By Jalal Bouhdada
The very concept of a smart building is a tantalizing one for building owners and managers alike.
Increased energy efficiency, enhanced physical security, and reduced operational costs are just a few of the benefits the buildings of tomorrow are expected to deliver. But the smart building is no longer a vision; with the growth of the Internet of Things (IoT), the smart building of the future is already upon us.
Not only are our buildings already smart, they are getting exponentially more advanced as the pace at which intelligent technology is being introduced to our homes, offices and factory floors continues to accelerate. The amount of money spent on networked lighting, physical security, infrastructure and comfort systems is set to increase in the next four years from what is currently a $7.42 billion market to a predicted $31.74 billion by 2022.
The current pinnacle in smart building design is The Edge in Amsterdam. With a focus on sustainability, it has toilets that flush with rainwater, a robot security guard searching for intruders at night, and smart ceilings that can measure temperature, light, motion and humidity. Workers can control the temperature and lighting via mobile apps, meaning they can work in an environment that suits them, potentially leading to benefits such as increased worker happiness, and therefore productivity.
It sounds like the perfect set-up, but as buildings and technologies of this nature become more widespread, it is important that all stakeholders in the design, building and operation of building management systems (BMS) commit to best practices in cybersecurity to protect against malicious third parties, and make certain they have adequate counter-measures in place in case an attacker does manage to instigate an attack.
Rise of IoT
There is no denying that the more systems and devices that are introduced to a network, the greater the attack surface that cybercriminals can look to exploit. This was made clear when researchers were able to take control of components on a KNX network to attack a Marriott hotel. KNX is a network communications protocol for building management automation used in stadiums, hotels, airports and industrial facilities. Researchers took control of lighting, air conditioning, curtains and other equipment within a hotel room.
The problem is that this type of flaw could become much more common, with much greater ramifications, because many systems are being deployed in an ad hoc manner without proper consideration of their own security, let alone that of other parts of the network.
The list of IoT devices that have been deployed with weak security is endless.
In office environments, this could be access control systems, sensors or CCTV cameras, all of which are common attack vectors for malware developers. Opportunists are always on the lookout for careless technology deployments and design flaws in systems that leave backdoors open into other areas of a network. This is a problem that must be addressed, and quickly.
Smart Building Security
The first issue building owners and managers encounter when trying to secure the smart building is that most are likely to contain a wide mix of new and legacy systems. While many legacy systems were never designed to connect to a network, even brand-new, state-of-the-art technologies may not have been designed, developed or deployed with a “secure by design” ethos in mind.
This secure by design approach is critical.
It encourages cybersecurity to be thought about at the beginning of the design, development and deployment process, whether that be for a new build, or the integration of Internet-connected systems to a pre-existing structure. Following best practices for assessing and mitigating against risk at every stage of the process is a must and could help prevent such attacks from becoming a regular occurrence.
This is where lifecycle management comes in, alongside a long-term plan for upgrading IoT devices once they are deployed. Likewise, proper network segregation should keep poorly secured IoT devices, if there are any left, a long way from servers containing customer data. A full security assessment by an independent advisor would highlight any potential risks and vulnerabilities before a potential incident becomes an accident.
Staff training is another vital piece of the puzzle when ensuring the ongoing security of a smart building. Staff are often the first line of defense, and they must be aware of the dangers that could be encountered when connecting any device to a network without a proper risk assessment. This type of assessment, auditing and continuous testing is the only way to truly deliver security by design.
While these new processes are put in place, building owners, suppliers and managers need to act now to ensure the security of buildings and the private data they already hold, as well as the safety of those within them. Such efforts must be co-ordinated to ensure that whatever IoT devices they are planning to install, or have already introduced, follow secure by design principles.
Jalal Bouhdada is founder and principal ICS security consultant at security provider Applied Risk.
Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. He has a B.S. degree in Security Assurance from Amsterdam University of Applied Sciences and is an active member of the Industrial Internet Consortium (IIC), ISA99, NEN, CIGRE and other professional societies.