The Secret to Securing Smart Buildings

Buildings are getting smarter, and the pace at which intelligent technology is being introduced to our homes, offices and factory floors is breathtaking. The amount of money we collectively spend on networked lighting, physical security, infrastructure and comfort systems is set to increase more than fourfold in the next four years according to recent analysis, from what is currently a $7.42 billion market to a predicted $31.74 billion by 2022.

It’s not surprising; smart building technology has proven itself a good investment for owners and managers. Energy efficiency in particular is desirable both from a financial point of view and in the push for “zero-carbon” designs, which has been driven by initiatives such as C40 Cities and the EU’s Energy Performance of Buildings Directive (EPBD). Building management systems (BMS) that can channel natural lighting and air are as common in high-rise office blocks as they are in data centers.

Landlords and building managers also want to take advantage of connected security and access control systems to better protect and improve the welfare of tenants and workers. Access control systems, for example, are likely to be found in a range of buildings including military bases, government buildings, educational facilities, banks, casinos, stadiums and retail outlets. But as technology becomes an integral part of construction, it becomes imperative that all stakeholders in the design, building and operation of BMS commit to best practices in cybersecurity to protect them from malicious threat actors, and ensure that new technologies have enough resilience to keep building infrastructure running if and when attackers do get in.

Increased connectivity means more vulnerabilities

The opportunity of smart buildings is that the more interconnected individual systems are, the greater the efficiencies that can be gained. Data from IoT sensors can be used to automate systems such as lighting and HVACs, and even anticipate which floor an elevator/escalator might be needed on. However, the more systems and devices that are introduced to a network, the greater the attack surface that third parties can look to exploit. The problem is that many systems are being deployed in an ad hoc manner without proper consideration of their own security, let alone other parts of the network. 

There’s an endless and well documented list of IoT devices which have been deployed with weak security, presenting an easy target to would-be attackers. Devices which connect directly to the internet deployed in office environments – such as sensors and CCTV cameras – are a favorite for malware developers. Opportunists are always on the lookout for weak access control systems too, as well as careless technology deployments and design flaws in systems that leave backdoors open into other areas of a network.

When insecure new devices are integrated into a larger BMS, intentionally or not, the danger is that they compromise other parts of the system. And this is not a hypothetical problem. The issue of how weaknesses in a single, trivial system can be used to compromise others came to the fore in an incident at a Las Vegas casino, in which attackers are thought to have gained access to an internet-connected thermometer installed in an aquarium display.

Securing a building from digital threats

As unexpected as the casino attack sounds, it would be naïve to think that this was an isolated incident. Smart buildings are likely to contain a wide mix of new and legacy systems, with many of the latter never designed to be exposed to the internet. This makes them extremely difficult to protect once integrated into smart systems for monitoring and control.

But even the newest products require careful testing and monitoring, and vulnerabilities in connected products common in offices and industrial environments, such as controllers or CCTV cameras, have been well documented and are disturbingly common. Furthermore, some of the protocols that were specifically designed for building automation, such as KNX, Zigbee and Bluetooth, are lacking proper security and have been shown to contain significant vulnerabilities. 

Such examples should highlight the necessity of ensuring the security and safety of BMS. A “secure by design” approach, which follows the best practices for assessing and mitigating risk at every stage of the deployment process, could have helped prevent all these attacks, ensuring not only the safety of those in a building but also the protection of their private data.

This highlights the need for lifecycle management and a long-term plan for upgrading IoT devices once they are deployed. Likewise, proper network segregation should keep fish tanks a long way from servers containing customer data. A full security assessment by an independent advisor would have highlighted these potential vulnerabilities before they were left unprotected.

Secure by design also means planning for ongoing security audits and continuous testing, as well as heuristic network monitoring that should alert IT and OT security teams to unusual activity or unexpected devices. It means making sure that staff are aware of the dangers of introducing a novel but vulnerable feature without proper consultation. Putting the right procedures in place is critical as building management is becoming ever more challenging from a security point of view.
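
The segregation and unexpected-device checks described above, as an added example (not from the article or any product): flow records are audited against a zone policy and an asset inventory, a rule-based stand-in for heuristic monitoring. All subnets, zone names, addresses and flows are constructed assumptions.

```python
import ipaddress

# Constructed zone map: subnet -> zone name (assumed addressing plan).
ZONES = {
    "10.10.0.0/24": "bms",            # HVAC, lighting, sensors
    "10.20.0.0/24": "cctv",
    "10.50.0.0/24": "customer-data",
}
# Zone pairs allowed to talk; any other internal crossing is a violation.
ALLOWED = {("bms", "bms"), ("cctv", "cctv"), ("customer-data", "customer-data")}
# Approved external destinations per zone (constructed vendor update host).
EXTERNAL_ALLOW = {"bms": {"203.0.113.10"}}
# Asset inventory: addresses the building team knowingly deployed.
INVENTORY = {"10.10.0.5", "10.10.0.6", "10.20.0.9", "10.50.0.2"}

def zone_of(ip):
    """Map an address to its zone, or 'external' if outside every subnet."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def audit(flows):
    """Return (reason, src, dst) alerts for outbound/internal (src, dst, bytes) flows."""
    alerts = []
    for src, dst, _nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "external":
            continue  # inbound traffic is out of scope for this check
        if src not in INVENTORY:
            alerts.append(("unexpected-device", src, dst))
        if dz == "external":
            if dst not in EXTERNAL_ALLOW.get(sz, set()):
                alerts.append(("unapproved-external", src, dst))
        elif (sz, dz) not in ALLOWED:
            alerts.append(("segmentation-violation", src, dst))
    return alerts

# Constructed sample flow records: (src, dst, bytes).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.6", 1200),           # sensor to controller: fine
    ("10.10.0.5", "203.0.113.10", 800),         # approved vendor host: fine
    ("10.10.0.5", "10.50.0.2", 50_000),         # BMS device reaching customer data
    ("10.10.0.77", "10.10.0.6", 300),           # device missing from inventory
    ("10.10.0.6", "198.51.100.23", 9_000_000),  # unapproved external upload
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```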

The good news is that these are challenges that regulators and policy makers are looking into. The EU’s Smart Buildings Alliance for Smart Cities (SBA) is developing codes of practice for building managers and vendors alike, while insurance companies are developing new product lines for risk assessment and cover in smart buildings. 

In the meantime, however, building owners, suppliers and managers need to act to ensure the security of buildings and the private data they hold, and the safety of those within them. The secret to smart building security is coordinating efforts to ensure that whatever IoT devices they are planning to install, or have already introduced, abide by the principles of secure by design.

Related: Hacked Smart Fish Tank Exfiltrated Data to ‘Rare External Destination’
