With the Internet of Things, smart buildings pose big risk

As buildings get more automated, they raise new security risks

In an Internet of Things (IoT) world, smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.

The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid.

The threat that such systems pose is two-fold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and pose safety risks.

Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.

The massive data theft at Target, for instance, started with someone finding a way into the company's network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In Target's case, the breach appears to have happened because the company did not properly segment its data network.

Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the U.K.'s Institution of Engineering and Technology.

"It creates some interesting challenges for enterprise IT," Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control."

As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on.

In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have web connectivity linking them with an external third party for maintenance and support purposes. "You quickly get into a situation where a network that was just inside the building goes to locations outside the building," Boyes said.

It's not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might put smart sensors on all the elevators in a building to spot a failure before it happens. Or, a building manager might have technology in place to monitor and conserve water use in a facility.

Many of these technologies will have a path out of the building and over an IP network to a third party supplier or service provider, Boyes said. Often the data from these systems are captured not only for real-time decision support but also for longer-term data analytics.

Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC.

Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks.

"None of these systems are isolated any longer," Sinopoli said. A security breach in one system could have a cascading effect on multiple building automation systems and networks, he said.

The threat is not only about someone penetrating a building system to cause serious disruptions. There is also a potential impact on IT, such as a loss of communications due to a building system outage or unauthorized access to enterprise data because of poor segmentation between the building automation network and the IT network.

"The penetration of IT into building systems is an issue that is front and center" at a growing number of companies, Sinopoli said.

As buildings have become smarter, vendors of consumer devices have begun entering the space, said Rolf von Roessing, president of German security consulting company Forta AG and a member of ISACA's Professional Influence and Advocacy Committee. ISACA is a trade group focused on IT governance issues, with 128,000 members.

"Building automation, including critical functionality, is now readily available through web shops and hardware or electronics stores. While professional solutions usually feature in-built security and protection against hacking, consumer offerings are less well protected," von Roessing said.

In terms of preparation, IT practitioners should extend their information security and cybersecurity management processes to cover buildings and building management systems, he said.

"In many cases, these will be controlled through a Windows-based or compatible interface, using standard PC equipment and network connectivity via standard IP," von Roessing said. "Where remote control is a known or desired feature, security practitioners should look long and hard at mobile devices, the remote control apps and underlying processes. If and where critical building functionality can be controlled and manipulated from an unprotected mobile device, there is a significant risk of breaches," he said.

For a growing number of companies, the issue is already upon them, said John Pescatore, director of emerging security trends at SANS.

In a SANS survey on the security of the Internet of Things, smart buildings and industrial control systems were the second most frequently cited near-term concern behind consumer devices, Pescatore said.

Often, IT has little idea of the sheer scope of the issue, Pescatore said. He gave the example of one university's chief information security officer at a recent SANS conference who ran a security scan of a new building on the campus. "In a single six-story building, he found nearly 1,500 sensors," in elevators, doors, camera systems, lighting and heating systems and elsewhere, Pescatore said.

Traditionally, building management systems have not been considered IT systems. They are not selected by the CIO and have long been considered operational technology under the purview of building and facilities management teams.

That attitude will have to change. Building management and IT organizations will need to work together to identify and mitigate potential risks, said Robert Stroud, the incoming international president of ISACA.

But any response will need to be based on a thorough understanding of the risks, Stroud said. Companies will likely have to pay more attention to practices like network segmentation, strong authentication and network monitoring.
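The two practices Stroud names, network segmentation and network monitoring, can be checked against the building automation traffic that Sinopoli describes. The following Python script is an added example, not code from the article or from any of the organisations quoted in it: given flow records exported from a firewall or NetFlow collector, it inventories the hosts speaking BACnet/IP (UDP port 47808, the protocol's standard port) on the building automation subnet and flags any flow that crosses between that subnet and the corporate IT subnet unless the corporate-side endpoint is an approved facilities management host. The subnets, the approved host, the flow format and the flow lines themselves are constructed sample data.

```python
"""Segmentation and monitoring check for a building automation network (BAN).

Added example (not from the article). Inventories BACnet/IP devices from
flow records and flags flows that cross between the building automation
subnet and the corporate IT subnet without going through the approved
management host. All addresses and flow lines are constructed sample data.
"""
import ipaddress

BACNET_PORT = 47808  # 0xBAC0, the standard BACnet/IP UDP port

# Constructed addressing plan (assumption, not from the article).
BAN_SUBNET = ipaddress.ip_network("10.50.0.0/16")   # building automation
CORP_SUBNET = ipaddress.ip_network("10.10.0.0/16")  # corporate IT
# The only corporate host permitted to talk to the BAN: the facilities jump box.
ALLOWED_BRIDGE_HOSTS = {ipaddress.ip_address("10.10.5.20")}

# Constructed flow log, one record per line: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
10.50.1.10,10.50.1.255,udp,47808,120
10.50.1.11,10.50.1.10,udp,47808,88
10.50.2.7,10.50.1.10,udp,47808,96
10.10.5.20,10.50.1.10,tcp,443,5120
10.10.7.33,10.50.1.11,tcp,22,3010
10.50.1.11,10.10.3.4,tcp,445,18000
10.10.7.33,10.10.8.9,tcp,80,700
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        try:
            flows.append({
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto.lower(),
                "dport": int(dport),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # malformed address or number: skip rather than crash
    return flows


def bacnet_inventory(flows):
    """Return the sorted list of BAN hosts seen sending BACnet/IP traffic.

    Only sources are recorded, so broadcast destinations (e.g. Who-Is to
    10.50.1.255) never appear as devices in the inventory.
    """
    seen = set()
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == BACNET_PORT and f["src"] in BAN_SUBNET:
            seen.add(f["src"])
    return sorted(seen)


def segmentation_violations(flows):
    """Return flows crossing between BAN and corporate subnets whose
    corporate-side endpoint is not an approved bridge host."""
    violations = []
    for f in flows:
        src_ban, dst_ban = f["src"] in BAN_SUBNET, f["dst"] in BAN_SUBNET
        src_corp, dst_corp = f["src"] in CORP_SUBNET, f["dst"] in CORP_SUBNET
        crosses = (src_ban and dst_corp) or (src_corp and dst_ban)
        if not crosses:
            continue
        corp_end = f["src"] if src_corp else f["dst"]
        if corp_end in ALLOWED_BRIDGE_HOSTS:
            continue
        violations.append(f)
    return violations


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("BACnet devices on the BAN:")
    for host in bacnet_inventory(flows):
        print("  ", host)
    print("Segmentation violations:")
    for f in segmentation_violations(flows):
        print(f"   {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} ({f['bytes']} bytes)")
```

Run against the constructed flows, the inventory lists the three BAN hosts that sent BACnet traffic, the HTTPS session from the approved jump box passes, and the SSH session from an ordinary workstation into the BAN and the SMB session from a BAN device out to a corporate file server are both reported. On a real network the same two checks, fed from the firewall between the segments, are the cheapest way to learn that the building has a path into IT that nobody approved.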

Vendor management processes will need special attention, Stroud noted.

Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation world don't have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products. Few have any notification process to let customers know about security threats to their products.

IT organizations will need to work with building management teams to update vendor lists, build a register of contacts and know who to reach out to in case a response needs to be escalated, Stroud said.

This article, With the Internet of Things, smart buildings pose big risk, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.