Legal blog: Cyber Security - building services

Theft of confidential information and development of copycat products are a significant issue in many sectors, especially those involved with R&D. Recent research from the European Commission has shown that confidential R&D information (trade secrets) is a very valuable form of intellectual property, of particular importance to SMEs and start-ups.

The progression of technology, both around physical security and advanced buildings and infrastructure, has provided significant opportunities for security, but has also drastically increased the potential surfaces for attack. On the one hand, technology such as biometric scanners provides, if implemented properly, a significant advance in access control. On the other, the proliferation of networked “internet of things” devices – which may be used by the business occupant, the building owner and/or the infrastructure providers – means the entry points for bad actors are far more numerous than before and are often weak points with poor security. 

In single-tenant, specialist R&D facilities, it is easier for the company to specify requirements and integrate physical and building security into its own corporate processes. Access to buildings is easier to control, too. Where a building is purpose-built, the company can specify its own standards. However, even in that situation, it is important for both the business and the relevant parties involved in construction of the facility to properly understand the requirements and bring their own knowledge and experience to the project. The route by which attackers obtained access to point of sale devices in Target stores in the US – the HVAC provider – remains the best-known example of how attackers can move through different connected building infrastructure systems to get to their target. Industrial control systems remain a significant risk, particularly where many have been in use for some years and can be fundamentally insecure. 

In addition, consideration should also be given to how physical security measures can themselves be the subject of cyber attack to reduce their effectiveness or take them offline, particularly where security systems can be remote monitored. It was reported in November 2016 that the heating systems in two apartment buildings in Finland were knocked offline by cyber attacks. It does not take too much imagination to work out how building infrastructure itself could be targeted to compromise security.  

The shift to flexible office space in multi-tenanted buildings creates a whole new range of complex issues. Many tech companies now operate in this environment, particularly in the early days, when product development is most of the activity of the business. It is in the nature of such businesses that expertise is often on a contract basis with individuals or in collaboration with other organisations. There is also the growth of home working arrangements. These factors mean that employers are limited in their physical ability to control the movement of information out of a building. In shared facilities in particular, firms may not be in a position to wholly control electronic entry points. In such a case it is important to engage constructively with those with the relevant knowledge of building-level systems and controls and entry points (both physical and electronic) to understand security risks. That engagement can only be effective if information about risks is appropriately shared and considered.  

In all situations, information security and physical security plans and policies should interact fully with business continuity plans. For example, if power is cut off to a building, or a DDoS (distributed denial of service) attack takes some systems offline, business continuity plans should be enacted to allow the business to continue operating as best it can, but consideration should be given to how such situations could impact on security. IT systems may automatically switch over to an off-site backup system, but is the security (both physical and electronic) of that location as good?  

Cloud services can deal with these issues to some extent, but some firms remain reluctant (rightly or wrongly) to adopt cloud for the most sensitive of research. If cloud services are used, then particular care should be taken over the security arrangements of the cloud provider, and contractual protections implemented that are appropriate to the confidentiality of the data in question. Some businesses seek to test physical security arrangements, although some providers can be reluctant to permit this. 

Taking appropriate steps to protect key R&D information can go a very long way to reducing risk of data theft or alteration, both from internal and external threats. Understanding the risks and how they relate to the built environment is crucial. We have seen several instances of confidential information being accessed through poor security, and some high-profile public breaches have involved access through building infrastructure. Unfortunately the problem will only become more complex as the proliferation of networked “internet of things” devices increases.