Smart Buildings and Cybersecurity

Learn more about smart buildings and cybersecurity, protecting your companies information.

What are Smart Buildings?

Smart Buildings refer to structures incorporating a network of interconnected devices, sensors, and systems to gather and share data, aiming to enhance different facets of building operations such as efficiency, sustainability, occupant comfort, and overall experience. These interconnected elements encompass heating, ventilation, and air conditioning (HVAC) systems, lighting, access control, elevators, life safety, and other components. The seamless integration of these systems enables centralized control and automation, leading to benefits like improved energy efficiency, cost savings, and enhanced occupant comfort. Smart Buildings exemplify the convergence of the digital and physical domains.

The Goals, Core Opportunities, and Foundations of Building Controls
Artistic representation of cyber threats and cybersecurity

What is Cybersecurity?

Cybersecurity is the practice of safeguarding networks, devices, and data from unauthorized access or illicit use, with a focus on ensuring confidentiality, integrity, and availability of information. In today’s interconnected world, where computers and the internet permeate various aspects of daily life such as communication, entertainment, transportation, shopping, and even healthcare, the risks are numerous and diverse. These threats range from relatively minor issues like malware infections to severe breaches where unauthorized individuals manipulate files, launch attacks, or steal sensitive information like credit card details. While absolute assurance against such threats is elusive, proactive measures can be taken to mitigate risks, including implementing robust security protocols, regularly updating software, educating users about safe practices, and employing advanced threat detection and response mechanisms.

Why Cybersecurity in Smart Buildings?

Cybersecurity is of paramount importance in the realm of smart buildings due to the inherent vulnerabilities present in building control communication protocols. The incidence of cyber threats against smart buildings is witnessing a surge, with a notable 38 percent of smart buildings having experienced a cyberattack, as reported by Kaspersky in 2019[1]. These vulnerabilities, often exacerbated by poor security practices such as unchanged default passwords, pose significant risks ranging from unauthorized access to tampering with environmental controls and compromising sensitive data. As smart buildings rely on interconnected devices and cloud-based services, they become prime targets for exploitation by malicious entities, highlighting the urgent need for robust security measures to mitigate cyber threats. The surge in cyberattacks against smart buildings underscores the criticality of enhancing security protocols, with organizations increasingly recognizing cybersecurity as a top concern amidst the rapid adoption of IoT and digital transformation initiatives.

Cyber attack at Johnson Controls

An Example

An illustrative example of the repercussions of inadequate cybersecurity measures in smart buildings is the cyber attack on Johnson Controls International[2] in September 2023. This attack, orchestrated by the Dark Angels ransomware gang, resulted in substantial financial losses amounting to $27 million for the company. The breach led to unauthorized access, data exfiltration, and ransomware deployment, highlighting the severe consequences of overlooking cybersecurity in smart building infrastructure. This incident serves as a stark reminder of the imperative for organizations to prioritize cybersecurity measures to safeguard against potential cyber threats and mitigate financial and reputational risks associated with such attacks.

Threats:

Siegeware and BAS Attacks

Siegeware represents a fusion of ransomware tactics with vulnerabilities in Building Automation Systems (BAS). In a Siegeware attack, the attacker seizes control of a building and disrupts critical operations, such as heating, cooling, alarm systems, and physical access, to give the control back only upon payment of a ransom. They exert control over the entire structure by manipulating the automated system governing the building’s functions. This control extends to disabling ventilation, heating, and fire suppression systems, and potentially influencing other digital functionalities within the building.

Phishing

Fraudulent attempts to obtain sensitive information by disguising oneself as a trustworthy entity in digital communication. Phishing often involves sending emails that appear to be from reputable sources to trick individuals into revealing personal information, such as passwords and credit card numbers.

Malware

Short for malicious software, this encompasses any software intentionally designed to cause damage to a computer, server, client, or computer network. Examples include viruses, worms, Trojan horses, and spyware.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

These attacks aim to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by overwhelming the target with a flood of internet traffic, while DDoS attacks use multiple compromised computer systems as sources of attack traffic.

Man-in-the-Middle (MitM) Attacks

This occurs when attackers intercept and relay messages between two parties who believe they are directly communicating with each other. MitM attacks can capture and modify the information being sent, allowing attackers to steal sensitive data or inject malicious content into the communication.

SQL Injection

An attack that involves inserting malicious SQL code into a database query. This can allow attackers to access and manipulate the database, steal data, alter database information, and execute administrative operations on the database.

Zero-Day Exploit

This involves exploiting a vulnerability in software or hardware that is unknown to the vendor or has no patch available at the time of the attack. Attackers exploit this “zero-day” vulnerability to affect computer programs, data, additional computers, or a network.

