Building security and automation is all about connected devices working together to improve a building’s security and operational efficiency. Yet such connectivity introduces cybersecurity concerns as well. This article looks at cybersecurity risks in building security and automation and ways to mitigate them.
Cyber risks
Building security and automation is meant to make buildings secure, comfortable and sustainable by way of interconnected security and IoT devices. This interconnectivity, however, can also lead to various challenges, one of them being cybersecurity risks.
Among the possible cyberattacks on building security and automation systems are denial-of-service, man-in-the-middle and ransomware attacks. Imagine a scenario in which a hostile actor plants ransomware in the building management system, rendering lights, HVAC, locks and elevators inoperable, and demands a ransom to get everything back to normal – and imagine if the affected end user is a renter and the building owner refuses to pay the ransom. Or imagine if such a scenario happens at a critical infrastructure site or nuclear facility. The very thought of that makes people shudder.
If you think this is just a science fiction or horror movie plot, think again – at least one cyberattack has already taken place in building security and automation. According to a report by Dark Reading, a building automation engineering firm lost control of hundreds of devices in a building automation system (BAS) it had constructed for an office building client in Germany, due to a cyberattack. To keep the building operational during the attack, the firm had to resort to manually switching the central circuit breakers on and off in order to power the lights in the building. The problem was eventually resolved, with the firm able to reprogram the BAS devices and get the building's lighting, window shutters, motion detectors, and other systems back up and running.
The incident speaks volumes about the threats that smart buildings face. “With the increasing interconnectedness of building systems, cybersecurity has become a major concern as vulnerabilities in building automation systems can be exploited by malicious actors, leading to data breaches and operational disruptions,” said Nick Mercer, Marketing Manager at TDSi.
According to Bryan Montany, Principal Analyst for Access Control and Physical Security Technologies at Omdia, the impact of a successful cyberattack will be much more significant against fully integrated systems. “A successful cyberattack against an isolated domain can only disrupt that domain within a building; a successful cyberattack against a fully integrated BMS platform can adversely affect building operations and provide an entry point into an enterprise’s broader IT network,” he said.
Best practices to follow
To prevent potential cyberattacks, best practices such as securing device software, transmissions, and network architectures should be followed so that vulnerabilities are not exploited.
“Regular software upgrades help address threats. Network isolation – using dedicated networks for building automation equipment – also reduces exposure. Utilizing cloud or edge computing further enhances security; cloud solutions can quickly apply patches, while edge computing minimizes direct exposure to IP networks,” said Ivy Sun, Research Manager for Smart Buildings at Omdia. “As building automation systems rely more on software, IT departments are becoming crucial stakeholders in maintaining cybersecurity, focusing on strict data access controls and network segmentation.”
“User role management and enforcing least privileged access, where only identities that need access get it, should also be applied,” said James Clark, Director of Sales for EMEA & APAC at AMAG Technology. “This access should also be regularly audited to ensure that an identity does not keep the access if they no longer require it. In addition, users should configure the systems to store only the data they need to store. Systems should enforce current best practices for password protection or better utilizing single sign-on or new concepts such as passkeys.”