Posted on August 01, 2017

As smart cities become a reality in the GCC, smart buildings are increasingly becoming more prevalent because of the optimized efficiency and convenience they offer, for both operators and tenants. However, wider adoption of smart building technology should stimulate corporations and governments to ensure that they are adequately prepared for potential cyber risks, stated in a comprehensive report titled ‘Cybersmart Buildings’ co-authored by Booz Allen Hamilton and Johnson Controls.

Smart buildings operate as a link between the physical and digital world and leverage data to optimize operations and lower facility costs, while increasing safety and sustainability. However, unlike cyber risks in other industries, smart buildings are not just susceptible to data breaches and IT interference, they are also vulnerable to disruptions that could negatively impact several aspects of daily life.

Cyber threat actors have demonstrated capability and intent in hacking building automation systems, safety systems, and critical environmental technology.  Smart system network designs must be secured, if integrated with IT systems and networks, to make sure internal systems are not exposed to new threat vectors from building automation systems. For example, hackers can exploit vulnerabilities in Heating, Ventilating and Air Conditioning (HVAC) systems as the entry point into a corporate network, or hack into IoT devices to breach the privacy of residents.

One of Qatar’s most ambitious construction plans for smart cities, Lusail, aims to deliver smart solutions to its stakeholders, in line with the country’s National Vision 2030 strategy. With real estate players looking to reduce costs and meet sustainability and efficiency goals, smart buildings have become increasingly relevant and the wider adoption of such smart technologies across the country is resulting in an increase in the number of sensors and devices talking to one another. Therefore, as automated systems control more of our environment, it is no longer enough for a building to be smart – it must now be cybersmart. This entails a blended approach of risk-based planning, technology, working with the right partners, assessing old and new infrastructure, processes and capabilities across the building lifecycle, and people skills.

Dr. Adham Sleiman (Pictured), Vice President, Booz Allen Hamilton says, “There is tremendous business value in embracing building automation, including their cost savings, energy efficiency and the security and convenience they offer to their dwellers. Smart buildings are an essential component of a smart city, pushing the power of digital optimization into the offices and homes. As such, it is of paramount importance to protect smart building investments for all stakeholders involved from developers to end-users. To achieve this, cross-functional cooperation between internal and external stakeholders is a must, including IT, cybersecurity and facility teams, external business partners and vendors. This will ensure that the truly transformative benefits of automation and connectivity can be protected so that smart buildings can achieve their full potential.”

Booz Allen Hamilton has created a core functions checklist to help assess and plan for threats throughout the following smart building lifecycle phases:

Qatar smart building industry 2 [].jpg


Consider Security Requirements: Work with vendors and technical partners to prioritize security as an integral part of any connected smart building solution. Define how you want the vendor to integrate with your existing network. Be prepared to articulate the budget for security operations throughout the building lifecycle.


Assess: Set a consistent assessment framework to evaluate security vendors and their solutions. Recognize that business imperatives like cost may supersede security concerns. So design a framework that evaluates the security implications and tradeoffs, but provides flexibility for add-on security controls.

Operations and maintenance

Build in Security: Understand vendor recommendations for how to securely deploy building automation systems and work with your IT department to follow those guidelines. Furthermore, understand how to incorporate additional controls over and above vendor recommendations based on your compliance and risk needs.

Test, Monitor, and Respond: Know your risk. Maintain situational awareness on what’s connected. Develop and implement an assessment framework that will identify security maturity across all domains in your ecosystem. Diligently and regularly stress-test your assumptions and technical vulnerabilities.

Merely having a compliance-focused approach of checking boxes is not enough. Wayne Loveless, Principal, Booz Allen Hamilton says: “As the world evolves to smart neighborhoods and smart cities, potential challenges around cyber security will be inevitable.  It is important to have a plan and be prepared to continually evolve. Cybersecurity isn’t a tax on the business, it is not simply an IT issue, and it certainly shouldn’t be a scare tactic. It is a business enabler and, when executed effectively, it is about insuring your investment and generating returns.”

For more information about cybersmart buildings, please download the full report here.