Cross-site scripting (XSS)

An attack that injects malicious scripts into benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Advanced Persistent Threats (APTs)

These are prolonged and targeted cyberattacks in which an attacker infiltrates a network and remains undetected for an extended period. The intention is usually to steal data rather than cause damage to the network or organization.

Social Engineering

Manipulative tactics that trick users into making security mistakes or giving away sensitive information. Unlike other attacks, social engineering exploits human psychology rather than technical vulnerabilities.

Artistic representation of Phishing

Measures that can be Employed:

There are free resources that guide cybersecurity, such as the US Federal Trade Commission (FTC), the US National Institute of Standards and Technology (NIST), and the US Department of Homeland Security (DHS). Here are some best practices that can be implemented to prevent cybersecurity risks.

  1. Limit network access: The NIST-developed Zero Trust architecture is now being increasingly applied to secure building controls in Smart Buildings. This approach eliminates inherent trust in any entity, necessitating continuous verification for every user and device, even within the network perimeter.
  1. Use complex and unique passwords: Adopt passwords that are a mix of letters, numbers, and symbols, and ensure they are unique to each account to prevent unauthorized access.
  1. Store passwords in a secured database: Utilize encrypted databases for storing passwords, protecting them from theft and unauthorized disclosure, and setting up notifications for login attempts.
  1. Multi-factor authentication: Implement multi-factor authentication to add an extra layer of security, and integrate lockout mechanisms on failed password attempts.
  1. Monitor network activity: Allow VPN-only access from the building’s IP, encrypt connections, and continuously monitor network activity to detect and respond to unusual or unauthorized actions that could indicate a cybersecurity threat.
  1. Regular tests for vulnerabilities: Conduct regular vulnerability assessments and penetration tests to identify and address security weaknesses before attackers can exploit them. Tools such as the NIST MEP Cybersecurity Assessment Tool and Cyber Security Evaluation Tool (CSET) should be leveraged to conduct assessments on a regular basis.
  1. Secure physical media and devices: Implement security measures for physical devices and media, such as locking server rooms and encrypting hard drives, to prevent physical theft and tampering.
  1. Dispose of sensitive data securely: Use methods such as shredding physical documents and securely wiping electronic files to ensure sensitive information is irrecoverable after disposal.
  1. Dedicate Time to Learn About Threats and Mitigation: Allocate regular time to stay updated on the latest cybersecurity threats and strategies for mitigation to protect your organization.
  1. Educate Your Employees: Provide ongoing cybersecurity training to employees to help them recognize threats and understand safe practices for handling data.
  1. Implementation of an Information Security Framework: Implement a firewall and adopt a comprehensive information security framework, such as ISO/IEC 27001, to guide the establishment and maintenance of security policies and procedures.
  1. Implementation and Maintenance of an Information Security Program: Develop and maintain an information security program that encompasses all aspects of data protection, from digital security to physical and employee training.
  1. Implement policies and procedures for change management, commissioning, and patching: Establish clear guidelines for safely implementing changes, adding new equipment, and updating software to secure your infrastructure.
  1. Updating firmware and system security: Regularly update all software and systems to the latest versions to protect against known vulnerabilities and security flaws.
  1. Consider Joining InfraGard: Network intrusions often go unreported to law enforcement agencies. InfraGard is a partnership between the FBI and the private sector and is an association of persons who represent businesses, academic institutions, state, and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S. Each InfraGard Members Alliance (IMA) is geographically linked with an FBI Field Office, providing all stakeholders immediate access to experts from law enforcement, industry, academic institutions, and other federal, state and local government agencies.
Logos of Government Bodies that provide cybersecurity services

Conclusion

The intersection of smart buildings and cybersecurity introduces opportunities for efficiency and risks of cyber threats. Cybersecurity is crucial for safeguarding networks, devices, and data in our increasingly interconnected world. Smart buildings, integrating diverse technologies for improved efficiency and occupant experience, face specific vulnerabilities that can be exploited by various cyber threats.

As organizations contemplate investments in IoT and digital transformation projects, the recognition of cybersecurity as a critical factor is growing. The surge in spending on cybersecurity reflects the awareness of the risks associated with modern technological advancements. Ensuring the security of connected buildings requires ongoing vigilance, adherence to evolving cybersecurity best practices, and alignment with regulatory frameworks. Ultimately, a proactive and comprehensive approach to cybersecurity is essential for the sustained functionality and safety of smart buildings in our digitally-driven era.

References

https://www.kaspersky.com/about/press-releases/2019_smart-buildings-threat-landscape

https://www.bleepingcomputer.com/news/security/johnson-controls-says-ransomware-attack-cost-27-million-data-stolen/

Image Sources (in order)

Energy.gov

Generated Using Copilot Designer

Bleeping Computer

Public Domain Pictures

Official Sites