
IoT Security Foundation publishes smart building whitepaper

The IoT Security Foundation has published a guide on security for smart buildings to highlight key issues and gather feedback to inform future guidance for industry stakeholders

The IoT Security Foundation (IoTSF) has published a free-to-download whitepaper on securing smart buildings, which was launched at the IFSEC International Conference in London.

Entitled "Can you trust your smart building? Understanding the security issues and why they are important to you", the whitepaper is aimed at promoting cyber security best practices in evolving building management systems (BMS).

The report is targeted at a broad range of stakeholders that design, specify, procure, install, integrate, validate, operate and maintain building automation systems (BAS), specifically building owners, facility managers, technology providers, architects and installers.

Smart buildings are increasingly classified as internet of things (IoT) systems and offer benefits such as savings in energy and water usage; improved working conditions, safety and security for occupants; improved customer service levels; visibility and management of occupancy levels; optimisation of resources; and reduced maintenance costs.

However, the whitepaper notes that the increasing networking of systems and connections through the internet also increases the threat of hacking by criminals and other groups, underlining the importance of understanding those threats and planning safeguards so that the building's systems are cyber-safe and continue to operate as intended.

The whitepaper discusses a number of vulnerabilities that exist and where solutions lie to protect people, assets and business investments.

It further explores the evolving responsibilities that each building stakeholder has to consider across the design, integration, occupation and maintenance of the building's lifecycle.


Duncan Purves, lead author of the whitepaper and director of, said even if no-one is interested in hacking a particular building, it could become the unintended victim of a cyber incident such as the 2017 WannaCry ransomware attack that infected over 200,000 devices in more than 150 nations.

“It is important to understand and mitigate the risks posed to your tenants, staff, visitors and assets from vulnerabilities in internet-connected building systems,” he said.

Launching the whitepaper at IFSEC, Paul Dorey, executive steering board member of IoTSF, said the purpose of the whitepaper is to ground the abstract concept of securing internet-connected devices in the reality of building management systems.

“What makes it real is looking at technology that is doing a cyber-physical job, not only in smart buildings but anything that is connected to the internet, but when discussed in very broad terms, it is difficult to make it real.

“This whitepaper grounds IoT security strategy planning in something people have to deal with – which in this case is the building environment – and looks at what the security issues can be, but more importantly at what can be done about addressing those problems and at who is responsible, which is essentially anyone involved from the designers to the operators, and each one needs to accept some responsibility for cyber security to ensure that it is addressed in every single element at every level.”

Sarb Sembhi, one of the contributors to the whitepaper and CISO at Virtually Informed, said the paper is aimed at encouraging all stakeholders to consider what they are doing in response to the security challenges and identify the areas in which they need additional help.

“The whitepaper provides some guidance for what each of the stakeholders can and should be doing, and links to existing resources, but by engaging with the IoT Security Foundation and its dedicated Smart Buildings Working Group about areas where they are still struggling, they can help to develop further guidance as well as help adopt and implement best practice security for smart buildings.”
