Insight into the future trends and challenges of the smart building industry and how these systems must be secured.
The buildings we live in are getting better, smarter, and more connected. It seems that as we speak, the scenes we have only watched in sci-fi movies are becoming a reality, starting with the ‘smart buildings’ where our offices and apartments are located.
Only a few years ago, buildings offered very basic services. They had a central building management system (BMS) and one or two sub-systems, isolated from each other, typically used to control heating and air conditioning, the lift or lighting systems. The control implemented by the BMS included simply switching on or off the right equipment at the right time of the day or year.
This situation is rapidly changing. In response to the need to reduce energy consumption and make buildings self-sustainable and more comfortable, a wide range of new systems are entering the smart building ecosystem. We now have badges to enter a building or access specific areas of it, solar panels to produce electricity and smart meters to lower energy bills. A staggering range of new applications and services are enabled by these systems, and especially by their integration and communication. BMS are now called iBMS, with the ‘i’ standing for integration, and the buildings are called smart because of the complex use cases they can support.
The benefits of smart buildings are immeasurable. In case of fire, the iBMS could disable the elevator systems and open emergency exits, improving the safety of the building’s occupants. The iBMS can anticipate weather conditions and adapt the building’s usage of the heating system accordingly, leading to energy savings. Home appliances can be automatically powered on when the energy cost is the lowest, thanks to the communication among smart meters, the energy grid and solar panels. Altogether, these scenarios reduce energy consumption and improve the comfort of building occupants. In the future, smart buildings will become even smarter, and may communicate with each other and the city’s infrastructure to form what is commonly known as a “smart city”.
Unfortunately, this evolution does not come without risks. It has been estimated that by 2018, 20% of smart buildings will have suffered some form of digital vandalism [1, 2]. The threat surface is large, and the consequences of a security breach can be significant. As of today, there are already many cases of cyber-attacks on smart buildings: in 2016, in a hotel in Austria, people were locked out of their rooms until a ransom was paid [3]; in Finland, a DDoS attack targeting the heating system left residents of two apartment buildings in the cold [4]. The consequences of these attacks could become increasingly dangerous and costly if the targets were to be critical buildings like hospitals, data centers, governmental or public buildings.
One might think that smart buildings are just another incarnation of industrial control systems (ICS) and that their security should be handled like ICS security. This is a misunderstanding for several reasons: (a) smart buildings are much more “open” and interconnected than ICS; and (b) while IoT (Internet of Things) devices will likely not get through the perimeter of ICS, they will certainly enter (and likely reshape) the building automation industry. The new generation of smart buildings will most likely not replace existing legacy systems, but rather enhance them with new technologies. This means we will witness the integration of old OT (operational technology) systems with the latest IT (information technology) devices, including IoT.
BMS include industry-specific sensors, actuators and controllers that are expensive and can only be acquired through specific channels. With the advent of the IoT, sensors (e.g., for presence, humidity or temperature) and basic dedicated controllers (e.g., thermostats like Nest) are available in consumer shops. They are much cheaper than industry-specific devices and far easier to install. In addition, they offer remote management via wireless connections (Wi-Fi or Bluetooth) but, because of their fast time-to-market, they often lack security features [5]. This situation directly affects the security of smart buildings: a vulnerability in an IoT sensor might let the attacker into a more critical (and far more fragile) network where great damage can be carried out.
Smart building security requires a new approach that considers the following main points:
- Be prepared for the unknown – While we do not know how smart buildings will be attacked in the future, we must keep in mind while building them that no system is 100% secure. We need to think of an action plan ahead of time, to prepare for when specific subsystems fail or are attacked.
- Increase visibility – With ubiquitous connection, it is necessary to have visibility of the assets entering and leaving the network, and to have a clear footprint of their status and activities. Visibility is a precondition to spot misconfigurations, faults or anomalies that can lead to a security incident. Visibility can be achieved with continuous monitoring of network activities, providing a real-time view of the network status and enabling and assessing security controls.
- Establish cross-industry collaboration – Finally, we need to make sure that all the different stakeholders sit at the same table. To develop viable security solutions, building managers, vendors, systems integrators, security experts and regulators need to communicate with each other and collaborate on a solution.
The security community needs to face these challenges to make sure that a smarter future is not a less secure one. To learn more about the current state of smart building cybersecurity, download our BAS report.
[1] “Cyber Security in Smart Commercial Buildings 2017 to 2021.” Memoori, Memoori Research AB. Q2 2017. memoori.com/portfolio/cyber-security-smart-commercial-buildings-2017-2021/
[2] “State of Cybersecurity 2019, Part 1.” ISACA. https://cybersecurity.isaca.org/state-of-cybersecurity
[3] “Could hackers really take over a hotel? WIRED explains.” February 2, 2017. Wired. http://www.wired.co.uk/article/austria-hotel-ransomware-true-doors-lock-hackers
[4] “Hackers leave Finnish residents cold after DDoS attack knocks out heating systems.” November 9, 2016. ibtimes. http://www.ibtimes.co.uk/hackers-leave-finnish-residents-cold-after-ddos-attack-knocks-out-heating-systems-1590639
[5] “Wi-Fi passwords can be stolen by hacking smart lightbulbs.” July 8, 2014. Wired. http://www.wired.co.uk/article/crypto-weakness-lightbulbs