Why ‘smart’ buildings are often dumb when it comes to cybersecurity
As building control increasingly moves into the IT sphere, the importance of cyber security is growing in tandem. Gartner recently predicted that, by 2020, more than 25% of all identified attacks in enterprises will come from the Internet of Things.
Worldwide spending on smart security will reach $348m in 2016, a 23.7% increase from 2015 spending of $281.5m. By 2018, this figure will be closer to $547m.
The security implications of putting buildings ‘online’ should not be shied away from. Physical infrastructure is inherently more vulnerable once connected to the digital world.
Understandable, then, that 87% of facilities managers, security personnel and others involved in the management and protection of buildings are at least ‘somewhat concerned’ about the cyber security vulnerabilities posed by smart tech. Polled as part of IFSEC Global’s recent survey on smart buildings, a further 43% professed to being ‘very concerned’. Nevertheless, that even 13% insist they are ‘not concerned at all’ might alarm some observers given widespread reports about the vulnerabilities of internet-connected ‘things’.
Vulnerabilities laid bare
IBM’s ethical hacking team, X-Force, recently conducted a penetration test of a remote building automation system that controlled sensors and thermostats in several commercial offices. X-Force found a way into one of the building’s networks via a vulnerable router. Poor password management meant the team easily accessed the local Building Automation System (BAS) controller and eventually wrested complete control of the central BAS server.
IBM’s penetration test illustrates the enormous potential for disaster in this new world of smart things. However, X-Force was only able to access the BAS due to a series of security lapses. It is a mistake to assume that the buck always stops with the vendor.
“The vendors have a responsibility to ensure that their solutions meet the expectations of the customer,” says Stuart Higgins, head of digital impact for Cisco UK and Ireland. “That they are up to date in terms of the vulnerability landscape and that they are patching both their hardware and software on a regular basis. But, equally, the customer can’t wash their hands of responsibility. It’s no one individual or organisation’s responsibility; it’s a collective duty.”
In 2014, security consultant Jesus Molina told US cyber security conference Black Hat that he had commandeered control of the lighting, HVAC and entertainment systems of 200 rooms at a hotel in the Chinese city of Shenzhen.
A year before that, the US Department of Homeland Security revealed hackers had broken into a “state government facility” and made it “unusually warm”. Google’s Sydney office was hacked through its building management system in the same year. Two cyber security experts discovered the vulnerabilities via IoT search engine Shodan.
Speaking to the BBC, one of these ‘benign’ hackers, Billy Rios, claimed there are 50,000 buildings currently connected to the internet, 2,000 of which lack any kind of password protection. In the hands of more malevolent actors, such breaches could have significant consequences, with disruption to office buildings that costs thousands of pounds in lost productivity sitting at the less serious end of the scale. If the heating system in a hospital or care home were disabled, for example, the upshot could even be loss of life.
Hacks of building systems have already caused profound disruption. In 2013, the theft of millions of customers’ credit card data from US retailer Target was traced back to the heating and ventilation system. More alarming still, a Ukrainian power station was disabled immediately before Christmas in 2015 by a spear-phishing attack – where an employee is duped into downloading malware, usually via email – leaving around 80,000 Ukrainian citizens without power.
Martyn Thomas, a professor of IT at Gresham College, told the BBC “that attempts to attack building management systems are happening all the time […] These BMS systems have hundreds of thousands of lines of code, and yet the average programmer makes 20 mistakes in every 1,000 lines of code, so there are a lot of bugs there.”
Respondents to our survey were polarised over the magnitude of the hacking threat to building management systems. Those who were more relaxed about the risk seemed to have one of two main reasons. The first, expressed by an office-based facilities manager, was that their system “had no physical connection to the outside world”. Similarly, a senior executive in the industrial/warehouse sector said, “no life-critical applications will go on publicly connected networks”.
But even if hackers could access a BMS network, it doesn’t follow that they would have a compelling motive for doing so, according to one integrator: “I work solely in the residential market. My view is that if anyone has the capability to hack my home then they would be more inclined to hack a company for political reasons, or a bank for money. Security is important, but if I worry about this I’d never install any smart equipment. I rely on the hardware purchased for this purpose.”
But can you rely on the hardware? Not so, said one security consultant who believes that ‘security by design’ has only “been addressed in a limited way as only a few leaders recognise the issue and manufacturers do not ensure the products are secure, despite the PR”. A company director cited cyber risk as “one of our main reasons for inaction” when it comes to installing smart technologies.
A health and safety professional offered a balanced view of the risk, saying that “while no critical systems are likely to be integrated” into smart networks “anytime soon, outside influences potentially being able to make changes via networked tech, even if it only means switching the lights off, can be a costly nuisance”.
Adam Bannister, Editor of IFSEC Global