Hyper-Connectivity: Hyper Opportunity or Uber Risk

Learn the types of threats that connectivity can pose to CRE and FM

Hyper-connectivity and its direct association with ‘cyber,’ ‘Big Data,’ ‘datafication,’ the ‘Internet of Things’ (IoT) and the already emerging ‘Internet of Everything’ (IoE), has led to interaction, communication and collaboration between people and devices on a level that only a few years ago couldn’t have been imagined. Currently, approximately 40 percent of the world’s population has access to the Internet. In 1995, it was less than one percent. Yet we are still at the beginning of this technological trend. Experts estimate that, as of this year, there will be 25 billion connected devices, and by 2020, 50 billion.

The connection of physical objects to the Internet and to each other through small, embedded sensors supported by wired and wireless technologies has created an ecosystem of “ubiquitous computing.” In 2000, the highest-performing processors achieved levels of computation equivalent to that of a spider; today they are close to being as powerful as the brain of a mouse. If processing power continues to grow at its current rate (doubling every three years), by 2023 some computers could have the processing power of the human brain and by 2045 they could be 100,000 times more powerful.[1]

So much that we’ve come to appreciate about our lifestyles today—flexible working, mobile technologies, smart cars, iPhones and data collection—may be converging to create the perfect storm. Big Data, together with the IoE, lies at the core. Globally, by 2018, it is estimated that mobile data traffic will exceed fifteen exabytes — about 15 quintillion bytes — each month.[2] By comparison, an exabyte of storage could contain 50,000 years’ worth of DVD-quality video.[3] This means there will be new privacy issues as categories of data and their option value offer new insights.

For instance, for smart homes this could be ‘load signatures’ that describe the power consumption of electrical devices that are unique to the appliance. This information can be used to determine when residents are not at home and provide insights into their daily behavior or even illegal activities. Data emitted from worn sensors could affect insurance premiums, and as more data is captured and cross-referenced it will become harder to protect privacy.

Interconnected data systems of the CRE infrastructure are increasingly vulnerable to attack. Source: The Institution of Engineering and Technology, UK, and Deloitte Center for Financial Services Analysis

In 2000, 25 percent of the world’s information was stored digitally; today it is more than 98 percent. On this trajectory, by 2045 there will be 20,000 times more digital information than there is today. Personal data as Big Data will certainly aid de-anonymization through patterns and correlations that become visible with other data sources. However, it is not all bad and much of the hyper-connectivity revolution can be seen as beneficial. Not only will consumers be in closer contact with business; they’ll also be more connected to one another, forming Internet communities and thereby growing the bargaining power of the customer base.

Hyper-connectivity will also provide unparalleled convenience for consumers and businesses. Remote control of utilities will provide an unprecedented level of awareness and control from lights to heating, with the analytics to deduce activity patterns, energy consumption and dictate optimal usage. In the corporate world, hyper-connectivity will revolutionize the definition of the workplace, by eliminating the need for traditional workspace. Emails and documents will be universally more accessible, and face-to-face communication will be only a click of a button away. Behind the scenes, networked sensors will inform maintenance staff of the mechanical status of infrastructure, allowing repairs and replacements to be carried out before problems develop.

Hyper-connecting the Risk: the Threat to Corporate Real Estate

With these technological advances, though, come advanced risks. Hyper-connectivity not only increases overall vulnerability to cyberattack; it also fundamentally alters the nature of the threat, which is no longer restricted to the lone hacker or the disgruntled student. Today, well-organized and funded networks of cyber-criminals and terrorists operate within a complex marketplace. They’re able to orchestrate large-scale and widespread attacks.

Areas of corporate real estate (CRE) that stand to benefit most from hyper-connectivity are also the most vulnerable: Building Management Systems (BMS) and Energy Management Systems (EMS). These systems represent the brain and nerves of CRE infrastructure and will be evermore vulnerable to attack as sensors, systems and networks become increasingly connected. Our emerging ‘smart’ buildings, or even ‘smart’ cities, require universal operating systems, which in turn require a myriad of sensors and regulating devices. Attack vectors for smart offices now include smart TVs that may run operating systems used also in smartphones, smart meters or office automation devices, to name just a few. Not only will such networks present thousands of potential access points, but also many of them will be parts of systems for which security has never been considered a major concern before.

On top of that, BMS and EMS systems also suffer from common basic weaknesses including poor password protection, unmonitored access points and rudimentary software. Furthermore, sensors are inherently difficult to secure, often lacking the processing capacity to even support security programming. Policy makers have also routinely not been part of the early design phase, which may result in a lack of relevant legislation and regulation.

