If these walls could talk. And in the ‘connected’ buildings that continue to be of prime interest for real estate and infrastructure investors, the doors, the lights, the appliances, and much more beyond.
In a recent survey by the Royal Institution of Chartered Surveyors, 27% of respondents reported that their building had suffered a cyber attack in the past 12 months — while 73% of the 8,000 survey respondents believe that an attack will disrupt their business in the next two years.
So-called smart buildings offer benefits for owners and operators (e.g., reduction in operational costs, lower environmental impact and improved efficiency) as well as tenants and residents (e.g., greater personalisation, increased safety and security, and heightened user convenience). But with the collection and generation of vast amounts of data, both personal and otherwise, come a range of data protection and cyber security challenges for owners and operators as well as their investors.
Data Protection Challenges
- Of the types of personal data that are collected about individuals as they navigate through the world, when and how they use their homes and offices may not appear to be the most consequential. However, connected buildings collect a range of data that can reveal insights into the lives — and, in some cases, the private lives — of occupants, workers and visitors to the buildings. These data can be generated from a host of sources, including access control and surveillance systems, visitor management tools, occupancy tracking and service applications, and amenities usage, among others.
- Where these data are personal, data protection laws in the EU and UK will apply to their collection and processing. But the non-personal data generated by connected buildings — including occupancy and footfall information, sensor and energy usage data, system performance logs and equipment diagnostic data — can often be just as valuable to operators, owners and investors, as well as, inevitably, to bad actors.
- Beyond data protection laws, current and incoming cyber security laws can — in the case of the EU’s NIS2 Directive — apply where a connected building hosts activities in critical sectors such as energy, transport, health, water or digital infrastructure. Similarly, an organisation that provides critical services to an in-scope entity will likely be asked by that entity to meet — potentially stringent — diligence requirements and contractual security standards.
- In the UK, the soon-to-be-announced Cyber Security and Resilience Bill builds on the NIS (Network and Information Security) Regulations — the UK’s version of the NIS2 predecessor, NIS1 — and will broadly align the UK and EU approaches to regulation of critical infrastructure and digital services. Most notably, the Bill is expected to prohibit private sector entities that operate within the Critical National Infrastructure (CNI) from making ransom payments. The CNI, which includes the energy, water, finance, communications and transport sectors, could apply to connected buildings and structures that form part of those sectors, thereby heightening the need for owners, operators and investors in smart infrastructure to take these issues seriously.
Cyber Security Challenges
- All internet-connected systems face security risks, and bricks and mortar structures are no exception. Indeed, the rich pools of data produced by connected buildings, together with a variety of attack surfaces to be exploited (sometimes with relative ease), have made them increasingly attractive targets for threat actors, as the Royal Institution of Chartered Surveyors survey bears out. Risk vectors are varied, including:
  - Unsecured connected devices (e.g., smart sensors and security cameras) with weak security can serve as an easy entry point for attackers, as can building automation and management systems. In one case, a bad actor accessed a building’s management system via a connected vending machine.
  - Phishing and social engineering have become a key weapon for threat actors across industries, and although buildings are becoming increasingly digitised, the human factor — front desks, cleaning and security staff, facility managers, and more — remains both critical to their operation and an ongoing source of risk.
  - Relatedly, supply chain risks can be particularly acute in the real estate sector, given the number of vendors that implement or manage building systems. Software, hardware and cloud hosting providers, as well as more ‘analogue’ vendors (e.g., electricians, lift maintenance), can all be a source of vulnerability, at both the human and the technological level.
Connecting The Dots
Smart buildings are fast becoming the new standard in real estate and infrastructure development, use and investment. But the technologies that help to drive operational efficiency and tenant experience also create complex data protection and cyber security challenges for building owners, operators and investors. To meet those challenges, they should consider taking the following (non-exhaustive) steps:
- Owners. Prioritise cyber security investment, including by maintaining cyber insurance — a topic I recently wrote about here. Assess the laws that apply to the processing of personal and non-personal data, and ensure that all appropriate privacy notices, consent forms, policies and procedures are put in place. And take ultimate accountability for the supply chain, including by outsourcing data processing functions — and liability — to the operator.
- Operators. Adopt robust technical security measures across the estate, including network segmentation, patch management and software updates, regular penetration testing and defined — and tested — incident response plans. Ensure that sub-contractor diligence and contracting adheres to applicable laws (e.g., GDPR, NIS2) as well as owner-specific requirements. And embed a security-first culture among staff and contractors, with particular vigilance around social engineering and other ‘soft’ forms of compromise.
- Investors. Ensure that cyber security and regulatory compliance are assessed — and robustly so, where the context requires — during diligence. Mandate that technical and legal gaps are remedied as a matter of priority following acquisition. And require regular reporting, including cyber security risk assessments and significant incident reports, during the lifecycle of the investment.