The physical access control of commercial buildings has been discussed to great lengths. Yet often ignored is their cybersecurity, which is equally important especially amid the rise of connected, smart buildings.
The physical access control of commercial buildings has been discussed to great lengths. Yet often ignored is their cybersecurity, which is equally important especially amid the rise of connected, smart buildings. This article looks at some of the cybersecurity challenges facing smart buildings, and why it’s essential to have full visibility of connected devices in these buildings.
Smart buildings are all about leveraging the powers of IoT devices to achieve better security, efficiency and sustainability. Access control and building management integration allows HVAC and lights to turn on or off based on occupancy. Such integration also provides visitors with a seamless journey from the parking lot to the floor they visit.
Yet this connectivity, while convenient, also introduces security risks, especially if the connected devices are not properly monitored.
“Smart buildings are vulnerable due to IoT devices that are poorly secured. Examples include smart locks, cameras, HVAC systems; these types of technology are often designed for functionality and not security. Poor security practices, such as unchanged default passwords, are another major downfall and can invite unauthorized access and opportunities to tamper with sensitive data,” said Luke Bencie, MD, and Sasha Hossain, Junior Research Associate, at Security Management International.
“Managing the devices over their lifecycle and how they authenticate to the network is critical. The devices range from low-powered connected sensors and lightbulbs to devices with full IP stacks. The methods and policies are not well aligned and, even in the case of IP devices, many use self-signed certificates and keys that are too long-lived, not well managed and isolated from the IT infrastructure. Authentication and key management threats along with managing privileged users to these networks and devices are front and center threats,” said Salvatore D'Agostino, CEO of IDmachines.
Types of attacks
According to Bencie and Hossain, common attack types against smart buildings are ransomware, DDoS attacks, and unauthorized “remote” access. “A 2016 event caused two buildings in Finland to lose heat for two days during winter due to a DDoS attack on critical infrastructure that controlled the heating of the building. More recently in 2024, Omni Hotels were targeted in a cyberattack by the ‘Daixin gang’ who had the intention of leaking customer records on a dark website. Additionally, guests reported outages in Wi-Fi, keycards and check-in systems,” they said.
Severe consequences
Once a building suffers from a major cyberattack, the consequences can be dire. The building may incur financial losses, lose brand reputation, and even put tenants’ lives in danger.
“A situation such as a compromised building system could present both an operational and physical danger as it may fail to respond to emergencies and can put lives on the line. Data breaches may have long-term impacts with the leakage of personal information as one does not know how far reaching this information is. This type of information can be exploited as surveillance or blackmail (requests for ransom and more),” Bencie and Hossain said.
Mixed-use properties not exempted
Mixed-use properties, where multiple tenants share the same building, are also subject to cyberattacks which can severely affect the tenants.
“Mixed-use buildings present even more considerations as one breach can impact another office or resident. It can be a bit of a domino effect since the building systems are often connected and breaches are rarely isolated. Once the building data is accessed, the attacker can target personal data from multiple sources as well as other types of information such as camera feeds and bank information. This can present gaps in security such as a poorly secured POS terminal or an apartment’s smart home environment. These all serve as entry points that could present risks and opportunities for an attacker,” Bencie and Hossain said.
Defense and visibility essential
The aforementioned points underscore the need to well protect smart buildings from cyberattacks and threats. Especially, it’s essential for operator to have full visibility – knowing what devices exist, where they are, what they’re doing and how they communicate. Such visibility enables asset inventory, identification of unauthorized or forgotten devices, and detection of insecure legacy systems still online. Without visibility, operators cannot see what’s on the network, and they can’t protect what they cannot see.
Unfortunately, a lack of visibility remains a major challenge in securing smart buildings.
“In the case of smart sensors, and even physical access control system, the device monitoring is not as extensive as in the case of IT systems. For example, enterprise IT systems implement Security Information and Event Management (SIEM) systems which are fairly fine-grained. They also implement Simple Network Monitoring Protocols (SNMP). While physical access control systems have this ability, these are not always tied into security operations centers and dashboards. In the case of intelligent sensors and low-powered devices, Message Queuing Telemetry Transport (MQTT) could be used to carry back information to network and device monitoring systems, but this is not widely implemented,” D'Agostino said.
Today, various solutions and best practices exist to help smart building operators gain visibility and make buildings more cyber-secure. We’ll look at these in greater detail in an upcoming article.
Product Adopted:Building