Cybersecurity, a new challenge for the construction industry

The smart buildings market is growing in France. According to a study by Xerfi, it is expected to be worth 390 million euros in France in 2023, nearly twice its value in 2017. The data integrated into connected buildings make new functions possible (automatic dimming of a room’s lighting, temperature adjustment, etc.) to limit their energy consumption. However, this data can also bring cyber threats to these buildings.

Building Information Modeling (BIM) is an example of this phenomenon. It is a representation of all the data that form a « digital model » informing on the state of a building or a site and therefore anticipates the wear and tear of the building with the help of algorithms that use the data it contains. The BIM then makes it possible to program work in advance and to insist on a particularly weakened part of the building. However, a British university study has shown that the issues relating to the cyber protection of the accumulated data are not sufficiently taken into account during the construction of a building managed using such a system.

According to the authors, by concentrating all the information about the building’s facilities, the existence of a BIM makes the building vulnerable to cyber threats: « The information represented in infographics shows in great detail the devices, facilities, and settings, as well as all the parts that have been assembled in the building. As a result, this makes a large number of threats possible in the event of a cyberattack targeting a building’s maintenance system running on a BIM. »

Hackers can also penetrate the information system of smart buildings by using connected objects. These devices exchange data with each other via the Internet but have a lower level of protection than a private network or an isolated computer. These objects’ passwords are defined by default by the manufacturers and are not always changed once installed. If hackers manage to guess it, they can then connect to it to capture the flow of data passing through it and even take control of the building.

The Austrian hotel Seehotel Jägerwirt was the setting for this scenario in early 2017. The room locking system was activated with a computer code locking the tourists in the room. The establishment’s management was forced to pay a ransom to unlock the rooms. This case of ransomware illustrates the security challenges of the IoT, which are all the more important as there will be more than 75 billion devices connected to the Internet worldwide in 2025, according to Statista.

A collective effort to ensure security and surveillance

Cyber protection solutions specific to the building sector are growing. According to the Swedish firm Memoori, the cyber protection market for smart buildings should be worth 8.3 billion euros by 2027. In France, IT and IoT design specialists have come together in the Smart Building Alliance (SBA) to develop this market.

This involves establishing cybersecurity practices that must be adopted. To this end, the SBA presented the Ready-to-Service (R2S) label in collaboration with the construction industry certification body Certivéa. This label defines the quality of design and operation of a connected building. First implemented in 2018, this label was updated in June 2022, including a component dedicated to cyber. It is used by IS specialist service providers and SBA members (ABB, Equans…) as a security guarantee to design a site’s information system.

To protect a building from IT threats, it provides for the installation of specific hardware (access control, conditional network routing, data encryption, presence of a Virtual Local Area Network) as well as security procedures to be followed (how much attention is paid to alerts? How often are updates made?) in addition to network compliance with the GDPR.

Since the creation of R2S, a hundred buildings have received or are in the process of receiving this distinction in France. Its implementation is increasing. Between the first quarter of 2021 and the first quarter of 2022, the number of applications for this certification has tripled.

The birth of a regulatory framework

This initiative highlights the lack of cyber rules that are specific to the construction sector. While the building industry regulations set out instructions for ensuring the solidity, accessibility, and energy performance of a building, they do not address the issue of cyber protection. This makes it difficult to define a global cybersecurity strategy that would establish the role and responsibilities of each of the stakeholders of a construction site (construction companies, software publishers, lessors, and electronic equipment suppliers…). This situation is about to change, however, for two reasons.

The first one concerns the Cyber Resilience Act, which was presented by the European Commission at the end of September. This text plans to make it compulsory for manufacturers of connected objects to comply with cybersecurity criteria (« security by design ») when offering their products within the EU. These criteria concern the installation of a data encryption program, the presence of a user authentication system, and/or frequent updates of the software used. Devices installed in the core of smart buildings will then be more difficult to hack.

The second reason concerns the requirement in this same European regulation for companies that have been the victims of a cyber attack to report it to ENISA. This will encourage companies, including those in the construction industry, to be transparent about the level of protection of the data they host. It should be noted that the GDPR already obliges legal entities to protect the personal data they hold.

As a result, these measures will accelerate the consideration of cybersecurity issues in the construction sector, where the use of data is far from being a novelty. Start-ups are already using data analysis to ensure the safety of workers on construction sites (such as CAD 42) or to monitor a building to slow down its obsolescence (Cementys). And when it comes to protection against cyber threats, new players are emerging.

One example is the Bouygues Group’s acquisition of Equans from Engie in October 2022. This year, Equans announced the creation of a new brand called Equans Digital. This new brand will apply its employees’ expertise in cybersecurity, application solutions, and interoperability to specific fields (audiovisual, robotics, BIM, etc.). Within the Bouygues group, Equans will absorb its subsidiary Energy & Services to form a new branch, the largest in terms of projected sales, which will specialize in information technologies.