A single unsecured thermal sensor or networked thermostat could be used as the jumping off point for deeper incursions into the wider network. The invasion of Target’s payment network in 2013 was traced to a data connection breach in just this way. Access via the HVAC system facilitated penetration into the main network, resulting in the breach where 40 million credit card records and 110 million personal data records were stolen. The cost: $162 million, not including the expenses Target incurred as a result of class action lawsuits filed after the breach, or wider damage to its reputation with customers. The attack not only cost the CIO and CEO their jobs, but the retailer found Christmas sales for the final quarter of 2013 to be down 2.5 percent on the previous year, which the Financial Times linked directly to fallout from their data loss. Since IoE plays a crucial role in Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) control systems and Automatic Identification Systems (AIS), the lack of a secure foundation will represent a systemic vulnerability to all levels of modern corporate infrastructure. These systems have vulnerabilities, are often poorly protected, or run on software that has reached end-of-life. Attacks could therefore directly impact workplaces, individuals and business operations. Businesses could be temporarily deprived of control over their own management systems, or be locked out completely. There could be physical or virtual damage inflicted to equipment remotely; deliberately induced inefficiencies; or building access controls compromised or even overrun completely.

In short, universal connectivity means universal vulnerability. We can expect to see more targeted attacks, including new forms of blackmailing and extortion schemes, such as ransomware for data theft, smart machines, smart offices or business BMS. Corporate real estate will become a greater target in future military conflict. Why target a military facility that employs multiple layers of enhanced physical and cybersecurity when you can knock over a public power utility, critical national infrastructure, a city’s supply distribution networks or the banking system? If money is the sinew of war, what happens if the financial system is crippled?

People — the Weakest Link in the Security Chain

Cyber-criminals are agile and entrepreneurial. They’re almost always more motivated to commit crimes than their potential victims are to take pre-emptive steps to stop them. The criminal community is forever testing the boundaries of what’s possible. They’ll always hold the initiative, and their powers will grow as more data is acquired, stored and shared among an increasing number of mobile devices. There are various forms of traditional cyber-attack. The most popular threat vectors are viruses, malware and botnets, as these attacks are largely automated fire-and-forget systems. The results of Distributed Denial of Service (DDoS) attacks have been spectacular and widely reported. But these attacks provide little return for the attacker as they are usually motivated by politics or a desire for revenge. The spread of interconnected devices is exponentially increasing the platforms available for DDoS attacks, thus greatly increasing their effectiveness and viability.

That said, the most effective technique, and one that is often overlooked when considering cyber-threats, is targeting the human element. The increasing ubiquity of technology and connectivity that characterizes hyper-connectivity exacerbates a point that has been neglected in cyber-security circles: The individual employee (or ‘insider threat’) is potentially the weakest link. The growing amount of personal information we willingly surrender online increases Big Data and therefore vulnerability to ‘social engineering’ techniques. This allows hostiles to bypass any security measures entirely by manipulating those who already have access. It doesn’t matter how high the walls are or how strong the door is, if the enemy has a key.

Information about status, personal interests and activities (in and out of the workplace) inevitably increases the risk of exposure to criminals. So does the practice of employees accessing company-networked systems to connect to social networking sites and browse online. The use of personal devices is commonplace at many work locations and these can bridge into business firewalled environments. Criminals know and exploit these vulnerabilities to breach systems, recruit vulnerable staff, hijack identities and steal data or assets.

Social engineering attacks were used to breach several prominent Internet companies including Facebook, Apple, Microsoft and Twitter in 2013. And if one accepts that in 2013, the average period of time an attacker remained undetected on a compromised network was 229 days [4], it is obvious how critical the situation is becoming.

Re-booting the Security Mindset

Hyper-connectivity means that this issue is no longer confined to frontline IT staff. All employees and functional areas are equally vulnerable. Owners, managers and CRE stakeholders need to modernize their security attitude towards the advancing threat. Too many stakeholders view security as a cost, when it is actually an enabler to enhance the ‘bottom line.’

Modern competitive advantage will be driven by volume and usage of Fast Data — data that is collected and analyzed in real time to support decision processes in real time, early warning systems based on opinion mining, awareness and real-time feedback. Investment in security will be required from the outset to facilitate this. The days of security only coming to the fore retrospectively after an incident need to go; reactive response will be too late in the hyper-competitive business environment that the IoE will drive us to.

But who in CRE will be accountable for this pervasive risk? The risk spans a number of CRE business areas — IT, Workplace, HR, Security and Facilities Management — to name a few. Mitigating cyber-threats to a company’s business model, shareholder value, data and reputation can’t be delegated solely to the CIO, or the Head of Security, or the Head of IT. Disputes among these divisions are inevitable; thus, it is the CEO and Board who must ultimately take ownership. Defaulting to specialists, whether through ignorance or nervousness, is to lose sight of the fact that the real threat is to the performance and reputation of the business.

References

1. Time Magazine (2011), ‘The Year Man Becomes Immortal’.
2. CISCO visual networking index: global mobile data traffic forecast update, 2013–2018 (2014).
3. University of Bristol, Exabyte Informatics, available at http://www.bris.ac.uk/research/themes/exabyte-informatics.html
4. Trends: Beyond the Breach, Mandiant 2014 Threat Report.

Nigel Somerville, MBE MC leads the international Risk Management function at Source8. He has significant experience in conducting highly challenging and strategic programs worldwide. His areas of expertise include risk management, business intelligence, information and physical security, corporate due diligence and commercial compliance. Somerville is a Chartered Security Professional (CSyP) and specializes in corporate real estate and operating in complex and hostile environments.
