IoT Security Foundation (IoTSF), an international and vendor-neutral members' initiative based in the UK, recently published a whitepaper on security issues of smart buildings.
The whitepaper lists possible security threats to smart buildings, and how every stakeholder in the ecosystem can contribute to preventing these issues from occurring.
Vulnerabilities in smart buildings
Security threats to smart buildings stem from various sources, such as financially motivated cyber criminals, states and state-sponsored groups, hacktivists and malicious insiders.
Poor installation by electricians and HVAC engineers who lack sufficient knowledge of IoT security, leaving building management system (BMS) controllers exposed on the internet, is a major concern that leaves buildings vulnerable to attack, according to a security research whitepaper by Pen Test Partners. Possible attacks include hackers sabotaging HVAC devices, which would give them the ability to close offices or to cause life-threatening situations at healthcare institutions.
Building Automation Systems (BAS) can also be attacked by malware that exploits vulnerabilities in the system as well as several older, publicly known flaws, according to the whitepaper. This gives attackers the ability to take over the controls of freezers and chillers in hospitals and supermarket chains.
Other issues listed in the whitepaper include data leakage after a casino thermometer was hacked, video surveillance cameras compromised by Mirai and used for DDoS attacks, and the WannaCry ransomware attack, which infected over 200,000 devices in more than 150 countries, with victims including FedEx, Spanish telecoms, Renault in France and the U.K. National Health Service.
General building managers might think that hackers wouldn't be interested in them since they're not banks or government institutions. Yet the possibility that smart buildings become the unintended victims of collateral damage remains high, as was the case with the WannaCry attack.
In order to improve cybersecurity protection for smart buildings, the whitepaper lists some suggestions to help building owners and managers remain more vigilant:
Step 1: Risk assessment
Risk assessment should be the fundamental first step in securing a building. A building manager or owner should ask what risks are posed to tenants, staff, visitors, assets and premises by vulnerabilities in internet-connected building systems and devices. Costs should also be evaluated: what would be the return on investment of implementing security systems in the building?
Step 2: Connection protocol
Devices and systems in smart buildings communicate with each other via communications protocols. The whitepaper therefore suggests that system designers, integrators and installers need to understand the cybersecurity protections associated with each protocol in order to decide which should be adopted. Integrators and installers should pay attention to what each protocol does or doesn't offer in its original form, such as encryption, authentication and non-repudiation.
Step 3: Participation from every stakeholder
Cybersecurity flaws aren't confined to a single process; their causes can come from every aspect of a smart building. As a result, the whitepaper lists the possible responsibilities of every stakeholder in a table, to help open the dialogue on cybersecurity needs and hand-offs between stakeholders.
For instance, building architects and engineers should be responsible for a building's cybersecurity goals and standards, which cybersecurity functions will be delivered, and by which systems, while the occupants and facilities manager should focus on integrating security status reporting and management with cybersecurity.
The whitepaper states that the cyber-safety of people and assets in smart buildings requires support from the board and executive directors, plus implementation of best security practices across an organization, including the whole supply chain. Every stakeholder should collaborate to tackle the responsibility of cybersecurity together.