At a recent seminar discussion on smart buildings, I was reminded of the Mr. Robot episode where the general counsel of a multinational corporation, which is being targeted by a hacker group, has her futuristic apartment hacked. In case you haven’t been watching, Mr. Robot is USA Network’s psychological thriller about a young programmer who works as a cybersecurity engineer by day but by night is a vigilante hacker.
What struck me about that seminar was the complete lack of recognition of the security risk that connected buildings and smart cities entail, despite some very real-world examples, such as the April 2017 hack which set off 156 emergency sirens in Dallas, Texas, disrupting residents and overwhelming 911 operators throughout the day. This appears to have been a prank but could easily have been a ploy to distract attention from more nefarious activity.
Don’t get me wrong—smart office buildings and campuses can deliver a vast range of benefits, with building management or automation systems able to control and monitor mechanical and electrical equipment such as ventilation, lighting, power, fire prevention and security. Or, as the Intelligent Buildings Institute puts it, an intelligent building is one “which provides a productive and cost-effective environment through optimization of four basic elements: structure, systems, services and management, and the interrelationship between them.” Smart cities take this even further with objects such as street lights and parking meters connected to commercial buildings and connected to the internet—the smart city approach is to connect just about everything about the community to the internet using internet of things (IoT) and other smart tech.
So what about that Mr. Robot episode? In the scene in question, as the lawyer returns to her apartment from jogging, the hack unfolds. First, the security alarm goes off—repeatedly. The TV projector turns on by itself. The music system takes on a life of its own—playing opera at full blast. The shower suddenly turns scalding hot, then the building temperature drops to near arctic temperatures before everything in the apartment goes off at once. Eventually, the lawyer flees, at which point the hackers move in and start to “party like it’s 1999” (again).
Nearly every device connected to the internet has been shown to be susceptible to hacking, from smart fridges to baby monitors to SUVs. The 2016 Mirai botnet DDoS attacks, for example, hit equipment such as routers, CCTV cameras, and DVRs, all vulnerable due to poorly designed security. A French internet service provider was attacked, and U.S.-based users were unable to access the likes of Amazon, Spotify and Twitter.
European regulators and lawmakers have been quick to respond to the threat posed, especially as regards critical infrastructure. Towards the end of 2017, the EU Cybersecurity Agency ENISA published an in-depth study on IoT security, and EU member states have until May this year to implement the Cybersecurity Directive, which is aimed at bolstering cybersecurity across sectors that rely heavily on information and communications technology. The General Data Protection Regulation (GDPR) also comes into force in May. It creates principles around data processing and sets out new data protection standards which will be very relevant to the IoT, including data protection impact assessments, privacy by design and by default, informed consent, and profiling.
Season 3 of Mr. Robot ended last December after some crazy plot twists including the FBI itself getting hacked. Back in the real world, however, cyberattacks continue to be reported on an almost weekly basis. With the risk of eye-watering fines under GDPR, designers, builders, operators and occupiers of smart buildings will need to ensure that they have established and implemented privacy and security frameworks which meet the new rules and regulations for data privacy and cybersecurity.