Enter any large or tall building, and you will see signs of security. These familiar sights include CCTV cameras covering every inch of the property, safety points where someone can call for help, and security personnel ready to intervene physically if necessary. While protecting a building and its inhabitants from physical threats is still a growing concern, the danger of a cyber attack can prove just as dangerous (if not more).
With the increasing implementation of connected devices, known as the Internet of Things (IoT), into smart buildings, as well as the use of operational technology and IT systems now so widespread, the points of cyber attack are increasing. With these systems open to the entire world, threats are also no longer localized, as discussed in the following article: An Escalating Threat – How Smart Buildings Can Fall Victim to a Cyber Attack https://www.hstoday.us/subject-matter-areas/infrastructure-security/an-escalating-threat-how-smart-buildings-can-fall-victim-to-a-cyber-attack/
Smart Buildings
To maintain energy efficiency and remain marketable in the competitive real estate industry, most properties larger than 10,000 square meters are now smart buildings by design and by default. Through the use of sensors, clever software and an enhanced understanding of data analytics, facilities managers are now able to automate many of the functions of a building, such as lighting, heating, access control, fire detection, elevators, and electric power distribution.
While proptech makes the management of these intuitive through more connected Building Automation Systems (BAS), creating so-called ‘smart buildings’ from residential towers, office blocks, hospitals, retail premises, and universities entails the implementation of thousands of subsystems. These subsystems, in turn, rely on a network of sensors and controls distributed throughout the building.
With such disparate and foten ad-hoc connectivity, the opportunity for malicious agents to access these systems is extensive. One of the most common forms of attack, for example, is to target BACnet, a protocol commonly used in building automation, including the regulation of heating, ventilation, and air conditioning (HVAC). In its most popular variety, BACnet comes unencrypted. As discussed in our article on the risks of not using encryption, unencrypted data can be listened to and controlled.
Wireless networks used to implement IoT devices also pose a risk. Mesh networks running WiFi, ZigBee, and Bluetooth are all similarly vulnerable to cyberattacks. Part of the problem is that as automation demands increase, the computational power necessary to perform the tasks requires the use of microcontrollers and embedded operating systems. Though powerful for their size, these devices are relatively simple and, once hooked up to a wider network, offer points of entry for cyberattacks.
Increase in Cyber Attacks
In 2019, the internet security company, Kaspersky, discovered that four in ten smart buildings were the subject of malicious attacks. According to Kaspersky’s research, most attacks came from the web and sought to compromise a building’s BAS:
- 26% of attacks came from the web
- 10% of attacks came from removable media
- 10% of attacks came from phishing links
- 1.5% of attacks came from shared corporate network folders
The types of attacks detected were all varieties of malware. These range from worms and spyware, to more malicious attacks like ransomware. One of the most widespread cyber attack methods is to target the operational technology used in the critical functions of smart buildings. According to the article above, attackers will often look to exploit the siloing of OT and IT systems, with the weaker security of the former allowing access to the latter.
As smart buildings become more complex, integrating a host of IoT devices and other possible points of compromise, the potential for data breaches – and worse – increases. While data breaches pose a particular type of risk, the danger to human life of cyber attacks that manipulate and corrupt the physical access and menachical breathing systems of buildings is now all too real.
In 2017, the Austrian hotel Romantik Seehotel Jägerwirt found guests were locked out of their rooms after an attack compromised the access system. While that security breach did not result in harm to human life, thankfully, similar scenarios can be imagined where non-functioning building systems, including HVAC and fire detection, could put people directly in harm’s way.
Building Automation Systems Now Targeted
With cyber attacks on power grids and even nuclear programs causing industrial control systems (ICS) to beef up cyber security, smart buildings and their building automation systems are the most likely next target for attackers. The interconnection of older operation technology with newer IoT devices is resulting in vulnerabilities that are predictable and, frankly, inevitable.
While many of the cyberattacks simply demand cryptocurrency in return for access to systems, there is an increase in hacktivism targeting smart buildings. These cyber attackers are less concerned with financial gain and aim to make political points through their compromising of a building’s BAS. These attacks are often endorsed by rival states and well-organized criminal groups in the hopes of disrupting enterprise, according to the above article.
Whatever the reason, a smart building that finds itself compromised by a cyber attack can expect damage in a variety of ways. If a HVAC system comes under the control of threat actors, for instance, the risk to the health and possibly life of the inhabitants is considerable. If the internal climate controls are taken over, for example, temperature levels could be raised to intolerable levels affecting breathing. The risk to data is also significant. The ability to control temperature and ventilation could lead to server rooms no longer being sufficiently cooled. This sort of BAS attack can lead to prolonged business downtime and disrupt operations.
Addressing the Issue
The prevention of such cyber attacks requires forward-thinking by the designers of master systems and facilities managers. The building industry as a whole needs to implement more cybersecurity frameworks such as Standard Access’ Digital Spine technology.
While the last twenty years have seen an increase in the physical security protecting tall and large buildings, the next twenty will see a much greater focus on cybersecurity. Cyber attacks pose not just a threat to data and digital systems, but through the IoT, a real and significant risk to properties and to human health.
With attacks on our buildings now possible from a computer on the other side of the world, it is vital to address this weakness in smart buildings. While all buildings can benefit from retrofitted digital master systems, incorporating robust and secure systems at design stage is the most effective and cost-efficient approach and we expect this approach to become best practice in a short amount of time.
About Standard Access:
Established in 2014 by Damien Browne, Standard Access is the global leader in IoT digital spine secure data transmission for smart building technologies, providing solutions for contactless building access through the patented Sonic Handshake®, along with a suite of AI-enabled solutions for building owners/operators and their tenants. www.standardaccess.co
