New code of practice puts cybersecurity at the heart of the built environment

Cybersecurity expert Sarah Cameron of Pinsent Masons said the revisions to the code, which was first published in 2014, were timely.

“With the exponential growth of the Internet of Things (IoT) and industrial control technology devices, a vision for physical cybersecurity is an absolutely critical part of strategy,” Cameron said.

Christian Toon of Pinsent Masons said, “As organizations seek to integrate technology infrastructure into built assets, it is essential that safety, security and privacy are engineered into the facility to maximize protections and minimize the risks.

“The benefits are clear: smart, connected infrastructure that delivers convenience, control and business efficiency. The risks posed to this technology can be enormous if not safeguarded throughout the life cycle of the asset,” Toon said.

The IET Code of Practice sets out practical guidance for multidisciplinary teams to achieve its objectives, asking questions and identifying issues to consider. The IET said the code was not intended to be a checklist of effective cybersecurity for the built environment, and unlike published guidance on generic or IT control systems, the document addresses the complexity of both a constructed asset and stakeholder life cycles.

The code is intended to apply to a wide range of functions related to the design, management, operation and security of buildings, the data associated with them and the systems that help them operate, such as lighting, heating, security, elevators and industrial processes or equipment.

“This renewed release of the Code of Practice is a welcome step in reinforcing the message of the ‘byDesign’ principles to be embedded from the start of the program while considering cyber issues throughout the asset lifecycle,” Toon said.

“It is fair to say that this should not be considered in isolation or even implemented as such. This code of practice should be integrated into your product and organizational management system for information security and cybersecurity. This consistent approach will ensure standardization and alignment with business objectives through an acceptable risk lens,” Toon said.

The UK government also set out to secure the next generation of connected technologies by taking a secure-by-design approach in its National Cybersecurity Strategy, published in December 2021.

The Product Safety and Telecommunications Infrastructure Bill is also pending in Parliament, and the Digital, Culture, Media and Sport Committee recently launched an inquiry into the implications of connected technology.

The code of practice also reinforces that protection and resiliency are necessary to protect intellectual property, user data and other telemetry data collected from a building and its systems, to reduce the likelihood that technology is taken over remotely and used for malicious purposes, and to remove the risk to security systems and human life in the event of system failure.

Toon said this is particularly relevant in the context of the growing prevalence of malicious bots or, in the context of the IoT, bot networks, and the threat they can pose to devices and systems.

However, the IET Code of Practice also reminds those involved in the security of built assets that threats can also come from non-malicious and malicious insider sources, and that the security of personnel is a key factor in the implementation of cybersecurity protocols.