-availability data centres.

The resilience of systems, whether they are IT or building systems (for example HVAC), is generally considered in terms of redundancy and their availability under both fault and maintenance conditions. Table 3 illustrates a classification mechanism used for data centres and industrial plants. A building or plant classified as Tier 1 will have minimal resilience, with single points of failure in critical systems. This type of accommodation is likely to be used by organisations that can tolerate some loss of IT or building systems. In contrast, a building or plant classified as Tier 4 will have a high degree of fault tolerance and might be used by an organisation delivering critical national infrastructure services.
A Tier 4 site should be able to accommodate varying levels of scheduled maintenance and systems failure without losing capacity.

Table 3 – Tier classifications for site infrastructure performance [4]

Tier | Description                                  | Performance
-----|----------------------------------------------|-----------------------------------------------------------------------------------------
1    | Basic infrastructure                         | Non-redundant capacity components and single non-redundant connection/distribution paths
2    | Redundant capacity components infrastructure | Redundant capacity components and single non-redundant connection/distribution paths
3    | Concurrently maintainable infrastructure     | Redundant capacity components and multiple distribution paths
4    | Fault-tolerant infrastructure                | Fault-tolerant architecture with redundant capacity systems and multiple distribution paths

[4] Adapted from ‘Site Infrastructure White Paper – Tier classifications define site infrastructure performance’, W. Pitt Turner IV, John N. Seader and Kenneth G. Brill, 2008, The Uptime Institute; available from http://www.greenserverroom.org/Tier%20Classifications%20Define%20Site%20Infrastructure.pdf [accessed 24 Apr 2013]

In the built environment, the need for building systems to be resilient will generally be determined by the operational use of the accommodation. Thus for example data centres and acute health care facilities will have requirements for the continuity of critical building services, whereas a retail outlet or warehouse may only require the provision of emergency lighting to allow safe evacuation of the premises.

In an intelligent building, resilience and cyber security are inextricably linked, because the failure of a building system could have a significant impact on the cyber security of the building.

In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.

3.2 What does cyber security mean?

Cyber security is a broad subject – it is not just about the technology, but has to address a wide range of factors: people, process and governance issues, and their interrelationships. These factors are management issues and are as important in cyber security as the deployment of technical solutions such as firewalls and antivirus software.

One internationally agreed definition for cyber security is ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets’. [5] The aim is that they remain under the control of legitimate users.

[5] From ITU-T X.1205: http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx [accessed 24 Apr 2013]

This definition refers to a couple of terms that perhaps need clarifying:

● the ‘cyber environment’ (also sometimes called ‘cyberspace’) effectively comprises the interconnected networks of electronic, computer-based and wireless systems;
● the ‘organization and user’s assets’ includes connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and the totality of transmitted, processed and/or stored data and information in the cyber environment.

The cyber environment therefore encompasses the Internet, telecommunication networks, computer systems, embedded processors and controllers, and a wide range of sensors, storage and control devices. Although this definition of cyber environment only makes reference to systems, it also includes the information, services, social and business functions that exist only in cyberspace.
Experience shows that even standalone systems and isolated networks are at risk from attacks by malicious users and from the introduction of malicious software via removable media, so physical isolation alone should not be relied on as a control. Cyber security strives to ensure the attainment and maintenance of the security objectives for the organisation's and users' assets against the relevant security risks in the cyber environment. The general security objectives are:

● Confidentiality, including the control and authorisation of access to information or data, for example to protect personally identifiable information, intellectual property and commercially sensitive data such as financial transactions, energy-metering data and production records.
● Integrity, which may include the trustworthy and safe operation of electronic and computer-based systems, their software and associated business processes, the assurance and authenticity of data or information, and the validity and retention of transactions, including their authentication and non-repudiation.
● Availability of the building in general, and in particular of the systems and processes required for its safe, secure and reliable operation. The assessment of availability needs to take into account the impact on the ‘system of systems’ of the failure of a single system, i.e. whether there is a cascading or domino effect.
● Privacy. Although this is often treated as part of the confidentiality objective, the convergence of systems creates additional risks. It is important that personal data remains ‘private’ and that, in any system where data is aggregated, personal data is given the protection required by regulation and/or legislation. An example of such aggregation in a transport terminal is the combination of data relating to individual travellers into ‘passenger data’.

3.3 Why is cyber security an issue?
For both safety and security reasons it is important that an intelligent building meets the general security objectives of its owners, operators and occupiers, thus maintaining the required level of confidentiality, integrity and availability. From legal and regulatory perspectives (e.g. under EU and UK data protection and privacy legislation) there are also requirements to protect personal data. The interconnection and integration of systems from the three categories (i.e. building, ICT and business systems) creates additional risks. Without careful planning, testing and monitoring, the more technology that is added to a building, the more the ‘Law of Unintended Consequences’ [6] may apply to the ‘system of systems’. From a cyber security perspective it is important that the intelligent building is designed and operated so as to minimise and manage the risks to confidentiality, integrity and availability.

The nature of potential threats to intelligent building systems will vary widely and will in part depend on the nature of the building and its occupants or users. Threats to systems include deliberate attacks, unintentional disruption and natural factors. A key difference between the cyber security of corporate IT systems and building systems (ICS) is the focus of protective measures, as illustrated in Figure 2. In part this arises from the differences between the systems that were outlined in Table 2, but it is also influenced by their differing operational priorities.
Figure 2 – Risks arising from compromised systems (figure not reproduced; labels: corporate IT systems – loss of information, denial of service, financial integrity, financial and reputational risk; building systems (ICS) – loss of view, loss of control, impact on systems, safety and operational risk)

In protecting corporate IT systems the emphasis is typically on the prevention of data loss and on threats to the financial integrity of the business, for example loss of intellectual property or customer data, fraudulent transactions and the continuity of business operations. The focus of technical solutions is therefore generally on the protection and control of information, with solutions deployed to address known attack vectors, for example network security, access control, advanced persistent threat (APT) detection and prevention, and encryption.

In building systems (ICS), prevention of loss of control (i.e. the ability to control the process and physical assets) and loss of view (i.e. the ability of an operator or manager to see what is actually happening in the process or systems) are the primary requirements. Prevention of information or data loss is potentially accorded a much lower priority for these systems. The reason for this difference in emphasis is that loss of control or view can lead to significant safety and operational risks: the former could lead to death or serious injury and physical damage to equipment; the latter may ultimately have financial or reputational consequences. System availability and integrity are therefore generally afforded the greatest protection, with mechanisms such as verification of message integrity and the authentication of devices being given a higher priority than encryption of data.

[6] http://www.econlib.org/library/Enc/UnintendedConsequences.html [accessed 24 Apr 2013]

Solutions that afford protection to a corporate IT system may not be an appropriate or optimum solution for building systems (ICS).
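The priority given to message integrity and device authentication over encryption can be shown concretely. The following is an added example, not code from the report or from any product it discusses: a building controller accepts a setpoint command only if the frame carries a valid HMAC-SHA256 tag under a per-device key and a sequence number higher than the last one it accepted from that device. The device names, keys, command text and frame layout are all assumptions constructed for the example. The command itself travels in the clear, so anyone on the network can read it (loss of information, the lower priority in the report's terms), but it cannot be altered, forged from a device the controller does not know, or replayed from a capture without the controller rejecting it.

```python
"""Authenticated building-control frames: integrity and device
authentication without confidentiality (added example, not from the report)."""
import hashlib
import hmac
import struct

TAG_LEN = 32                  # HMAC-SHA256 output length
ID_LEN = 8                    # fixed-width device identifier field
HDR = struct.Struct(">8sI")   # device id, sequence number (big-endian uint32)

# Per-device shared secrets. These keys are constructed for this example;
# in a real deployment they would be provisioned at commissioning and held
# in the controller's key store, one key per device.
DEVICE_KEYS = {
    b"AHU-03": hashlib.sha256(b"example key for AHU-03").digest(),
    b"VAV-117": hashlib.sha256(b"example key for VAV-117").digest(),
}


def build_message(device_id: bytes, seq: int, payload: bytes, key: bytes) -> bytes:
    """Frame a command as header || payload || HMAC(key, header || payload).
    The payload is not encrypted: the aim is that the controller can prove
    which device sent the command and that it arrived unaltered."""
    header = HDR.pack(device_id.ljust(ID_LEN, b"\x00"), seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_message(wire: bytes, last_seq: dict) -> tuple:
    """Validate a received frame. Returns (accepted, reason, payload).
    last_seq holds the highest sequence number accepted per device and is
    updated only when a frame is accepted; that is what makes replay fail."""
    if len(wire) < HDR.size + TAG_LEN:
        return False, "truncated", None
    header, body, tag = wire[:HDR.size], wire[HDR.size:-TAG_LEN], wire[-TAG_LEN:]
    raw_id, seq = HDR.unpack(header)
    device_id = raw_id.rstrip(b"\x00")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device", None
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # compare_digest runs in constant time, so an attacker cannot learn how
    # many tag bytes matched by timing the controller's responses
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag", None
    if seq <= last_seq.get(device_id, -1):
        return False, "replay", None
    last_seq[device_id] = seq
    return True, "ok", body


def demo() -> dict:
    """The cases a practitioner would want to see; returns each outcome."""
    results, seen = {}, {}
    key = DEVICE_KEYS[b"AHU-03"]
    genuine = build_message(b"AHU-03", 41, b"SETPOINT supply_air_temp=18.0", key)

    # 1. genuine frame is accepted, and the command is readable on the wire
    ok, why, _ = verify_message(genuine, seen)
    results["genuine"] = (ok, why)
    results["payload_in_clear"] = b"SETPOINT" in genuine

    # 2. attacker changes the setpoint in transit: the tag no longer matches
    tampered = genuine.replace(b"18.0", b"30.0")
    results["tampered"] = verify_message(tampered, seen)[:2]

    # 3. attacker re-sends the captured genuine frame: sequence not fresh
    results["replayed"] = verify_message(genuine, seen)[:2]

    # 4. frame claiming to come from a device the controller holds no key for
    forged = build_message(b"BMS-99", 1, b"DOOR unlock=all",
                           hashlib.sha256(b"attacker guess").digest())
    results["unknown_device"] = verify_message(forged, seen)[:2]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} {outcome}")
```

Two operational caveats follow from the design: the sequence counters must survive a controller restart (a counter that resets to zero makes every previously captured frame replayable again), and the per-device keys must be unique, since a single shared key lets any one compromised device impersonate all the others.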
In an intelligent building, therefore, infrastructure convergence and systems integration may impose technical and operational constraints on the protective measures employed. Sharing IT infrastructure and integrating corporate IT with industrial control systems (ICS), including building systems, poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Whenever upgrades or new investment are planned, a strategic review of new or changed threats should therefore inform the requirements and design brief.

CHAPTER 4 Understanding the threat landscape

4.1 Who or what might cause an incident?

This section examines different sources of threats in terms of who (or what) might cause an incident. It considers the potential threat agents, which may be individuals whose actions or inactions cause, or could cause, a cyber security incident, or natural factors. For those threat agents with malicious intent, it then considers the groups to which they may belong, because this influences the potential severity and sophistication of the threat. From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be in the building fabric or structure, utilities, infrastructure, systems or processes.

4.1.1 Potential threat agents

The potential threat agents that initiate a cyber security incident are as follows:

● Malicious outsiders: a person or persons unconnected with the building owner, the building occupier or supporting contractors; in essence, someone who does not have privileged access to the building or its systems. A malicious outsider could be a hacker, a cyber criminal, an activist, a terrorist or a state-supported attacker; in all cases the intent is to cause harm or disruption. The attack may be targeted at the intelligent building and/or its occupants, or be indiscriminate, for example malware or viruses.
● Malicious insiders: a person (or persons) connected with the building owner, the building occupier or supporting contractors; in essence, someone who has some level of authorised or privileged access to the building or its systems and puts that access to a use not intended or allowed.
● Non-malicious insiders: a person (or persons) connected with the building owner, the building occupier or supporting contractors who, through error, omission, ignorance or negligence, causes a cyber security incident.
● Nature: this could be solar, weather, animal or insect related, and result in the failure or significant impairment of one or more of the utility supplies or building systems, with a knock-on effect on the systems that enable the correct operation of the intelligent building.

When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, the public) and the potential effects of natural causes.

4.1.2 Potential threat agent groups

Malicious threat agents will generally belong to one of the following groups, listed in order of increasing sophistication and capacity to cause damage and disruption:

● Sole activists: this could be a disaffected employee, or an activist in an organised group who decides to take his or her own action. The severity and sophistication of the threat will be determined by the individual's capabilities. Unfortunately, the ready availability of hacking and denial-of-service tools on the Internet (and in some cases distributed with technical magazines) means that the level of technical understanding required to launch an attack has been significantly reduced.
● Activist groups: the recent activities of some groups demonstrate that when a team of determined activists work together the threat increases, e.g. when they have persuaded naïve third parties to allow the installation of software on their computers, thus magnifying the effect of distributed denial of service (DDoS) attacks.
● Competitors: these are likely to work through third parties, with the aim of harming a rival by stealing intellectual property or disrupting operations to cause financial or reputational loss.
● Organised crime: these groups are well organised and motivated by financial gain, through fraud, theft of intellectual property, attacks on e-commerce and banking systems, and blackmail or extortion. The sophistication of the malware used by these groups is increasing, and there is evidence that they operate on a commercial basis, making their tools available to third parties.
● Terrorists: these groups have demonstrated that they are increasingly IT aware, making use of the Internet to distribute propaganda and for communications. Well-funded groups could take advantage of the services offered by organised crime, seek support from a nation state or encourage their own members to adopt these attack methods. Again, these groups could rely on the various toolkits available for download.
● Proxy threat agents with nation state support: in effect, state-sponsored terrorism, where the proxy party is used to provide deniability. Such a group effectively has the capacity and sophisticated technical support of a nation state, made available by its sponsor.
● Nation states: it is alleged that some nation states are actively involved in cyber attacks on a wide range of organisations to acquire state secrets or sensitive commercial information and intellectual property. During periods of heightened international tension and conflict, these activities may include more widespread attacks, as evidenced by malware such as Stuxnet, Duqu and Flame.

4.2 What harm might an incident cause?

Depending on the nature of the incident, where in the building life cycle it occurs and whether it is deliberate (the motivation of the threat agents), the building owner, operator, occupants and users may suffer significant inconvenience or losses. The losses below should not be considered in isolation, as there may be significant interdependencies between them.

● Commercial losses: these could be consequential losses due to the building being uninhabitable or inoperable, or they could arise from loss of commercial opportunities, e.g. due to commercial espionage during a tender exercise.
● Reputation loss: the higher the profile of the building and its occupants, the greater the potential for loss of reputation. These losses are likely to arise from incidents that cause major disruption or malfunction of the building, loss of personal or sensitive data, or widespread negative publicity.
● Theft or loss of intellectual property: this is of the greatest sensitivity during the specification, design and construction phases of the intelligent building, where particularly innovative techniques or commercially sensitive options are being examined. However, even during the operations phase, including any significant changes or refurbishments, there may be significant volumes of commercially sensitive or proprietary information being handled by the building owner, building operators and support staff.
● Regulatory action: depending on the use of the intelligent building, the failure or malfunction of systems as a result of an incident could lead to regulatory action.
For example, a significant loss of personal data could trigger action by the data protection regulator, and incidents involving serious injury or death could trigger action by health and safety officials.
● IT incidents: following an incident, significant work may be required by IT and operations teams to identify, clean or restore affected systems and to make changes to prevent a repetition. Depending on the nature of the incident, there may also be significant damage to the fabric of the building, the technical infrastructure and non-IT systems, which may need to be repaired before the building can be returned to operational use. This represents an opportunity cost, because the resources involved could otherwise have been deployed on other tasks.
● Contract and service delivery costs: dealing with an incident may require changes to contracts and service level agreements, with a consequential impact on their costs.
● Disruption and recovery costs: if the incident causes physical damage to the building, there may be significant costs associated with the repair and cleaning of affected facilities or assets and their restoration to a fully serviceable condition.
● Investigation costs: depending on the nature of the incident, there may be significant investigation costs associated with the use of digital forensic and engineering specialists to establish the chain of events. This will particularly be the case where law enforcement agencies or insurers need to be involved, as both will want evidence of the cause of the incident.
● Mitigation costs: if the incident leads to loss of availability of the intelligent building or the need to invoke business continuity measures, there are likely to be a range of mitigation costs, e.g. the temporary provision of alternative accommodation, the refund of tickets or the rescheduling of events.
A serious challenge with some incidents, particularly those that are cyber security related, may be identifying the cause. The task is especially difficult where system logging and audit trails are absent or inadequate, so logging and log retention should be designed in from the outset rather than sought after the event.

4.3 How do you assess vulnerability?

The evaluation of vulnerabilities is typically based on a risk management cycle, as illustrated in Figure 3. The assessment generally starts with the identification of a threat agent; examples were discussed in section 4.1. For a particular threat agent the threat types can be identified based on the vulnerabilities they exploit. The existence of a specific vulnerability creates a risk that may damage or impair an asset. Having identified the asset at risk, the exposure can be assessed; this may be financial or reputational loss. The potential exposure is mitigated by putting an appropriate safeguard in place, which should limit the ability of the threat agent to cause a problem. In undertaking the threat assessment, it is normal to assess the likelihood of the risk event occurring, the value of the exposure and the cost of implementing the safeguard.

Figure 3 – Typical risk management cycle (figure not reproduced; the cycle runs: threat agent – causes – threat type – exploits – vulnerability – creates – risk – damages – asset – causes – exposure – mitigated by – safeguard – affects – threat agent)

In considering proportionate safeguards, four options are typically considered:

● Avoidance, e.g. by deciding not to start or continue with the activity that gives rise to the risk.
● Reduction, i.e. taking steps to reduce the impact or the likelihood of the risk occurring, e.g. through controls and protective measures.
● Sharing the risk with another party or parties, e.g. through contracts, outsourcing or insurance.
● Retention, i.e. accepting the risk and taking appropriate steps to manage the consequences, e.g. budgetary provision or business continuity measures.
To illustrate this process in an intelligent building, consider a review of a proposal to replace a number of physically cabled building security cameras with new wireless CCTV cameras. The building contains a number of pieces of expensive equipment and the assessment might consider the following scenario:

● Threat agent – a thief who wants to break into the building to steal equipment.
● Threat type – disruption of CCTV recording to prevent identification following the break-in.
● Vulnerability – the WiFi signals used by the CCTV cameras can be jammed.
● Risk – that jamming is successful, preventing the recording of security events and hindering the investigation of the subsequent criminal activity.
● Asset – the equipment at risk of theft, together with the CCTV recordings that would identify the intruder.
● Exposure – loss of equipment, creating financial loss through the cost of replacement and any consequential losses until the missing equipment is replaced.
● Safeguard – use wired CCTV cameras to cover all points of entry to and exit from the building, and adopt a policy that permits wireless CCTV only in internal areas where there is limited ability to jam or disrupt the network connection from outside the building. Whichever camera type is used, loss of a camera's feed should itself raise an alarm at the monitoring point, so that jamming is detected rather than silently succeeding.

Examples of increased vulnerability for an intelligent building include:

● The potential for deliberate disruption of the systems due to the increased connectivity between systems, particularly where some of the systems connect to networks outside the building, e.g. for network connectivity or remote monitoring functionality.
● The potential for accidental disruption of systems due to the failure of a system or of the building's infrastructure.
● The possibility that unforeseen consequences will arise from unintentional system interactions, e.g. the potential for one system to interfere with the operation of another, under both normal and abnormal operating conditions.
● The potential for unintentional increased vulnerability of one system arising from its connection to, or access from, another system, e.g. where systems operate with different security rules and levels of trust.
● The need to manage access by staff, suppliers, contractors, and building occupants or users to the intelligent building's systems, so as to prevent unauthorised access to sensitive information and unauthorised changes to systems or information.
● The need to understand the consequences of natural phenomena, such as extreme weather, earthquakes, flooding and solar storms, for the operation and integrity of the building systems.

To illustrate the last point, an instructive example of the vulnerability of a complex building was the flooding in October 2012 of a Verizon office in New York by Hurricane Sandy. [7] When the storm surge flooded Verizon's Manhattan office, the underground 90,000 cubic foot cable vault suffered a ‘catastrophic failure’, rendering miles of copper wiring useless and causing severe disruption to north-eastern US telecommunications services while the damage was repaired. In this example the threat agent is nature (the hurricane-induced storm surge), and the vulnerabilities are the failure to maintain a watertight underground cable vault and the failure to anticipate the event and prevent its consequences by relocating the core function away from the flood risk.
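Returning to the risk management cycle in section 4.3 and the wireless CCTV scenario above: the report says it is normal to weigh the likelihood of the risk event, the value of the exposure and the cost of the safeguard. The following added example (not from the report) captures one pass round the cycle as data and compares the four treatment options on their total expected annual cost, i.e. the cost of the treatment itself plus the annualised loss that remains once it is in place. All figures are constructed for illustration, and the method (annualised loss = expected events per year × loss per event, the usual annualised loss expectancy calculation) is an assumption of this example rather than a method the report prescribes.

```python
"""Worked risk management cycle: from threat agent to treatment choice
(added example with constructed figures, not from the report)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One pass round the cycle in Figure 3, captured as data."""
    threat_agent: str
    threat_type: str
    vulnerability: str
    asset: str
    exposure: float      # loss per event (GBP), the 'exposure' in the cycle
    likelihood: float    # expected events per year with no treatment


@dataclass(frozen=True)
class Treatment:
    """One of the four options: avoid, reduce, share or retain."""
    option: str
    description: str
    annual_cost: float          # what the treatment itself costs per year
    residual_likelihood: float  # expected events per year once it is in place
    residual_exposure: float    # loss per event still borne by the owner


def annualised_loss(likelihood: float, exposure: float) -> float:
    """Annualised loss expectancy: events per year x loss per event."""
    return likelihood * exposure


def evaluate(scenario: Scenario, treatments: list) -> tuple:
    """Rank treatments by total expected annual cost, lowest first.
    Returns (untreated annualised loss, ranked rows)."""
    baseline = annualised_loss(scenario.likelihood, scenario.exposure)
    rows = []
    for t in treatments:
        residual = annualised_loss(t.residual_likelihood, t.residual_exposure)
        rows.append({
            "option": t.option,
            "description": t.description,
            "treatment_cost": t.annual_cost,
            "residual_loss": residual,
            "total": t.annual_cost + residual,
            # positive when the treatment saves more than it costs
            "net_benefit": baseline - residual - t.annual_cost,
        })
    rows.sort(key=lambda r: r["total"])
    return baseline, rows


def cctv_example() -> tuple:
    """The wireless CCTV scenario from the report with constructed figures."""
    scenario = Scenario(
        threat_agent="thief intending to break in and steal equipment",
        threat_type="disrupt CCTV recording to avoid identification",
        vulnerability="WiFi links used by the CCTV cameras can be jammed",
        asset="high-value equipment held in the building",
        exposure=40_000.0,   # constructed: replacement plus consequential loss
        likelihood=0.5,      # constructed: one successful break-in every two years
    )
    treatments = [
        Treatment("retain", "accept the risk and budget for losses", 0.0, 0.5, 40_000.0),
        Treatment("reduce", "wired cameras at all entry and exit points", 3_000.0, 0.125, 40_000.0),
        Treatment("share", "insure the equipment (premium, 5,000 excess)", 6_000.0, 0.5, 5_000.0),
        Treatment("avoid", "do not keep the equipment on site", 12_000.0, 0.0, 0.0),
    ]
    return evaluate(scenario, treatments)


if __name__ == "__main__":
    baseline, ranked = cctv_example()
    print(f"untreated annualised loss: {baseline:,.0f}")
    for r in ranked:
        print(f"{r['option']:7s} total {r['total']:>9,.0f}  "
              f"net benefit {r['net_benefit']:>9,.0f}  {r['description']}")
```

The ranking is only as good as the likelihood and exposure estimates, which is why the report asks for the decisions and supporting analysis to be recorded (section 5.2): when a later design change alters either figure, the comparison can be re-run rather than re-argued.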
[7] http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-manhattan-hurricane-sandy [accessed 24 Apr 2013]

CHAPTER 5 Resilience and cyber security during specification phase

5.1 Resilience and cyber security requirements

During the specification phase the project team will develop a specification or design brief for the proposed building, setting out constraints and parameters for the design and outlining the project's objectives, including proposed use and key functional requirements. Work on this initial project brief potentially encompasses three workstreams related to the resilience and cyber security of the planned building:

● establishing the resilience requirements of the building and its systems;
● establishing the cyber security requirements for the building systems; and
● protecting intellectual property and commercial data.

These workstreams should take into account the nature of the building, its profile, proposed use and potential threats. Thus, for example, the potential threats to a new high profile building in a prime city location or a new maximum security prison are likely to differ from those faced by a new environmentally controlled warehouse in an out-of-town industrial park. The cyber security requirements will need to take account of the increasing practice of running physical security systems over the IT infrastructure. [8]

5.1.1 Establishing resilience requirements

Key to achieving a resilient building is the design of building structures that are durable and resistant to fire, flood, seismic events, severe weather events and other potential disasters. Failure to address resilience requirements at the specification stage can lead to significant cost increases or delays during design and construction, or to expensive and disruptive changes once the building is occupied or in operation; in some cases it may not be possible to address the threats adequately, thus increasing the risks to building owners and occupiers.

Resilience requirements should be determined by the building owner or investor based on location factors, the proposed type and use of the building, and the anticipated needs of the occupants. The extent to which resilience requirements and the associated level of availability are affordable should be determined by the business case for construction or modification of the building. Financial pressures may be used during cost reduction or value management exercises to justify reducing or removing resilience or cyber security requirements. This can be a short-sighted decision, because the costs of taking remedial or recovery action may be significantly greater than the savings, and the reputational damage may be irrecoverable.

Resilience requirements should take into account a wide range of factors, including:

● Physical location and environment of the building, in particular any need to assure access, prevent flooding, handle severe weather events, prevent forced entry, etc. These requirements should also address utility supplies and communications, including any need for diversely routed supplies, the quality and reliability of these supplies and the potential for single points of failure.
● Physical design of the building, including the susceptibility of the design to physical damage from natural events (e.g. seismic activity), the durability of the materials used, the robustness of construction, ease of maintenance and repair, and the ability to adapt the building for future reuse under new ownership or occupancy.
● Overall systems availability requirements and the functional criticality of each system, or technical service, to the correct operation of the building. In addition to the functional assessment, the consequences of system failure for the safety and security of the building occupants and assets should be assessed. When considering the building systems, both the physical location and environment of the building and its proposed physical design should be taken into account. For example, for a high availability building such as a data centre, [9] the supply of power to the site is critical, and the reliability of that supply determines the nature of any on-site generation required to provide resilience and continuity of supply.
● Any consequences of integrating building systems with corporate and operational IT systems, including any issues arising from convergence of the technical infrastructure used by these systems.

[8] CPNI is publishing guidance on ‘Physical Security over Information Technology’; see http://www.cpni.gov.uk for further information [accessed 24 Apr 2013]

5.1.2 Establishing cyber security requirements

Cyber security requirements need to be considered in conjunction with the resilience requirements, because there will be dependencies between the two sets. It is important that the relationships between them are taken into account, as failure to address a critical resilience issue could have a significant effect on the cyber security of the building, and vice versa. The building specification should cover both the cyber security requirements and their assurance across the building life cycle.
The cyber security requirements of all building systems should be determined by the building owner or investor, based on the proposed type and use of the building, the proposed design of the building systems and their convergence or connectivity with systems outside the control of the building owner, and any anticipated needs of the occupants. The extent to which cyber security requirements are affordable should be determined by the business case for the construction or modification of the building and its intended or subsequent use and occupation. By identifying and incorporating appropriate cyber security requirements in the building specification, appropriate measures can be considered during design and implemented as part of construction and commissioning. These measures should take into account the level of system integration, both between individual building systems and between the building systems and any corporate and operational systems used by the building occupants. If the building is being constructed on a speculative basis, i.e. without known occupants or tenants, the cyber security requirements will need to be reviewed and potentially updated as the building occupancy is established.

5.1.3 Protecting intellectual property and commercial data

Widespread use of the Internet and email has revolutionised the way that organisations work. The construction industry makes extensive use of these technologies to support collaboration and data exchange on projects. When planning a major construction project, whether new build or refurbishment, steps need to be taken to ensure that adequate cyber security measures are in place.

[9] CPNI Viewpoint 02/2010 – Protection of Data Centres: http://www.cpni.gov.uk/Documents/Publications/2010/2010006-VP_data_centre.pdf [accessed 24 Apr 2013]
In September 2012, CESG, CPNI, BIS and the Cabinet Office launched Cyber Security Guidance for Business, a guide aimed at industry chief executives and board members. [10] The guide draws upon the technical foundations of the 20 critical controls (see Appendix B), and its executive summary indicates that the Government has seen determined and successful efforts to:

● steal intellectual property;
● take commercially sensitive data, such as key negotiating positions; and
● exploit information security weaknesses through the targeting of partners, subsidiaries and supply chains at home and abroad.

As part of this guidance there are ten advice sheets, [11] which outline actions and measures representing a good foundation for improving cyber security. These advice sheets, the ten steps to cyber security, cover:

● information risk management regime;
● network security;
● user education and awareness;
● malware prevention;
● removable media controls;
● secure configuration;
● managing user privileges;
● incident management;
● monitoring; and
● home and mobile working.

Although the degree of implementation of these steps will inevitably vary between organisations depending on the specific risks faced, they represent common key measures that may be used to protect the confidentiality, integrity and availability of the corporate IT systems used during the specification phase. Protection of key information assets, e.g. plans, business cases, designs, tender specifications, financial models and contracts, is essential to maintaining a sustainable and competitive business. This is an issue not only for the building owner or investor, but also for all professionals involved in the specification phase of a project, i.e. architects, lawyers, financial advisers, engineers and lead suppliers. This protection needs to encompass all aspects of confidentiality, integrity and availability.
It could be as financially damaging to lose an opportunity through theft of sensitive data as it would be if critical documents were destroyed or corrupted prior to submission of a bid. Protecting commercially sensitive data is likely to become more complex with the increasing electronic integration of the design and construction supply chains. For example, the introduction of Building Information Modelling (BIM) will enable and require tighter integration of the architecture, engineering and construction industries. [12]

This tighter electronic collaboration has the potential to speed up design, reduce cost and improve competitiveness. However, it will also affect working practices, the sharing of and access to information, intellectual ownership of designs, and the whole digital environment of the construction industry. There is a need for better cyber security during design and construction, as well as during subsequent operation. Unauthorised access to BIM data could jeopardise the security of sensitive facilities, such as banks, courts, prisons and defence establishments, and in fact most of the Critical National Infrastructure.

[10] Cyber Security Guidance for Business, published by CESG, BIS, CPNI and Cabinet Office
[11] 10 Steps to Cyber Security Guidance Sheets, published by CESG, BIS, CPNI and Cabinet Office
[12] ‘Building Information Modelling is digital representation of physical and functional characteristics of a facility creating a shared knowledge resource for information about it forming a reliable basis for decisions made during its lifecycle from earliest conception to demolition’: http://www.cpic.org.uk/en/bim/building-information-modelling.cfm [accessed 24 Apr 2013]
5.2 Specifying appropriate resilience and cyber security

The degree of resilience and the level of cyber security protection required by a building should be determined by a number of factors, including:

● location;
● physical environment;
● profile and attractiveness as a target;
● planned use/function, including any particular safety or physical security requirements;
● nature of occupiers/users;
● any legal or regulatory requirements;
● whether it is a single or multi-occupancy building;
● construction materials and overall design;
● complexity and criticality of building systems;
● degree/level of systems integration and convergence; and
● degree of connectivity to systems outside the building.

A project team developing a requirements document and business case during the specification phase needs to conduct an initial threat assessment, taking these factors into account, to identify any safeguards that may be required as part of the design and implementation. A decision to require implementation of a specific safeguard should be reflected in the specification by adding appropriate requirements. During the specification process, decisions should be made as to the acceptable degree of risk from individual threats. These decisions and any supporting analysis should be recorded, because subsequent design decisions may require individual threats to be reassessed. This audit trail will also support the assumptions in the business case regarding any residual financial risk associated with individual mitigated resilience or cyber security risks and their ‘cost–risk balance’. Owners and occupiers need to understand the nature of any residual risks and the level of financial exposure so that they can make informed decisions about the degree to which insurance cover may be required to protect against specific risks.
During the requirements, concept and specification phase of a building project, the resilience and cyber security requirements need to be identified, taking into account the nature and purpose of the construction and the potential threats to the occupants and their business operations. The requirements should include appropriate protection for intellectual property, and commercial or sensitive information.

CHAPTER 6 Resilience and cyber security during design phase

6.1 Designing a resilient and cyber secure building

6.1.1 The design process

As the building project moves through this phase, all aspects of the design will progress through a number of iterations as it evolves from an initial concept design to a detailed technical design. The latter often includes a substantial amount of work by specialist sub-contractors and suppliers. Throughout this phase, building requirements should be analysed, interpreted and elaborated by the project team, with design decisions progressing from an early strategic level to increasingly detailed technical decisions.

Given this progressive evolution of a final design and a need to address resilience and cyber security requirements throughout, workstreams are required to:

● interpret resilience requirements and ensure that appropriate measures are designed in; and
● interpret the cyber security requirements and ensure that appropriate measures are designed in.

As the design evolves, with key decisions being made and more detail becoming available, it is necessary to consider how well specific design options meet resilience and cyber security requirements. It is important that these requirements are addressed in the contractual frameworks as they develop. There will inevitably be tensions arising from the cost of additional space, systems and protective measures required to fulfil these requirements, particularly if these requirements are not well understood.
For example, to deliver mechanical and electrical systems that meet Tier 3 requirements rather than Tier 1 (see Table 3 in Chapter 3), the additional systems cost and complexity may appear unnecessary to a designer. This is often the case where a project team is struggling to stay within a space and cost budget. However, achieving this level of resilience may be an essential feature of the delivered accommodation and is likely to be difficult and expensive to retrofit.

Throughout this phase there is a need to review and update the threat assessments that were used to inform the development of the original resilience and cyber security requirements. As design work progresses, it should be possible to verify, through design assurance, that the proposed technical solutions continue to meet the requirements (see section 6.2).

The design process needs to address the change management of requirements and ensure that there are mechanisms in place to prevent compromise of resilience and cyber security requirements. For example, a shift from single occupancy to multi-occupancy use, or change of use for part of the accommodation, could have significant implications depending on the planned use of the building.

Some technical proposals may require further threat assessments to be conducted, such as where the solution introduces a feature that was not taken into account during the original assessment. An example of this might be the proposed supplier of a major building systems component requiring remote electronic access to a system in order to monitor performance and provide remote diagnostics. If this aspect had not been considered at the specification stage it may require the cyber security requirements to be revisited.

6.1.2 Design considerations

During the design of any complex building there will be a number of strategic choices that need to be taken at an early stage.
These choices are often about the overall architecture, both at the physical level and for an intelligent building at the infrastructure and systems levels. Examples of architectures the systems design authority may have to consider for the building infrastructure include the following:

● truly converged networks, with logical partitions (VLANs) for functional separation of applications/data traffic;
● multiple physical IP networks for estate/premises management, electronic security, building controls, metering and business productivity applications (the networks may be converged in the same physical spaces or managed in separate (or caged) spaces);
● bespoke data communications for building automation/controls, electronic security and metering applications, rather than IP networks;
● use of physical (cable or fibre) versus wireless networking infrastructures.

The decisions about the most appropriate technology to use should not be made solely from a cost and performance perspective, but also need to take into account factors such as the safeguards required when IT infrastructure, telecoms and IT applications are partially or fully outsourced.

As part of an integrated design there may be requirements to interconnect systems with differing criticalities or security requirements. The standard ANSI/ISA-99 (Security for Industrial Automation and Control Systems) introduces the concept of Security Zones and Conduits to control access between Zones. The standard defines a Zone as a grouping of logical or physical assets that share common security requirements. Each Zone will require a Security Level Target (SLT) based on factors such as equipment criticality and consequence of loss or failure. Equipment in a Zone has a Security Level Capability (SLC); if that capability is not equal to or higher than the SLT, extra security measures, such as additional security technologies or policies, must be provided.
The Conduits between Zones should provide protection by resisting denial-of-service (DoS) attacks, preventing transfer of malware, shielding equipment in the Zone and by protecting the integrity and confidentiality of network traffic. Any communications between Zones must be via a Conduit. The use of Conduits can increase the SLC for all equipment in the connected Zone.

Figure 4 illustrates an approach using Zones and Conduits to allow data from the building systems local site computer to the business systems. In this illustration a data diode (a one-way traffic regulator) is used to create a one-way flow of data from the local site computer to ICT systems in a DMZ (‘demilitarised zone’) protected by a firewall. The business systems are able to communicate via the firewall to collect data, but due to the use of the data diode they cannot communicate with or control the building systems.

[Figure 4 – Security Zones and Conduits. The figure shows six levels, grouped into ICT System and Building Systems: Level 5 Business System (centralised ERP, ERM, CRM, C&C, Helpdesk); Level 4 DMZ (Office Automation, Media, Telephony), with the Firewall; Level 3 Local Site Computer, with the Data Diode; Level 2 Control Systems (PLC, SCADA, ICS); Level 1 Critical I/O Infrastructure; Level 0 Sensors, Actuators, Motors.]

Figure 4 demonstrates a building management systems (BMS) application with network segregation (the firewall) and secure gateway protection (the data diode) as an example of securing safety critical BMS infrastructure from external threats and vulnerabilities in a manner compliant with ANSI/ISA-99.

6.2 Design assurance

In complex technical systems a large percentage of failures and anomalies that occur during implementation and operation are attributable to errors or omissions originating in the design process.
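As an added illustration of the Zone, Conduit, SLT and SLC concepts above (example code written for this page, not part of the IET briefing or of ANSI/ISA-99), the following Python model performs two checks a design reviewer would want to run against a layout like Figure 4: whether every item of equipment meets the Security Level Target of its Zone, and whether a proposed flow between two Zones is permitted by a Conduit, with the data diode enforcing one-way traffic from the local site computer towards the DMZ. Zone names follow the figure; the numeric SLT and SLC values and the device names are constructed assumptions.

```python
"""Added example for section 6.1.2: a small model of the ANSI/ISA-99 ideas of
Security Zones, Conduits, Security Level Target (SLT) and Security Level
Capability (SLC). Zone names follow Figure 4 of the briefing; the SLT/SLC
numbers and device names are constructed assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    slt: int                                        # Security Level Target for the zone
    equipment: dict = field(default_factory=dict)   # device name -> SLC


@dataclass
class Conduit:
    """A controlled communication path between two zones.
    one_way=True models a data diode: traffic passes from src to dst only."""
    src: str
    dst: str
    kind: str
    one_way: bool = False


class ZoneModel:
    def __init__(self):
        self.zones = {}
        self.conduits = []

    def add_zone(self, zone):
        self.zones[zone.name] = zone

    def add_conduit(self, conduit):
        if conduit.src not in self.zones or conduit.dst not in self.zones:
            raise ValueError("conduit must join two defined zones")
        self.conduits.append(conduit)

    def equipment_needing_extra_measures(self):
        """Equipment whose SLC is below the SLT of its zone cannot meet the
        target on its own; extra technologies or policies must be provided."""
        gaps = []
        for zone in self.zones.values():
            for device, slc in sorted(zone.equipment.items()):
                if slc < zone.slt:
                    gaps.append((zone.name, device, slc, zone.slt))
        return gaps

    def flow_allowed(self, src, dst):
        """Traffic between zones is permitted only through a conduit; a
        one-way conduit (data diode) never permits the reverse direction."""
        if src == dst:
            return True
        for c in self.conduits:
            if c.src == src and c.dst == dst:
                return True
            if c.src == dst and c.dst == src and not c.one_way:
                return True
        return False


def figure4_model():
    """Zones and conduits laid out as in Figure 4 of the briefing.
    The SLT and SLC values are constructed example numbers."""
    m = ZoneModel()
    m.add_zone(Zone("business", slt=1, equipment={"erp": 1, "helpdesk": 1}))
    m.add_zone(Zone("dmz", slt=2, equipment={"historian": 2}))
    m.add_zone(Zone("building", slt=3,
                    equipment={"local_site_computer": 3, "plc": 2}))
    # Firewall between business systems and the DMZ: two-way, controlled.
    m.add_conduit(Conduit("business", "dmz", "firewall"))
    # Data diode from the building systems into the DMZ: one-way only.
    m.add_conduit(Conduit("building", "dmz", "data diode", one_way=True))
    return m


if __name__ == "__main__":
    model = figure4_model()
    for gap in model.equipment_needing_extra_measures():
        print("zone %s: %s has SLC %d but the zone SLT is %d" % gap)
    for path in [("building", "dmz"), ("dmz", "building"),
                 ("business", "dmz"), ("business", "building")]:
        print("%s -> %s: %s" % (path[0], path[1],
                                "allowed" if model.flow_allowed(*path) else "blocked"))
```

Run as a script it reports the PLC as the one device below its Zone's target, and shows that the DMZ can never initiate traffic into the building Zone and that the business Zone has no direct path to it at all, which is the property the text attributes to the data diode.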
By implementing a design assurance process, steps can be taken to identify and resolve undiscovered or unidentified design risks and issues, with the aim of addressing them as early as possible in the design phase. The design assurance process has two principal functions:

● to ensure that the proposed design appropriately addresses the specified requirements;
● to ascertain that the requirements and the proposed design are complete and have not introduced any new or unforeseen risks.

A design assurance process should be an independent, formal, systematic process that complements the design team’s work and increases the probability that a design conforms to agreed requirements and meets the foreseeable operational needs of the building’s owner, occupiers and users. At this stage it should be an exercise based on examination of a range of material including architectural and engineering drawings, systems models, technical analysis and specifications, security and implementation strategies.

The design assurance aims to ensure that the resilience and cyber security requirements are addressed adequately by the design and associated engineering documentation supporting the procurement, manufacture/build, configuration, test/acceptance, operation and maintenance of the building and its systems.

During the design phase of a building project, appropriate solutions to the resilience and cyber security requirements should be developed. As part of a design assurance exercise the proposed design should be assessed to ensure that it has not introduced any new or unforeseen risks. Assuring the continuity of intent through the construction phase may require investment in competent resources.
6.3 Protecting intellectual property and commercial data

As outlined in section 5.1.3 there is a continuing need to protect adequately the intellectual property inherent in the design and the commercial confidentiality of any procurement processes and contract negotiations. The design phase is likely to see a significant increase in the number of collaborating organisations, particularly once specialist contractors become involved in the design process.

CHAPTER 7 Resilience and cyber security during construction

7.1 What needs to be addressed during construction?

A particular challenge during this phase is establishing and maintaining appropriate security for the technical infrastructure and building systems without unduly hindering the construction and fit-out teams. Resilience and cyber security consequences of an action or inaction by a contractor may not be apparent initially but could have serious cost and schedule implications if an agreed safe and secure design is compromised, requiring rework during occupation.

A number of issues need to be addressed regarding the resilience and cyber security of the building during construction:

● managing the supply chain;
● monitoring design integrity;
● maintaining physical security;
● implementing systems security.

Handling of these issues may be complicated by contractual relationships between the building owner, the design team, construction contractors and the planned building occupants. The situation may be exacerbated if it is unclear who is responsible for decisions and governance related to the building’s resilience and cyber security.

During construction of the building, resilience and cyber security issues need to be addressed while managing the supply chain, monitoring design integrity, maintaining physical security and implementing systems security.
7.2 Managing the supply chain

The transition from design to construction phase will result in a significant expansion in the number of individuals involved in the project. Contracts and sub-contracts are let for materials, systems and services required for construction, fit-out, commissioning and preparation of the accommodation ready for occupation and use. The contracts and sub-contracts need to address the security and resilience issues, with steps taken to ensure that they are handled in a consistent manner and managed at the most appropriate level in the contracts hierarchy. It is important that they are not simply pushed down the contractual chain, because small sub-contractors may have little interest in, understanding of or control over key vulnerabilities and design decisions.

Site offices will have a steady turnover of personnel, bringing with them a variety of personal and storage devices, and connectivity to a range of external systems. The contracts and site operating procedures should define responsibilities and acceptable practice to address the risks associated with the frequency of personnel changes. These controls should be applied to permanent staff of all construction and site contractors and to all agency personnel. This may have human resource implications if changes are required to standard employment contracts and acceptance of monitoring of systems use.

Appropriate measures should be established to protect intellectual property and commercial data, both from threat of theft and from unauthorised change or destruction. These threats can arise from insiders, external hackers and the introduction of viruses or malware onto the site or suppliers’ equipment and networks. On a large or complex site, controlling these threats is difficult given the number of companies and contractors involved, and the inevitable differences in contractual terms and responsibilities.
A potential lack of clarity as to who is responsible for cyber security within the overall construction team may further exacerbate the problem.

There is an increasing need to ensure quality and integrity of all supplied equipment, systems and software. With initiatives like the UK Trustworthy Software Initiative, some steps are being taken to improve the quality and integrity of software. With pressure to keep costs down, suppliers are encouraged to source ‘best value’ hardware and software; this is often interpreted as the cheapest source of a particular component, software package or piece of technical equipment. However, this increases the risk that the purchased item may be counterfeit. A study by Microsoft found that cyber criminals had infiltrated an insecure supply chain to introduce counterfeit software embedded with malware onto brand new computers.13 Microsoft claim that 20 per cent of the computers sampled were infected with malware.14

Counterfeiting is not limited to software. Studies by the Alliance for Gray Market and Counterfeit Abatement (AGMA) indicate that there is a significant volume of counterfeit technical hardware sold every year.15 It is estimated that up to 10 per cent of IT products sold may be counterfeit. A report by the US Bureau of Industry and Security on behalf of the US defence industry found that ‘The rise of counterfeit parts in the supply chain is exacerbated by demonstrated weaknesses in inventory management, procurement procedures, recordkeeping, reporting practices, inspection and testing protocols, and communication within and across all industry and government organizations.’16 This is an important issue for intelligent buildings because the use of counterfeit components could lead to premature systems failures and create significant cyber security weaknesses in the delivered systems.

7.3 Monitoring design integrity

To address implementation issues, changes are often made to the design during construction.
These changes may be required to address new business requirements, to overcome defects or shortcomings in the physical design or to cater for errors that are expensive to fix. For example, when contractors come to install network cabling they might discover a failure to provide a specific cable route for diverse cable routing, and the rectification of this problem may involve significant additional structural work.

It is essential that design change management processes incorporate appropriate assessment of any impacts on resilience and cyber security. In this cable routing example, a failure to provide diverse routes may have significant implications for resilience of affected systems, allowing connections to be disrupted in the event of a fire, accidental damage to a single cable leading to denial of services or external tampering. This may not seem a significant issue to a contractor responsible for the physical works, but may be very significant for facilities managers and building occupiers.

Following physical installation of building systems, there will normally be a period where systems are configured, tested and commissioned with the aim of achieving contractual acceptance and handover to the building owner. This programme of work should be designed to assure the integrity of the design from an overall integrated systems perspective rather than a purely physical perspective.

13 http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx [accessed 24 Apr 2013]
14 http://www.youtube.com/watch?v=mP4LwIPzcvU [accessed 24 Apr 2013]
15 http://www.agmaglobal.org/cms/uploads/news%20releases/current/Four%20Pillars%20FINAL%203-1-12.pdf [accessed 24 Apr 2013]
16 http://www.agmaglobal.org/cms/uploads/BIS%20Survey%20%28January%202010%20final%29.pdf [accessed 24 Apr 2013]
If schedule overruns occurred during the physical construction of the building there may be significant pressure to curtail these activities and then fix any problems during operational use of the building. For buildings with significant resilience or cyber security requirements, curtailing these activities will increase the risk that the system design has not been verified and that operational use may be disrupted by foreseen but untested failure scenarios.

7.4 Maintaining physical security

For health and safety reasons and to prevent theft of construction materials, most building construction sites have a reasonable level of physical security. Although this may be adequate to prevent theft of large items, the building and corporate IT systems will also contain a range of relatively small, high-value components. Once installation of these systems commences, consideration should be given to providing additional security for IT equipment, plant-rooms and communications/networking rooms. This security will also prevent unauthorised access to these systems during the configuration, testing and commissioning activities, i.e. prior to the handover of the building to its occupiers and their support teams. From a cyber security perspective the prevention of ‘tampering’ or addition of unauthorised software or other components is as crucial as prevention of theft.

7.5 Implementing systems security

During the technical implementation of the systems, i.e. once the equipment has been turned on and while it is being tested and configured, systems are vulnerable to hostile reconnaissance and tampering to install backdoors17 and malware. So even though systems are not yet fully operational, steps must be taken to prevent reconnaissance, attacks or future compromise. Many common IT components are supplied from the manufacturers with standard administration accounts preconfigured to use default passwords.
This is a common cause of security weakness in deployed systems, because default passwords are often widely known and many can be found on the Internet. In addition to this basic account/password weakness, steps need to be taken to address other important initial security tasks, such as removing or disabling guest accounts.

17 A ‘backdoor’ is a means to access a computer program or system that bypasses security mechanisms, sometimes inserted by programmers to enable access for troubleshooting, but also created by some malware

It should not be assumed that because the building is not yet occupied, its systems will not come under external scrutiny. Any new connection to the Internet is likely to be scanned as soon as it becomes available. Some of these scans are relatively benign, e.g. those of common search engines looking for new web content. However, other scans by specialist search tools, e.g. Shodan,18 or by potential hackers who are sweeping through particular TCP/IP address ranges, are potentially more serious. The problem is not limited to Internet connections, because an unsecured wireless access point or dial-up modem may be used to gain unauthorised access to the network. Securing the networks and all external connections at an early stage reduces the risk of accidental data loss, and prevents reconnaissance during system configuration, testing and commissioning.

7.6 Preparing for handover to operations

Before completing this phase a critical step is the preparation and handover of the systems documentation to the operations team employed by the building owner or occupier. The design documentation should reflect the ‘as built’ building; i.e. all approved changes have been incorporated into the design drawings and specifications. Without this handover of accurate information it is impossible to operate an effective change management process during subsequent building occupancy.
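The initial security tasks that section 7.5 calls for before handover (changing administration passwords away from the factory default, disabling guest accounts, and not leaving services exposed outside the building while systems are still being configured) can be checked systematically against a device inventory. The following Python script is an added example written for this page, not the briefing's own material: the device records, the hash values and the ALLOWED_EXTERNAL policy are constructed assumptions. It detects an unchanged factory password by comparing the device's current credential hash with the vendor-documented factory-default hash, so no cleartext password is handled.

```python
"""Added example for section 7.5: a pre-handover check over a device inventory
for the initial security tasks the briefing lists, i.e. default administration
passwords still in use, guest accounts still enabled, and services reachable
from outside the building before commissioning is complete.

All device records, hash values and the external-exposure policy below are
constructed for this example; nothing here is vendor data."""
import hashlib


def _digest(text):
    """Hash helper used only to build the constructed example records."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Assumption: each record carries the hash of the device's current admin
# credential and the hash of the vendor-documented factory default, so an
# unchanged password is detected by comparing hashes, not cleartext.
FACTORY_DEFAULT_HASH = _digest("factory-default-placeholder")

DEVICES = [
    {"name": "bms-controller-01",
     "admin_hash": FACTORY_DEFAULT_HASH,          # never changed after unboxing
     "factory_default_hash": FACTORY_DEFAULT_HASH,
     "guest_enabled": True,
     "services": [("https", 443, "building-lan"), ("telnet", 23, "internet")]},
    {"name": "cctv-nvr-01",
     "admin_hash": _digest("site-specific-passphrase-1"),
     "factory_default_hash": FACTORY_DEFAULT_HASH,
     "guest_enabled": False,
     "services": [("https", 443, "building-lan")]},
    {"name": "meter-gateway-01",
     "admin_hash": _digest("site-specific-passphrase-2"),
     "factory_default_hash": FACTORY_DEFAULT_HASH,
     "guest_enabled": True,
     "services": [("http", 80, "internet")]},
]

# Assumed commissioning policy: during configuration and testing only HTTPS
# may be reachable from the Internet; everything else stays on the building LAN.
ALLOWED_EXTERNAL = {("https", 443)}


def check_device(device):
    """Return the list of commissioning issues found on one device record."""
    issues = []
    if device["admin_hash"] == device["factory_default_hash"]:
        issues.append("admin account still uses the factory default password")
    if device["guest_enabled"]:
        issues.append("guest account enabled")
    for proto, port, exposure in device["services"]:
        if exposure == "internet" and (proto, port) not in ALLOWED_EXTERNAL:
            issues.append("%s/%d reachable from the Internet" % (proto, port))
    return issues


def commissioning_report(devices):
    """Map each device name to its list of open issues (empty when clean)."""
    return {d["name"]: check_device(d) for d in devices}


def ready_for_handover(devices):
    """True only when no device has an outstanding issue."""
    return all(not issues for issues in commissioning_report(devices).values())


if __name__ == "__main__":
    for name, issues in commissioning_report(DEVICES).items():
        print(name, "OK" if not issues else "; ".join(issues))
    print("ready for handover:", ready_for_handover(DEVICES))
```

The report is deliberately per-device rather than a single pass/fail so that the items can be tracked to closure by the contractor responsible for each system; handover readiness is then simply the absence of open items.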
There is also an increased risk of system integrity being compromised during maintenance or systems changes, thus reducing resilience and creating the potential for cyber security breaches.

18 http://www.shodanhq.com [accessed 24 Apr 2013]: Shodan is a tool to search for specific computers (routers, servers, etc.)

CHAPTER 8 Resilience and cyber security during operations

8.1 Managing and maintaining resilience

The needs of the building’s users will change and develop over time. It is therefore important that the resilience requirements of an intelligent building are regularly reviewed to ensure that the building and its systems continue to meet the operational needs. Management of this ongoing monitoring can be handled through the business continuity plans for the building and its occupiers.

When undertaking the reviews it is important to revisit the operational and business criticality of both discrete elements of the building and the various business and corporate IT systems that relate to or are located in the building. It is not uncommon to find that over time part of the accommodation, a system or process has become business critical and that it is not adequately protected from a business continuity perspective. This unforeseen or emergent loss of resilience can be addressed once it has been identified as part of a business continuity review.

When the building is in operational use, its resilience should be proactively managed to prevent any unforeseen or emergent loss of resilience and to identify any additional requirements arising from changes in the building’s use.

8.2 Managing and maintaining cyber security

Once it becomes operational the building is exposed to a diverse range of threats. Some will have been foreseen and appropriate measures may be in place to mitigate the risk, whereas others will be new or unforeseen with no effective countermeasures in place.
From a cyber security rather than resilience perspective, the majority of threats are related to attempts to compromise the system, which may originate from threat agents that are insiders or from external parties or systems. In an intelligent building, maintaining resilience and cyber security should be a multidisciplinary team effort involving teams managing building and corporate IT systems and to varying degrees the cooperation of building occupants and users, support contractors and suppliers. As cyber security issues are rapidly evolving, it is likely that many of the technical threats the building will face would not have been seen or experienced at the time the building was designed.

The 20 critical controls, which are summarised in Appendix B, are a list of technical measures that should be implemented by organisations in order to improve cyber defences. The controls can be visualised as providing protection by:

● detecting reconnaissance;
● preventing unauthorised access or actions;
● detecting unauthorised access or actions;
● mitigating cyber security events.

The building’s IT systems are at risk from the outset. Application of the 20 critical controls (see Appendix B) can provide protection by detecting reconnaissance, preventing and/or detecting unauthorised access or actions, and mitigating cyber security events.

8.3 Detecting reconnaissance

Before many cyber security incidents occur there may have been various reconnaissance activities by the perpetrators, where the threat agent is looking for weaknesses to exploit or material to steal. The reconnaissance may involve: connecting an unauthorised device to the network or systems; introducing unauthorised software to allow weaknesses to be probed; or installing backdoors or Trojans. To protect the network and systems it is important to know whether reconnaissance activities have occurred.
This information may also assist in the mitigation and resolution of any subsequent events. Here are some specific control measures that can assist in the detection of reconnaissance:

● creating and maintaining an inventory of authorised and unauthorised devices;
● creating and maintaining an inventory of authorised and unauthorised software;
● performing continuous vulnerability assessment and remediation;
● implementing secure network engineering;
● performing penetration tests and red team exercises.

8.4 Preventing unauthorised access or actions

In the event that a threat agent is trying to compromise the system, the threat may be partly mitigated by secure configuration of the organisation’s networks and systems. For example, the failure to remove or disable guest accounts, the use of default passwords on systems components or the failure to limit access to sensitive files make it easier for threat agents to achieve their objective. Specific control measures that can be used to prevent unauthorised access or actions include the following:

● implementing secure configurations for hardware and software;
● implementing secure configurations for network devices;
● vulnerability assessment and remediation;
● addressing application software security;
● supplying wireless device control;
● implementing malware defences;
● limiting and controlling network ports, protocols and services.

8.5 Detecting unauthorised access or actions

To minimise the impact of any cyber security event it is important that unauthorised access or actions are detected as early as possible so that a suitable response can be initiated. For example, if attempts are being made to steal intellectual property, early detection may allow preventative measures to be taken to minimise the loss.
Specific control measures for detecting unauthorised access or actions include the following:

● maintenance, monitoring and analysis of audit logs;
● implementing boundary defence;
● controlled use of administrative privileges;
● controlled access based on the need to know;
● performing penetration tests and red team exercises.

8.6 Mitigating cyber security events

Should a cyber security event occur, the damage and disruption may to some extent be mitigated by an appropriate response from the organisation. The response will be determined by the skills and training of the team handling the event as well as the ability and preparedness of the organisation to recover systems. It is not only a case of having processes and procedures in place, but also the ability of the personnel involved to implement them correctly and appropriately under pressure. Here are some specific control measures that can be used to mitigate cyber security events:

● regular security skills assessment and appropriate training to fill gaps;
● maintaining a data recovery capability;
● account monitoring and control;
● implementing data loss prevention;
● incident response and management.

The manner in which incidents are handled can have a significant impact on the damage or disruption that occurs. It is important that there is clear assignment of responsibility and roles, that procedures have been tested and that key staff know what is expected of them during and after an incident.

8.7 Addressing the insider threat

The term ‘insider threat’ applies to a malicious threat to the organisation that originates from people within the organisation. These people can be employees, former employees, contractors or suppliers, who are familiar with the organisation’s security practices, policies and procedures, and who have or had access to data and the organisation’s systems.
An insider threat can involve a range of actions causing financial or reputational loss, including fraud; theft of intellectual property, commercially sensitive or personally identifiable data; or sabotage of corporate IT, building or industrial control systems. Insiders may also be implicated in attacks by third parties (criminals, terrorists or competitors seeking business advantage). In these cases the insider may provide assistance to circumvent defences or information on specific measures in place to counter threats.

The damage from insiders can be significant because they may have both detailed knowledge of the sensitivity of the systems or data they are attacking and privileged access that gives them the ability to bypass many protective measures. To address the insider threat, appropriate personnel security measures are required, not just during recruitment processes but on an ongoing basis. Appropriate measures that should be put in place with regard to existing staff include the following:19

● identifying changes in circumstances that make an individual more vulnerable;
● access controls to manage staff access to company assets;
● security passes and access privileges, i.e. controlling access to buildings, sensitive places and systems, so that access is limited to those who genuinely need it;
● management practices, e.g. the implementation of appropriate personnel security procedures and availability of confidential reporting mechanisms;
● manipulation, i.e. ensuring that staff are aware of social engineering techniques and the mechanisms to defend against such attacks;
● protective monitoring of employees’ use of IT systems, which in the UK should be in accordance with the Data Protection Act – Code of Practice: Monitoring Workers’ Activities;
● investigation of cases of non-compliance with security rules to ascertain the facts and take appropriate follow-up action.
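Three of the controls named in sections 8.3 and 8.5 (an inventory of authorised devices, monitoring and analysis of audit logs, and controlled use of administrative privileges), together with the protective monitoring item in the list above, can be demonstrated with a small log analysis routine. The following Python code is an added example for this page and not part of the briefing or of the 20 critical controls material: the key=value log format, the log lines, the authorised MAC address list and the administrator account list are all constructed for the example.

```python
"""Added example for sections 8.3, 8.5 and 8.7: simple detection logic run over
audit log lines. It flags (a) a device obtaining an address that is not in the
authorised device inventory, (b) a successful login that follows a burst of
failed attempts from the same source, and (c) use of a privileged action by an
account that is not on the administrator list.

The key=value log format, the log lines, the authorised MAC addresses and the
administrator accounts are all constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

AUTHORISED_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}  # constructed inventory
ADMIN_ACCOUNTS = {"bms_admin"}                                # constructed list
FAIL_THRESHOLD = 3            # failures within WINDOW before a success is suspicious
WINDOW = timedelta(minutes=5)

# Constructed sample log; timestamps are ISO 8601, remaining fields key=value.
SAMPLE_LOG = """\
2013-04-24T08:00:01 host=dhcp event=lease mac=00:1a:2b:3c:4d:01 ip=10.0.20.11
2013-04-24T08:00:09 host=dhcp event=lease mac=00:1a:2b:3c:4d:99 ip=10.0.20.55
2013-04-24T08:01:00 host=bms-srv event=login user=svc_bms src=10.0.20.55 result=FAIL
2013-04-24T08:01:20 host=bms-srv event=login user=svc_bms src=10.0.20.55 result=FAIL
2013-04-24T08:01:40 host=bms-srv event=login user=svc_bms src=10.0.20.55 result=FAIL
2013-04-24T08:02:05 host=bms-srv event=login user=svc_bms src=10.0.20.55 result=OK
2013-04-24T08:03:00 host=bms-srv event=privileged user=svc_bms src=10.0.20.55 action=setpoint_write
2013-04-24T09:15:00 host=bms-srv event=privileged user=bms_admin src=10.0.20.11 action=schedule_update
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; 'ts' holds a datetime."""
    stamp, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def analyse(log_text, authorised_macs=AUTHORISED_MACS, admin_accounts=ADMIN_ACCOUNTS):
    """Return a list of (alert_type, subject, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent FAILs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        kind = event["event"]
        if kind == "lease" and event["mac"] not in authorised_macs:
            # 8.3: a device outside the authorised inventory has joined the network
            alerts.append(("unauthorised-device", event["mac"], event["ip"]))
        elif kind == "login":
            key = (event["user"], event["src"])
            if event["result"] == "FAIL":
                failures[key].append(event["ts"])
            else:
                recent = [t for t in failures[key] if event["ts"] - t <= WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    # 8.5: success after repeated failures from the same source
                    alerts.append(("success-after-failures", event["user"], event["src"]))
                failures[key] = []
        elif kind == "privileged" and event["user"] not in admin_accounts:
            # 8.5 / 8.7: privileged action by an account not on the admin list
            alerts.append(("privilege-use-by-non-admin", event["user"], event["action"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("%-26s %s (%s)" % alert)
```

Each rule depends on reference data that the organisation must maintain (the device inventory and the list of administrative accounts), which is the practical link between the inventory controls in 8.3 and the monitoring controls in 8.5: without an accurate inventory the first and third alerts cannot be raised at all.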
8.8 The cyber security responsibility paradigm

An issue that exists in any building where there is a converged infrastructure is allocation of responsibility and the boundaries of influence. For example, in Figure 5 where building management, communications and corporate IT services are all delivered using a structured cabling infrastructure, it may be unclear who is responsible for the management of it. Responsibility could rest with the head of IT or with a facilities manager. If there are two cabling systems in use there is an issue as to whether they are physically separate or whether they share cable risers and patch rooms. If they share any space, measures should be implemented to prevent unauthorised connection of the two systems. Where a building is multi-occupancy, this fact changes the responsibility of the building’s facilities manager and the relationships with those responsible for management of tenants’ IT infrastructure.

19 Further advice is available at http://www.cpni.gov.uk/advice/Personnel-security1/Ongoingmeasures [accessed 24 Apr 2013]

[Figure 5 – Cyber security responsibility paradigm. The figure shows two areas: the tenants’ area of assumed responsibility for their own cyber security (IT departments, Data centres, Users), and the developers’/architects’/engineers’/owners’/landlords’ area of ‘policy development’ for cyber security on areas under direct control (CCTV and surveillance, Authentication, Access control, BMS, Comms, Comms distribution and management, Network, External supply, Power, Power management).]

In a complex multi-occupancy building, it is reasonable to expect the building operators (who could be an owner, developer or landlord) to have responsibility for supply and management of ‘services’ over and above their obvious interest in the BMS, fire alarms and building security systems.
If responsibilities are allocated as shown in Figure 5, building operators must take responsibility for cyber security of the building’s technical infrastructure, including delivery of communications and networks to their tenants. The tenants are then responsible for cyber security of their own ‘domain’ at their boundary, serviced by the building infrastructure, i.e. security of their IT equipment, applications and data storage. To manage this interaction between infrastructure and business systems, there should be clear operating procedures and agreed ‘best practice’ in respect of connection to and use of the infrastructure. These procedures should be based on recognised standards for information security management, e.g. ISO 27001.

Adoption of a converged IT infrastructure and the integration of building and corporate technologies create issues related to allocation of responsibility and boundaries of influence. The interaction between infrastructure and business systems should be based on clear operating procedures and agreed best practice regarding the technical integration.

8.9 Legal issues

To maintain the security of the converged systems over the operational life of an intelligent building there will be a continuing need to install countermeasures. If the building is not owner occupied, the lease should include terms that allow the tenants to obtain the landlord’s permission to install the countermeasures and for the landlord to provide reasonable support and assistance in their design and deployment. Where the landlord, or the landlord’s agents or contractors, have access to the converged systems, the lease/tenancy agreements should include appropriate provisions in respect of data protection, human rights (e.g. monitoring and CCTV surveillance) and any requirements for employment contracts to include provisions regarding matters such as appropriate use, confidentiality, etc.
Some of these provisions will also be applicable to visitors to, or users of, the building. For example, where public WiFi access is provided, users should be required to agree to specified conditions of use. Without such agreement there is an increased risk of malicious claims or prosecution for data protection breaches.

CHAPTER 9 Managing change – impact on resilience and cyber security

Change is inevitable during the operational phase of a building’s life cycle. When changes are made there is a risk that they will compromise the resilience and/or cyber security of the building. Impact assessment of building, infrastructure and systems related changes should therefore include any impact on both resilience and cyber security.

It is essential that assessment addresses not only changes to systems and infrastructure, but also physical changes to the building and changes to its local environment. A simple internal change, e.g. a proposal to move internal partitions, may result in unsecured cable ducts becoming accessible in a public area, where previously they were located within a secure area. The implication of this change, which may not have directly affected any IT systems, is that the structured cabling could be exposed to an increased risk of damage or tampering. The impact of this change may not be immediately apparent to the person making the request and may only be detected on detailed examination of building and infrastructure plans.

It is essential that the detailed plans are an accurate reflection of the ‘as built’ infrastructure and not what was originally designed but not built. The detailed plans must be maintained to reflect the implementation of cumulative changes, again with the emphasis on what was actually changed.

Another example is partial decommissioning of a building, where an area is taken out of operational use to be refurbished or remodelled.
The presence of construction contractors in a decommissioned area can increase the risk of damage to building systems, e.g. power, structured cabling, alarm systems, etc. These resilience risks need to be assessed to determine their impact and the potential for business disruption or loss of security. Common problems can include power outages due to the actions of a contractor and false fire or security alarms arising from damage to circuits or sensors.

Before an area is decommissioned and handed over for work to commence, steps should be undertaken to ensure that cyber security is maintained, including the following:

● removal and secure storage or disposal of any special security equipment, e.g. cryptographic systems;
● removal and secure storage or disposal of any systems used to process or store personally identifiable or commercially sensitive data;
● removal and secure storage or disposal of all other IT equipment in the area;
● decommissioning of any public telecommunications network links/services;
● decommissioning of any network or communications links to other company/organisation sites;
● decommissioning of any network or communications links to building management systems;
● removal and secure storage or disposal of all used media, paper records, etc. containing personally identifiable or commercially sensitive data;
● re-routing of sensitive communications and network cabling routes.

During the construction and fit-out, and prior to occupation of the area, the security measures outlined in Chapter 7 should be applied.

When changes to the building, its infrastructure, systems and use are being planned and implemented, the impact on resilience and cyber security should be assessed and appropriate steps taken to address any new or modified risks. This should include assessment of the impact of any decommissioning.
CHAPTER 10 Resilience and cyber security during decommissioning

If an intelligent building is no longer required it should be decommissioned prior to sale or demolition. This will ensure that appropriate steps have been taken to maintain the security of any personally identifiable or commercially sensitive data, without impacting on other ongoing operations of the building owner, support contractors or occupants. The process for managing the decommissioning of an entire building is similar to a partial decommissioning, but should address all connectivity to the building that is not required to maintain it in a safe and secure state until it is reoccupied, refurbished or demolished.

When an entire building is being decommissioned, the impact of changes on infrastructure and systems should be assessed and a decommissioning plan drawn up that takes account of system and infrastructure dependencies. The sequence in which decommissioning changes are made is significant. They should be planned carefully so as to minimise the risk to resilience and cyber security throughout the process.

The insider risk should be assessed throughout the planning and implementation of the decommissioning programme. The changes in personal circumstances brought about by the closure of the building may increase the risk of security breaches or careless mistakes by disaffected employees or contractors.

If the building is leased rather than owner occupied, at the end of a lease provisions covering dilapidations will mean the lessee has to restore the building to the state that it was in when first occupied. Removal of security systems, equipment and cabling, and the inevitable need to make good any damage caused during their removal, can be expensive.
Leaving the items behind may represent a windfall for the landlord, and may also involve costly decommissioning processes to ensure that all personally identifiable data is removed from the systems. These removal and decommissioning costs can represent a disincentive for tenants to install such systems and thus increase the risk of the converged infrastructure being compromised.

CHAPTER 11 Relevant standards

This chapter lists the standards that are relevant to the design and operation of an intelligent building.

11.1 Security standards

Reference | Title/Description
ISO/IEC 13335 | IT Security Management – Information technology – Security techniques – Management of information and communications technology security
ISO/IEC 15408 | Common Criteria for Information Technology Security Evaluation
ISO/IEC 27001 | Information security management systems requirements
ISO/IEC 27002 | A code of practice for information security management
IEC 62443 | Security for Industrial Automation and Control Systems
ANSI/ISA-99.00.01 | Part 1: Terminology, Concepts, and Models
PCI DSS | Payment Card Industry Data Security Standard
NIST IR 7176 | System Protection Profile – Industrial Control Systems – V1.0. Incorporates industrial control systems into Common Criteria
NIST SP 800-82 | Guide to Industrial Control Systems (ICS) Security
NIST SP 800-61 | Computer Security Incident Handling Guide
PAS 97: 2012 | A specification for mail screening and security
BS 7799 | Part 3 – Guidelines for information security risk management
RFC 2196 | Site Security Handbook. From IETF (The Internet Engineering Task Force)
RFC 2350 | Expectations for Computer Security Incident Response. From IETF (The Internet Engineering Task Force)
HMG IA Standard No 1 | Technical Risk Assessment – IA Standard for Risk Managers and IA Practitioners responsible for identifying, assessing and treating the technical risks to ICT systems and services handling HMG information
Supplier Information Assurance Assessment Framework and Guidance | Guidance on how the Supplier Information Assurance Tool (SIAT) question sets and tool specification can be used by suppliers of key business services to the Government
Supplier Information Assurance Tool (SIAT) – Summary | Brief summary of the SIAT Community of Interest set up to drive development of a supplier Information Assurance model. ISAB Approved
CESG IA Top Tips | 2010/01 – DDoS – Distributed Denial of Service; 2010/02 – Importing Data from External Networks; 2010/03 – Basic Web Server Security; 2011/01 – Trusted Platform Modules; 2011/02 – Delivering Services Online; 2011/03 – Mitigating Attacks to Online Services; 2012/01 – Network Access Control

11.2 Operational and safety standards

Reference | Title/Description
IEC 61508 | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
ISO 20000, BS 15000 | IT Service Management Standards. Based on the Information Technology Infrastructure Library (ITIL)
COBIT 5 | A Business Framework for the Governance and Management of Enterprise IT [Control Objectives for Information and Related Technology (CobiT)]

11.3 Technical standards

Reference | Title/Description
ISO 7498 | Information Technology – Open System Interconnection. Part 1 – Basic Reference Model; Part 2 – Security Architecture; Part 3 – Naming and Addressing; Part 4 – Management Framework
ISO/IEC 14543 | Information Technology – Home Electronic System (HES) Architecture. A set of common open standards including the KNX standard, which has been approved as a European Standard (CENELEC EN 50090 and CEN EN 13321-1), a Chinese Standard (GB/Z 20965) and a US Standard (ANSI/ASHRAE 135)
IEC 14908.1 | LonTalk
ISO 16484-5 | BACnet
X10 | An international and open industry standard for communication among electronic devices used for home automation
IEC 61158 | PROFIBUS – Process Field Bus. A standard for field bus communication in automation technology, used by Siemens
MODBUS | A serial communications protocol published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs)
RP-570 | RTU Protocol based on IEC 57 part 5-1 (present IEC 870) version 0 or 1. A communications protocol used in industrial environments to communicate between a front-end computer and the substation to be controlled. It is a SCADA legacy protocol and is based on the low-level protocol IEC TC57, format class 1.2
IEC 60870 – Part 5 | Telecontrol Equipment and Systems. A communication profile for sending basic telecontrol messages between two systems which uses permanent directly connected data circuits between the systems
ZigBee | A low-power wireless mesh network standard

APPENDIX A Intelligent building case studies

A.1 Office building

In the office environment there has been an increasing convergence of infrastructure and systems driven by the economic and environmental pressures to operate the accommodation efficiently, from both user and energy perspectives. The levels of convergence achieved vary considerably, depending on the objectives of the building’s owners, operators and occupiers. Figure 6 illustrates the wide range of systems that are now typically managed over an IP-based infrastructure.
Figure 6 – Convergence of IP-based infrastructure [figure: converged versus multiple proprietary IP networks; building services (HVAC: air-handling units, VAV and CV boxes, exhaust fans, chilled water plant, hot water plant, energy control, CO monitoring, air quality; elevators: elevator retrieval on demand, maintenance; lighting: schedules, scenes, shades, light-level sensing, occupancy sensing; fire/life safety interface: annunciation, view functionality only), accommodation services (security: intrusion detection; energy management: utility monitoring (electric/water/gas/oil), utility purchasing, back-up generation; 24/7 monitoring: plant management, condition monitoring, parking garage utilisation; access/video: building/doors/garage, elevator, occupied suites, asset and personnel tracking; multiple control environments) and business services (communications: voice/video/data; central monitoring and control; networking: fixed/WiFi)]

Traditionally the disparate building systems (e.g. HVAC, CCTV, access control, lighting, energy management) all had their own control, and were often implemented using different methods of cabling. The first step in the convergence process is typically the movement of these systems onto a common cabling and TCP/IP-based network infrastructure. This convergence has led to the adoption of open standards (e.g. LonWorks® and BACnet®)20 to support system interoperability and to allow upgrade or replacement of individual sub-systems over the building life cycle.

Adoption of this building systems architecture allows the use of a common centralised building management system (BMS) to control the individual building systems. These central control facilities are typically implemented via a single browser-based operator interface. Where the building is part of a campus or its facilities management is outsourced, the use of a centralised BMS enables the remote monitoring of the facility via the Internet.
Following on from the convergence of building systems, there are opportunities to derive greater efficiency from the installed building systems. For example, the building’s access control system, passive infrared (PIR) occupancy sensors and images from the security CCTV system may be used to determine when an area is occupied, allowing the level of lighting and environmental conditioning to be automatically controlled. Common examples are in server rooms and network/cabling rooms, which generally operate in a lights-out mode with fire suppression systems enabled. When a technician enters the room the access control system can automatically turn the lights on and turn the fire suppression system off. This level of complexity may bring significant convenience benefits but also carries unintended vulnerability.

From the building users’ perspective, the systems convergence may be visible from the use of smart ID cards for access control, attendance management and retrieval of printing jobs. The shared use of the ID card for these tasks requires interaction between the access control system (a building system), the attendance system (part of the HR systems) and printer queues (part of the corporate IT system). More complex examples include the automated reservation and management of meeting rooms; e.g. building users may book a meeting room using their office calendar application. This data is stored in a central application database and is accessed by the building management system, which then reduces energy consumption by turning off non-essential equipment in the room and limiting the environmental conditioning until the room is required and the first meeting attendees arrive. This example requires interaction between building systems and the room-booking service, which may be part of the organisation’s email, i.e. a corporate IT system.
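The server-room scenario above, where an access-control event switches off the fire suppression system, is a good illustration of the ‘unintended vulnerability’ that integration brings: the safety system now trusts a message from another system. The interlock below is an added example and is not code from the IET briefing or from any BMS or access-control vendor. It models the integration so that suppression is only inhibited for a granted, recent entry by a credential that actually has server-room rights, every inhibit expires on its own, and a fire signal overrides any inhibit immediately. The card identifiers, door name, time limits and the `AccessEvent` message format are all constructed for the example.

```python
"""Fail-safe interlock between access control and fire suppression.

Added example (not from the IET briefing or any BMS product). Card IDs,
door names, time limits and the event format are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTHORISED_CARDS = {"card-1042", "card-2210"}   # constructed: technicians with server-room rights
MAX_EVENT_AGE = timedelta(seconds=30)            # an access event must be fresh to be acted on
MAX_INHIBIT = timedelta(minutes=30)              # an inhibit always expires


@dataclass
class AccessEvent:
    """Constructed shape of the message the access-control system sends."""
    card_id: str
    door: str
    granted: bool
    at: datetime


class SuppressionInterlock:
    def __init__(self):
        self.inhibited_until = None   # None means suppression is armed
        self.fire_detected = False
        self.audit = []               # every decision is recorded for review

    def _log(self, msg):
        self.audit.append(msg)

    def request_inhibit(self, event: AccessEvent, now: datetime) -> bool:
        """Inhibit suppression only for a granted, fresh, authorised server-room entry."""
        if self.fire_detected:
            self._log(f"refused inhibit during fire alarm ({event.card_id})")
            return False
        if not event.granted or event.door != "server-room":
            self._log(f"refused inhibit: not a granted server-room entry ({event.card_id})")
            return False
        if event.card_id not in AUTHORISED_CARDS:
            self._log(f"refused inhibit: card not authorised for server room ({event.card_id})")
            return False
        if event.at > now or now - event.at > MAX_EVENT_AGE:
            # A replayed or stale event must not disable a safety system.
            self._log(f"refused inhibit: stale or future access event ({event.card_id})")
            return False
        self.inhibited_until = now + MAX_INHIBIT
        self._log(f"suppression inhibited until {self.inhibited_until.isoformat()} for {event.card_id}")
        return True

    def fire_alarm(self):
        """A fire signal re-arms suppression regardless of any inhibit."""
        self.fire_detected = True
        self.inhibited_until = None
        self._log("fire detected: suppression re-armed")

    def suppression_armed(self, now: datetime) -> bool:
        """True when suppression would act; expired inhibits are cleared here."""
        if self.inhibited_until is None or now >= self.inhibited_until:
            self.inhibited_until = None
            return True
        return False


def demo():
    """Walk through the constructed scenario and return each decision."""
    t0 = datetime(2013, 4, 22, 10, 0, 0)
    lock = SuppressionInterlock()
    results = {}
    fresh = AccessEvent("card-1042", "server-room", True, t0)
    results["fresh_valid"] = lock.request_inhibit(fresh, t0 + timedelta(seconds=5))
    results["armed_during_inhibit"] = lock.suppression_armed(t0 + timedelta(minutes=10))
    results["armed_after_timeout"] = lock.suppression_armed(t0 + timedelta(minutes=31))
    stale = AccessEvent("card-1042", "server-room", True, t0)
    results["stale"] = lock.request_inhibit(stale, t0 + timedelta(minutes=32))
    outsider = AccessEvent("card-9999", "server-room", True, t0 + timedelta(minutes=32))
    results["unauthorised"] = lock.request_inhibit(outsider, t0 + timedelta(minutes=32))
    again = AccessEvent("card-2210", "server-room", True, t0 + timedelta(minutes=40))
    lock.request_inhibit(again, t0 + timedelta(minutes=40))
    lock.fire_alarm()
    results["armed_on_fire"] = lock.suppression_armed(t0 + timedelta(minutes=41))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The point of the design is that the safety system keeps its own authorisation list and its own clock rather than trusting whatever the access-control network delivers, and that the default state (armed) is restored by time and by the fire signal without any further message being needed.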
The increasing emphasis on the environment has led organisations to monitor their energy consumption and carbon footprint, with some displaying information on this aspect in the reception areas of their buildings. This information typically originates in the building systems but is displayed using the corporate IT network. If some of the developing cloud-based utility management services are used, it is possible that the data from the building system may have been passed over the Internet to a cloud service provider, processed and then returned for display via the corporate intranet.

With the increasing use of wireless networks in buildings, new opportunities have arisen for convergence of systems: e.g. the use of wireless surveillance cameras and web-enabled tablet devices or smartphones to allow security guards to view live video feeds as they move through the building.

These examples have focused on the convergence and systems integration at a building level. As smart cities start to develop, there will be increasing interaction between the building and its environment. This could include sharing data with other local buildings, the local transport infrastructure and the smart electricity grid. These interactions may be passive, i.e. simply making available information such as the current power consumption of the building, or active, where the building systems respond to local energy demand and shed non-critical loads to stay within the contracted supply tariff.

20 LonWorks and BACnet are communications protocols used to control and automate various functions within a building

A.2 Sports stadiums

Modern sports stadiums are complex buildings capable of hosting entertainment events and conferences and providing banqueting and catering services for thousands of people. In many ways they are akin to a large town or small city.
The building contains a vast range of services including heating, ventilation, air conditioning (HVAC), lighting, building management systems (BMS), fire, security (typically comprising access, CCTV and public-address systems), lifts, escalators, scoreboards, telephones, Internet access for press and visitors, integration with business systems (e.g. supply chain and payroll), electronic point of sale (EPOS), ticketing and turnstile systems. During events there is often a demand for access to large-format video, master aerial television and broadcast systems.

To support these services, hundreds of kilometres of optical fibre and network cabling are installed in the stadium, with dozens of communications rooms housing networking equipment. These networks will facilitate the use of IP data, IP telephony and video communications both within the stadium and providing external links to law enforcement and other emergency authorities. Although most of the services may make use of a common cabling infrastructure, the fire systems will require the use of separate fire-rated cabling. In addition to the systems and infrastructure using fixed cabling there will also be wireless-based systems, including wireless networking, use of private radio systems by stewarding and security personnel, and the radios used by law enforcement and emergency services.

A modern stadium could have up to two hundred building management systems monitoring and controlling the operation of thousands of heating, lighting, ventilation and air-conditioning devices. For efficient operation of these during an event it is common practice for all these technical operations to be integrated onto a single management system to provide the event, security and police control rooms with a common single view of the building’s operations. For large public events, with tens of thousands of spectators, security and public safety are paramount.
The stadium security system will typically manage digital video feeds from over a hundred cameras and this may include feeds from police or local authority systems covering areas outside the stadium. The system will also monitor and control access through all doors and turnstiles, as well as escalators and lifts. Crowd messaging can be critical for the smooth handling of entry to and egress from the stadium, and to manage unforeseen incidents. The messaging will use the public address/voice announcement system and any large-format video screens, both of which are controlled via the integrated building systems.

The operation of the stadium as an intelligent building using a converged IP-based infrastructure and integrated systems, as illustrated in Figure 7, can offer significant commercial and operational advantages to the stadium operators and owners. Access to up-to-date information about incidents in or near the stadium can increase public safety and security, making it easier to manage the large spectator volumes in the event of an emergency. The flexibility of the systems also allows the flexible use of the venue, enabling quick turnarounds between events without the need for extensive reconfiguration of the technical and support system.

Figure 7 – Typical IP-based systems in a modern sports stadium [figure: building services, business services and accommodation services sharing structured cabling and voice and data communications; systems shown include heating, ventilation and air conditioning (HVAC), lighting, public address and voice announcement (PA/VA), fire detection and alarms, lift and escalator management, wireless systems (radio, WiFi, etc.), business systems, access control, large format video/scoreboards, security closed circuit television (CCTV), stadium control room, police control room and links to external authorities, people and asset location and management, perimeter protection, master aerial television (MATV), energy management and digital video surveillance]

A.3 Transport terminals

An increasing demand for transport at both international and national levels places pressure on transport hubs, e.g. airports and railway stations, to handle passenger volumes efficiently and safely. In response to economic and environmental factors, the owners and operators of these terminals have sought to reduce the cost of ownership and operation. Their solution has been to seek innovative IT-enabled solutions to facilitate energy savings and increase the capacity of the terminal buildings. Given the increasing levels of systems integration and the complexity of the systems, transport terminals should be regarded as intelligent buildings, where the combination of technologies and interconnected systems are essential for the smooth operation of the transport operation.

Within a transport terminal, the IT-based systems typically comprise four layers:

● A physical layer, which includes the cable and fibre infrastructure used within and between the systems;
● A networking layer operating over a combination of the physical layer and wireless to deliver local area and wide area networking (LANs and WANs) and voice communications;
● An application layer comprising a range of applications delivering operational functionality, including passenger processing and ticketing systems, luggage and freight handling systems, business and financial systems, safety and security systems, and the facilities management systems (e.g. building and energy management);
● A systems integration layer, which enables sharing of data between the various applications and with external systems, e.g. international air traffic control and flight reservation systems.

With the pressure to reduce costs, new and refurbished terminal buildings will typically use a common physical layer to support a variety of operational, business and facilities management systems. Although doing so makes it easier to manage and reconfigure the flow of data, it also creates the risk of inadvertent creation of unauthorised paths between systems.

Pressure for operational efficiencies has also created a demand for increased integration of the applications, the objective being to streamline the capture of data and reduce the opportunities for errors. The provision of a systems integration layer provides the means to share data between systems and can include access to common data stores or direct messaging interfaces between systems to allow for user access and the exchange of data. An example of this integration is the interaction between systems handling transportation data (e.g. train or aircraft movements) and the passenger information systems displaying arrivals and departure information, where the provision of automated updates can be used to inform passengers of changes or delays and boarding locations. This can allow the terminal operators to manage delays and scheduling changes efficiently, and improve the handling of passengers within a terminal.

Although this integration of systems can offer significant business benefits by providing passengers with accurate up-to-date information on departures from the terminal, it also creates a number of potential risks. The increasing dependence on correct, interruption- and error-free operation of a range of integrated systems can lead to simple problems having a disproportionate impact on terminal operations.
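The ‘inadvertent creation of unauthorised paths between systems’ on a shared physical layer is something that can be checked for on a regular basis rather than discovered after an incident. The script below is an added example and is not from the IET briefing: it takes a constructed, simplified export of switch ports (switch, port, mode, VLANs), a constructed policy mapping each VLAN to one of the terminal’s system zones, and a constructed list of the only ports permitted to carry more than one zone (the firewall uplinks), and reports any trunk that bridges zones elsewhere and any port in a VLAN the policy does not know about. All switch names, port names, VLAN numbers and zone names are constructed.

```python
"""Finding unauthorised paths between system zones on a shared switching layer.

Added example (not from the IET briefing). The policy, the approved
crossing points and the port table are all constructed for illustration.
"""

# Constructed policy: VLAN -> system zone. Zones are meant to be isolated.
VLAN_ZONE = {
    10: "passenger-processing",
    20: "baggage-handling",
    30: "facilities-management",
    40: "business-systems",
}

# Constructed: the only ports allowed to carry more than one zone (firewall uplinks).
APPROVED_CROSSINGS = {("core-1", "Gi1/0/48"), ("core-2", "Gi1/0/48")}

# Constructed port table, one port per line: switch port mode vlans
PORT_TABLE = """\
core-1 Gi1/0/48 trunk 10,20,30,40
core-1 Gi1/0/1 access 10
core-1 Gi1/0/2 access 20
edge-3 Gi1/0/5 access 30
edge-3 Gi1/0/24 trunk 30,40
edge-4 Gi1/0/7 access 77
edge-4 Gi1/0/8 trunk 10,20
"""


def parse_port_table(text):
    """Turn the constructed export into (switch, port, mode, [vlans]) tuples."""
    ports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        switch, port, mode, vlans = line.split()
        ports.append((switch, port, mode, [int(v) for v in vlans.split(",")]))
    return ports


def find_unauthorised_paths(ports):
    """Return (switch, port, reason) findings.

    Two conditions are reported: a port carrying VLANs from more than one
    zone that is not an approved crossing point, and a port in a VLAN that
    the zone policy does not cover (an undocumented path).
    """
    findings = []
    for switch, port, mode, vlans in ports:
        unknown = [v for v in vlans if v not in VLAN_ZONE]
        if unknown:
            findings.append((switch, port, f"VLAN(s) {unknown} not covered by zone policy"))
        zones = {VLAN_ZONE[v] for v in vlans if v in VLAN_ZONE}
        if len(zones) > 1 and (switch, port) not in APPROVED_CROSSINGS:
            findings.append((switch, port,
                             "bridges zones " + ", ".join(sorted(zones))
                             + " outside an approved crossing"))
    return findings


if __name__ == "__main__":
    for switch, port, reason in find_unauthorised_paths(parse_port_table(PORT_TABLE)):
        print(f"{switch} {port}: {reason}")
```

Run against a real export the same check belongs in the change-control process described in Chapter 9: a new trunk that appears between two zones is exactly the kind of change whose security impact is not obvious to the person requesting it.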
For example, the problems with baggage-handling systems at Denver Airport and Heathrow Terminal 5 demonstrate how critical these systems are for smooth terminal operation.

It is important to recognise that terminal buildings fulfil multiple roles, supporting the basic transport function, local and national security functions (e.g. immigration control and customs), and housing extensive retail and catering outlets. Building systems have an increasingly important role in the efficient operation of terminals, to provide a comfortable, safe and secure environment for passengers and staff. Availability of the terminal may be seriously affected when building systems are disrupted, thus preventing the building from delivering the required functionality. The nature of the availability risk will depend on the type of building and the criticality of the affected building service.

As an example, if a BMS became inoperable and allowed the temperature to stray outside acceptable limits, areas of the building could become inhospitable for the occupants, damage equipment through excessive temperatures or result in damage to stored materials. This would be critical in an airport terminal for spaces such as airside lounges and waiting areas, where the passengers have already been screened by customs and airport security.

APPENDIX B Twenty critical controls

The top 20 critical security controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence.
CPNI is participating in an international government–industry effort to promote the top 20 critical controls for computer and network security.21 The development of these controls is being coordinated by the SANS Institute.22 The descriptions in the following list of the individual controls have been adapted to highlight their relevance to both building and corporate IT systems.

1 Inventory of authorised and unauthorised devices
For IP-based networks this includes the processes and tools used to track, control, prevent and correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network. For networks and systems that are not IP-based or include elements that are not IP-based, the inventory should include all communications devices (e.g. modems, protocol converters, etc.), sensor and control devices, etc.

2 Inventory of authorised and unauthorised software
The processes and tools that organisations use to track, control, prevent and correct installation and execution of software on computers based on an asset inventory of approved software. This should include code running on embedded processors, networking and communications components.

3 Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
The processes and tools that organisations use to track, control, prevent and correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations and servers based on a formal configuration management and change control process. This should include code running on all digital devices, including embedded processors, networking and communications components.
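Controls 1 and 2 both reduce to a reconciliation between what is approved and what is actually present. The script below is an added example, not from the briefing or the SANS control documentation: it compares a constructed approved inventory with constructed discovery results and reports devices that were discovered but not approved, approved devices that are missing (which for a sensor or controller is also a resilience question), and devices whose reported software or firmware differs from the approved version. Because a building network includes devices that are not IP-based, the inventory keys cover IP addresses, MAC addresses and serial-bus positions behind a protocol converter. All addresses, bus positions, product names and version strings are constructed.

```python
"""Reconciling discovered devices and software against the approved inventory
(critical controls 1 and 2).

Added example (not from the IET briefing or the SANS material). Every
address, bus position, device name and version string is constructed.
"""

# Constructed approved inventory: key -> (description, approved software/firmware)
APPROVED = {
    "ip:10.20.0.11": ("BMS head-end server", "bms-server 4.2"),
    "ip:10.20.0.20": ("access control controller", "acs-ctl 7.1"),
    "ip:10.20.0.31": ("CCTV NVR", "nvr 2.0"),
    "mac:00:11:22:33:44:55": ("Modbus/TCP gateway", "gw 1.8"),
    "serial:bus1/3": ("AHU controller (Modbus RTU)", "ahu-fw 3.3"),
    "serial:bus1/4": ("chiller controller (Modbus RTU)", "chl-fw 1.1"),
    "serial:bus1/5": ("boiler controller (Modbus RTU)", "blr-fw 2.0"),
}

# Constructed discovery output (IP scan, switch MAC table, serial-bus poll)
# merged into one list of "key software-as-reported" lines.
DISCOVERED = """\
ip:10.20.0.11 bms-server 4.2
ip:10.20.0.20 acs-ctl 7.1
ip:10.20.0.31 nvr 2.0
ip:10.20.0.77 unknown-device
mac:00:11:22:33:44:55 gw 1.8
serial:bus1/3 ahu-fw 3.3
serial:bus1/4 chl-fw 1.0
"""


def reconcile(approved, discovered_text):
    """Return (unauthorised, missing, software_mismatch).

    unauthorised: discovered keys with no inventory entry (control 1)
    missing:      inventory entries that discovery did not see (control 1)
    mismatch:     (key, approved, reported) where software differs (control 2)
    """
    discovered = {}
    for line in discovered_text.splitlines():
        if line.strip():
            key, _, software = line.partition(" ")
            discovered[key] = software
    unauthorised = sorted(k for k in discovered if k not in approved)
    missing = sorted(k for k in approved if k not in discovered)
    mismatch = sorted(
        (k, approved[k][1], discovered[k])
        for k in discovered
        if k in approved and discovered[k] != approved[k][1]
    )
    return unauthorised, missing, mismatch


if __name__ == "__main__":
    unauthorised, missing, mismatch = reconcile(APPROVED, DISCOVERED)
    print("unauthorised:", unauthorised)
    print("missing:", missing)
    for key, want, got in mismatch:
        print(f"software mismatch on {key}: approved {want!r}, reported {got!r}")
```

The useful property of keying the inventory by the channel a device is reached over (IP, MAC or serial-bus position) is that the non-IP elements control 1 calls for are not silently dropped because a network scanner cannot see them.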
4 Continuous vulnerability assessment and remediation
The processes and tools used to detect, prevent and correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database. From a resilience perspective the vulnerability assessment should include factors that disrupt or prevent the operation of the device, e.g. loss of power, loss of cooling, electromagnetic interference, flooding, vandalism, theft, etc.

5 Malware defences
The processes and tools used to detect, prevent and correct installation and execution of malicious software on all devices.

6 Application software security
The processes and tools that organisations use to detect, prevent and correct security weaknesses in the development and acquisition of software applications, including embedded code. This should address the full suite of software across all devices in the inventory.

7 Wireless device control
The processes and tools used to track, control, prevent and correct the secure use of wireless LANs (local area networks), access points, wireless client systems and all uses of radio for communications and data links, e.g. Bluetooth, ZigBee, NFC, RFID, etc.

8 Data recovery capability
The processes and tools used to back up critical information/data with a proven methodology for its timely recovery. This should include state or configuration data for devices to allow a system to be recovered to a known safe and secure state following an incident.

21 Further advice on the CPNI website: http://www.cpni.gov.uk/advice/cyber/critical-controls [accessed 24 Apr 2013]
22 Version 4.1 of the controls has been published: http://www.sans.org/critical-security-controls/cag4-1.pdf [accessed 24 Apr 2013]
9 Security skills assessment and appropriate training to fill gaps
The process and tools needed to make sure that an organisation understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training and awareness.

10 Secure configurations for network devices
The processes and tools used to track, control, prevent and correct security weaknesses in the configurations of network devices such as firewalls, routers and switches based on formal configuration management and change control processes. The term ‘network’ should be taken to include communications and data links required for the operation of the organisation and its systems. This includes the configuration of all transmitters and receivers in an organisation’s systems.

11 Limitation and control of network ports, protocols and services
The processes and tools used to track, control, prevent and correct use of ports, protocols and services on networked devices. The term ‘network’ includes communications and data links required for the operation of the organisation and its systems.

12 Controlled use of administrative privileges
The processes and tools used to track, control, prevent and correct the use, assignment and configuration of administrative privileges on computers, networks and applications.

13 Boundary defence
The processes and tools used to detect, prevent and correct the flow of information between networks of different trust levels, with a focus on security-damaging data. For building and industrial control systems the boundary should be considered in terms of protecting the availability and integrity of the system(s).

14 Maintenance, monitoring and analysis of audit logs
The processes and tools used to detect, prevent and correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organisation.
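Controls 11, 13 and 14 meet in the audit log of the boundary firewall between the corporate network and the building systems network: the log records which ports, protocols and services were actually used across the trust boundary, and reviewing it shows whether the rule base still matches the approved list. The script below is an added example, not from the briefing or the SANS material. It checks a constructed sample of firewall audit-log lines against a constructed table of the services each building system is permitted to expose, and reports two conditions: traffic the firewall permitted to a service that is not on the approved list (rule base drift), and a source that was denied on many distinct ports within a short window, which is the kind of event a log review under control 14 should surface for investigation. All addresses, ports, thresholds and log lines are constructed.

```python
"""Review of boundary-firewall audit logs against the approved services list
(critical controls 11, 13 and 14).

Added example (not from the IET briefing or the SANS material). Addresses,
ports, thresholds and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed approved services: destination host -> {(protocol, port)}
APPROVED_SERVICES = {
    "10.20.0.11": {("tcp", 443)},                # BMS head-end: HTTPS operator interface only
    "10.20.0.20": {("tcp", 443), ("tcp", 22)},   # access-control controller
    "10.20.0.31": {("tcp", 443), ("tcp", 554)},  # CCTV NVR: HTTPS and RTSP
}
DENY_PORT_THRESHOLD = 5          # distinct ports denied from one source ...
DENY_WINDOW = timedelta(minutes=5)  # ... within this window is worth a look

# Constructed log lines: "timestamp action protocol source destination port"
SAMPLE_LOG = """\
2013-04-23T08:00:01 ALLOW tcp 10.50.1.15 10.20.0.11 443
2013-04-23T08:00:09 ALLOW tcp 10.50.1.15 10.20.0.11 502
2013-04-23T08:01:00 ALLOW tcp 10.50.1.20 10.20.0.31 554
2013-04-23T08:02:10 DENY tcp 10.50.1.99 10.20.0.20 21
2013-04-23T08:02:11 DENY tcp 10.50.1.99 10.20.0.20 23
2013-04-23T08:02:12 DENY tcp 10.50.1.99 10.20.0.20 80
2013-04-23T08:02:13 DENY tcp 10.50.1.99 10.20.0.20 445
2013-04-23T08:02:14 DENY tcp 10.50.1.99 10.20.0.20 502
2013-04-23T08:02:15 DENY tcp 10.50.1.99 10.20.0.20 3389
2013-04-23T08:30:00 DENY tcp 10.50.1.20 10.20.0.11 22
"""


def parse_log(text):
    """Yield (timestamp, action, protocol, src, dst, port) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), action, proto, src, dst, int(port)


def review_boundary_log(text):
    """Return (unapproved_allowed, probing_sources).

    unapproved_allowed: (src, dst, proto, port) the firewall permitted although
                        the service is not on the approved list for dst
    probing_sources:    (src, distinct_ports) denied on >= DENY_PORT_THRESHOLD
                        distinct ports within DENY_WINDOW
    """
    unapproved = []
    denies = defaultdict(list)   # src -> [(timestamp, port)]
    for ts, action, proto, src, dst, port in parse_log(text):
        if action == "ALLOW" and (proto, port) not in APPROVED_SERVICES.get(dst, set()):
            unapproved.append((src, dst, proto, port))
        elif action == "DENY":
            denies[src].append((ts, port))
    probing = []
    for src, events in denies.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - start <= DENY_WINDOW}
            if len(window) >= DENY_PORT_THRESHOLD:
                probing.append((src, len(window)))
                break
    return unapproved, sorted(probing)


if __name__ == "__main__":
    unapproved, probing = review_boundary_log(SAMPLE_LOG)
    for src, dst, proto, port in unapproved:
        print(f"permitted but not approved: {src} -> {dst} {proto}/{port}")
    for src, n in probing:
        print(f"{src} denied on {n} distinct ports within {DENY_WINDOW}")
```

In the constructed sample the permitted connection to port 502 on the BMS head-end is the more important finding: a Modbus/TCP service reachable from the corporate side is a boundary-defence failure whether or not anyone has used it maliciously, and for a control system the concern under control 13 is the integrity and availability of the head-end rather than data leaving it.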
15 Controlled access based on the need to know
The processes and tools used to track, control, prevent and correct secure access to information according to the formal determination of which persons, computers and applications have a need and right to access information based on an approved classification. For building and industrial control systems, access should be granted on a basis of need to know for specific job roles and responsibilities rather than primarily on classification of the information in the system.

16 Account monitoring and control
The processes and tools used to track, control, prevent and correct the use of system and application accounts. This should include those used by the organisation and those accessed by suppliers or manufacturers to configure and support devices.

17 Data loss prevention
The processes and tools used to track, control, prevent and correct data transmission and storage, based on the data’s content and associated classification.

18 Incident response and management
The process and tools used to make sure that an organisation has a properly tested plan with appropriately trained resources for dealing with any adverse events or threats of adverse events. This should include resilience and cyber security events and threats.

19 Secure network engineering
The process and tools used to build, update and validate a network infrastructure that can properly withstand attacks from advanced threats. The term ‘network’ should be taken to include communications and data links required for the operation of the organisation and its systems.

20 Penetration tests and red team exercises
The process and tools used to simulate attacks against a network or system to validate the overall security of an organisation.
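Control 8 above asks for device state or configuration data to be held so that a system can be returned to a known safe and secure state. The following is an added example of how that can be made checkable in code; it is not from the briefing or from any vendor's product. A device configuration is modelled as a flat key/value dict (the kind of export many controllers and network devices can produce), the baseline store is in memory, and the device name and settings are constructed for illustration.

```python
"""Known-safe-state baselines for device configuration (added example)."""
import copy
import hashlib
import json


def config_digest(config):
    """SHA-256 over a canonical JSON encoding, so key order does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class BaselineStore:
    """Holds the approved ('known safe and secure') configuration per device."""

    def __init__(self):
        self._baselines = {}   # device -> {"config": dict, "digest": str}

    def approve(self, device, config):
        """Record config as the approved recovery point for device; return its digest."""
        snapshot = copy.deepcopy(config)
        self._baselines[device] = {"config": snapshot, "digest": config_digest(snapshot)}
        return self._baselines[device]["digest"]

    def drift(self, device, current):
        """List (key, approved_value, current_value) for every difference.

        A key present on only one side is reported with None for the other side,
        so an undocumented new setting is caught as well as a changed one.
        """
        approved = self._baselines[device]["config"]
        keys = sorted(set(approved) | set(current))
        return [(k, approved.get(k), current.get(k))
                for k in keys if approved.get(k) != current.get(k)]

    def verify_backup(self, device, backup):
        """True only if the backup matches the approved configuration exactly."""
        return config_digest(backup) == self._baselines[device]["digest"]

    def recovery_point(self, device):
        """A fresh copy of the approved configuration to restore from."""
        return copy.deepcopy(self._baselines[device]["config"])


# Constructed sample: a lift PLC as commissioned, and the same PLC as found
# after a maintenance visit (hypothetical device name and settings).
APPROVED_PLC = {
    "ip": "10.0.2.11",
    "firmware": "2.4.1",
    "modbus_port": 502,
    "remote_write_enabled": False,
    "telnet_enabled": False,
}
FOUND_PLC = {
    "ip": "10.0.2.11",
    "firmware": "2.4.1",
    "modbus_port": 502,
    "remote_write_enabled": True,   # changed during maintenance
    "telnet_enabled": False,
    "vendor_debug_port": 8888,      # new, undocumented setting
}


if __name__ == "__main__":
    store = BaselineStore()
    store.approve("plc-lift-01", APPROVED_PLC)
    for key, was, now in store.drift("plc-lift-01", FOUND_PLC):
        print(f"{key}: approved={was!r} found={now!r}")
```

Running the block prints the two drifted settings. The digest is the useful part for recovery: a backup image that does not match the approved digest is not a known safe state, whatever its file name says, so `verify_backup` should gate any restore.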
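Controls 10 and 11 above are about knowing which ports, protocols and services each networked device is permitted to expose and correcting anything else. As an added example (not from the briefing), the check below compares the services observed on building-control devices against a per-role allowlist tied to the approved asset inventory. The inventory, the role policy and the "observed" service listings are constructed sample data; in practice the inventory comes from the asset database and the observations from a device configuration export or an authorised scan.

```python
"""Ports/protocols/services allowlist check for building control devices (added example)."""
from dataclasses import dataclass

# Approved services per device role as (port, protocol) pairs. The port numbers
# are the registered ones for the named protocols; which roles may expose them
# is a constructed policy for this example.
ALLOWED_SERVICES = {
    "bms-controller": {(47808, "udp"), (443, "tcp")},   # BACnet/IP, HTTPS management
    "plc":            {(502, "tcp")},                    # Modbus/TCP
    "access-control": {(443, "tcp"), (4840, "tcp")},     # HTTPS, OPC UA
}


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    detail: str


def check_services(inventory, observed):
    """Compare observed listening services against the role allowlist.

    inventory: {hostname: role}, the approved asset inventory
    observed:  {hostname: set of (port, proto)} from a config export or scan
    Returns Findings in a deterministic order (observed hosts, then missing ones).
    """
    findings = []
    for host in sorted(observed):
        role = inventory.get(host)
        if role is None:
            # Anything talking on the network that is not inventoried is the
            # first thing to chase (control 1 feeds controls 10 and 11).
            findings.append(Finding(host, "high", "device not in approved asset inventory"))
            continue
        allowed = ALLOWED_SERVICES.get(role, set())
        for port, proto in sorted(observed[host] - allowed):
            findings.append(Finding(host, "medium",
                                    f"unapproved service {port}/{proto} for role {role}"))
    # Inventoried devices that did not appear may be off, isolated or
    # re-addressed; from a resilience view that is worth a finding too.
    for host in sorted(set(inventory) - set(observed)):
        findings.append(Finding(host, "low", "inventoried device not observed"))
    return findings


# Constructed sample data (hypothetical hostnames and addresses).
SAMPLE_INVENTORY = {
    "bms-01": "bms-controller",
    "plc-lift-01": "plc",
    "acs-door-01": "access-control",
    "plc-hvac-02": "plc",
}
SAMPLE_OBSERVED = {
    "bms-01": {(47808, "udp"), (443, "tcp"), (23, "tcp")},   # telnet left enabled
    "plc-lift-01": {(502, "tcp")},
    "acs-door-01": {(443, "tcp"), (4840, "tcp")},
    "unknown-10-0-5-77": {(80, "tcp")},                       # not in the inventory
}


if __name__ == "__main__":
    for f in check_services(SAMPLE_INVENTORY, SAMPLE_OBSERVED):
        print(f"[{f.severity}] {f.device}: {f.detail}")
```

The allowlist is keyed by role rather than by host so that a change to what a role may expose is one edit under change control, which is the "formal configuration management" the control calls for.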
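Controls 14 and 16 above both come down to reading the audit trail of a system against a register of who is allowed to use it, including supplier accounts used for remote support. The block below is an added example (not from the briefing or any BMS product) of that review over a small set of constructed log lines: it flags accounts that are not in the register or whose supplier access period has expired, bursts of failed logins from one source, configuration changes made by a supplier account, and account creation events. The line format, the hosts, the addresses and the register are all constructed; a real deployment maps the vendor's log format onto `parse_line()`.

```python
"""Audit-log review and account control for a building management system (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like line: <timestamp> <host> <EVENT> user=<u> [src=<ip>] [detail=<text>]
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|CONFIG_CHANGE|ACCOUNT_CREATED) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))?(?: detail=(?P<detail>.*))?$"
)

# Constructed account register (control 16): staff accounts plus a supplier
# support account whose remote access was contracted only until a fixed date.
ACCOUNT_REGISTER = {
    "fm-operator": {"type": "staff", "expires": None},
    "bms-admin": {"type": "staff", "expires": None},
    "vendor-svc": {"type": "supplier", "expires": "2013-03-31"},
}

FAILED_LOGIN_THRESHOLD = 3                    # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def account_expired(entry, when):
    """True if the register entry carries an expiry date earlier than `when`."""
    if entry["expires"] is None:
        return False
    return when.date() > datetime.strptime(entry["expires"], "%Y-%m-%d").date()


def review_logs(lines):
    """Return (severity, message) findings in log order."""
    findings = []
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines are a finding, not silently dropped: a log
            # source that changes format stops being monitored otherwise.
            findings.append(("low", f"unparseable audit line: {line!r}"))
            continue
        ts, host, ev, user = rec["ts"], rec["host"], rec["event"], rec["user"]
        stamp = ts.isoformat()
        entry = ACCOUNT_REGISTER.get(user)
        # Control 16: every account in the logs must be registered and, for
        # supplier accounts, still inside its contracted support period.
        if entry is None:
            findings.append(("high", f"{stamp} {ev} on {host} by unregistered account {user}"))
        elif account_expired(entry, ts):
            findings.append(("high", f"{stamp} {ev} on {host} by expired {entry['type']} account {user}"))
        # Control 14: events considered significant enough for analyst review.
        if ev == "LOGIN_FAIL":
            key = (host, rec["src"])
            recent = [t for t in failures[key] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            failures[key] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # report once, at the threshold
                findings.append(("medium", f"{stamp} {FAILED_LOGIN_THRESHOLD} failed logins on "
                                           f"{host} from {rec['src']} within {FAILED_LOGIN_WINDOW}"))
        elif ev == "CONFIG_CHANGE" and entry is not None and entry["type"] == "supplier":
            findings.append(("medium", f"{stamp} configuration change on {host} by supplier "
                                       f"account {user}: {rec['detail']}"))
        elif ev == "ACCOUNT_CREATED":
            findings.append(("medium", f"{stamp} account created on {host} by {user}: {rec['detail']}"))
    return findings


# Constructed sample log (hypothetical hosts, accounts and addresses).
SAMPLE_LOG = [
    "2013-04-24T08:01:10 bms-01 LOGIN_OK user=fm-operator src=10.0.1.20",
    "2013-04-24T08:05:00 bms-01 LOGIN_FAIL user=bms-admin src=10.0.9.4",
    "2013-04-24T08:05:07 bms-01 LOGIN_FAIL user=bms-admin src=10.0.9.4",
    "2013-04-24T08:05:15 bms-01 LOGIN_FAIL user=bms-admin src=10.0.9.4",
    "2013-04-24T09:30:00 bms-01 LOGIN_OK user=vendor-svc src=203.0.113.8",
    "2013-04-24T09:31:12 bms-01 CONFIG_CHANGE user=vendor-svc src=203.0.113.8 detail=schedule AHU-2 updated",
    "2013-04-24T10:00:00 bms-01 ACCOUNT_CREATED user=bms-admin detail=new account temp-user",
    "garbage line",
]

if __name__ == "__main__":
    for severity, message in review_logs(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample the supplier account is seen logging in and changing a schedule three weeks after its contracted access ended, which is exactly the case control 16 is meant to catch: the account still exists on the device because nobody removed it when the support contract lapsed.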
APPENDIX C Glossary

Abbreviation/Term: Meaning

APT: Advanced Persistent Threat – a form of cyber security attack, often used for intelligence gathering, involving an attacker who has the capability and intent to target a specific individual or organisation persistently and effectively
BIM: Building Information Modelling – digital representation of physical and functional characteristics of a facility, creating a shared knowledge resource for information about it forming a reliable basis for decisions during its life cycle, from earliest conception to demolition [UK Construction Project Information Committee]
BIS: Department for Business, Innovation and Skills
Bluetooth: A wireless technology standard [IEEE 802.15.1] used for communicating data over short distances and which may be used to create personal area networks
BMS: Building Management System
CESG: Information Security arm of the Government Communications Headquarters (GCHQ)
Continuity: The unbroken and consistent operation of a system, process or business over a period of time
Convergence: The tendency for previously separate technologies, e.g. voice, data, video, to now share resources, both physical (e.g. cabling) and logical (processing, storage, etc.), and to interact with each other
CPNI: Centre for Protection of National Infrastructure
CRM: Customer Relationship Management
DDoS: Distributed denial of service – an attack by multiple systems that tries to flood a targeted system with traffic until connection requests are refused and the targeted system fails to respond to existing connections
DMZ: Demilitarised zone – a physical or logical sub-network protected by firewalls used to share data between trusted and untrusted networks, e.g. between an organisation’s intranet and the Internet
ERP: Enterprise Resource Planning
Governance: The management, decision-making and leadership processes employed by an organisation to ensure consistent and cohesive management of a given area of responsibility
HVAC: Heating Ventilation and Air Conditioning
ICS: Industrial Control Systems
ICT: Information and Communications Technology
Malware: Malicious software used to attack, disrupt and compromise security, or take control of a computer system or individual computer
MRP: Materials Resource Planning
NFC: Near Field Communications
PLC: Programmable Logic Controller
Reconnaissance: The preliminary inspection, survey, exploration and/or research undertaken when contemplating an attack or specific action
Resilience: The ability to withstand a level of failure or disruption and to adapt or respond to dynamic internal or external changes while continuing to operate with limited impact on the organisation or business
RFID: Radio Frequency Identification
SCADA: Supervision Control and Data Acquisition
SMS: Short Message Service – the text service used for communication between phones/mobile phones
Structured cabling: The implementation of a structured building or campus telecommunications (i.e. telephony, computer network, video, etc.) cabling infrastructure, which comprises a number of standardised smaller elements
Systems integration: The process of bringing together component systems or sub-systems to create a single system whose functionality operates as a coordinated whole
UPS: Uninterruptible Power Supply – an emergency power system providing continuity of supply in the event of an interruption in the mains power supply
VLAN: Virtual Local Area Network – configuration of a network to create broadcast domains that are mutually isolated
WiFi: Technology used to deliver a wireless local network based on the IEEE 802.11 standards
Wireless: Used in this document to cover networks and communications carried by radio frequency transmissions allowing passage of information or data without a physical (wired) connection
ZigBee: A specification for a communications protocol using small, low-power digital radios, based on the IEEE 802.11 standard for personal area networks