Smart buildings are no longer a figment of our futuristic imaginations. This $6B USD market is projected to grow to $24.73B USD by 2021, and today nearly every large enterprise or government facility has some level of “smart” functionality.
Harnessing the connected world, these innovative buildings use sensors and digital controllers to automate, manage and optimize HVAC (Heating, Ventilation and A/C), lighting, electricity, gates, surveillance systems, and more. As a result, they consume less energy, are easier to manage, and are more comfortable to live and work in.
This progress and convenience comes with increased risk: the controllers and Internet of Things (IoT) devices used in smart buildings typically run legacy operating systems that have not been patched for years, and they communicate over building-automation and industrial protocols that IT security tooling was never designed to parse.
Because today's security systems do not understand these protocols, they fail to detect malicious activity or potential threats on them. The damage that tampering with smart building systems can cause ranges from disruption and discomfort to physical harm.
For example, cyber-attackers can put elevator systems out of service, heat up a building, disconnect the entire electric system, hack into IP cameras or turn them into a botnet. In critical buildings such as government facilities or financial institutions, the Building Automation System (BAS) can be the gateway into the entire corporate IT network.
Cyber-attackers seek to maximize damage and profit, while minimizing their effort, leaving smart buildings as an excellent target. Therefore, we can anticipate that attacks on smart buildings will surge in the coming decade. Unlike IT environments, which have developed mature workflows and technologies to address cyber threats, smart building cybersecurity lags years behind, specifically as it relates to the converged attack surfaces.
Converging Threats vs. Discrete Security Approaches
Smart buildings combine operational technology (OT), information technology (IT) and IoT devices. Despite advancements that have been made throughout the industry, current offerings are not positioned to address this converged attack surface effectively as they often address a narrow subset of problems.
Here are two different examples. OT systems communicate in SCADA protocols and use programmable logic controllers (PLCs) that run proprietary operating systems. Attackers may go after the PLC to reconfigure it and cause damage, as seen in the well-publicized Stuxnet and Havex attacks. From an IoT standpoint, systems such as surveillance cameras often run old and unpatched Linux versions, which attackers could seek to exploit to take control of them.
Looking at these examples, it is clear that each system requires a specialized approach, and also an understanding of its unique protocols, operating systems and attack vectors. Furthermore, each one requires unique disciplines and an understanding of regulation and certification issues. For example: client-based software, such as endpoint security agents, can be installed on a laptop, but not on sensitive OT devices, so OT security vendors must use passive monitoring to detect OT threats. All these approaches should work in tandem to ensure cyber-resilience.
Traversing IT/OT and IoT
Assisted by the complexity and convergence of IT/OT and IoT systems, cyber-attackers can take advantage of smart building weak spots to cross into better protected areas. Taking the critical infrastructure attacks mentioned above as examples, Stuxnet spread over USB media to reach an isolated network and then altered the PLC logic driving nuclear centrifuges, while Havex was delivered through compromised vendor websites and trojanized software downloads.
Similarly, with smart buildings attackers can exploit the vulnerabilities of BAS to enter the IT network and get hold of restricted data located on servers and computers. Or, they can use internet-connected IT devices as their entry point, and move into sensitive OT systems, where they can cause critical damage to physical systems.
The Need for Full-Stack Security
In the long run, cybersecurity disciplines will have to change dramatically to address the converging attack surface. We can no longer rely on hyper-focused, non-integrated solutions to solve a broad problem. An attack on a building's power system can be detected early, potentially months before the physical payload is triggered, because the attacker must first compromise a computer on the IT side and then scan the network for controllers; that reconnaissance is visible to anyone watching both networks. This requires a new security architecture that provides visibility across IT and OT networks.
This architecture will be based on a suite of sensors designed for the various protocols and devices. These sensors will continuously monitor and record activity on endpoints, controllers, and networks, and deliver it to a central big-data repository at the security operations center (SOC). There, it will be analyzed to detect threats and provide centralized situational awareness across the facility. Private buildings and small businesses will manage their SOCs externally, while large organizations will use their in-house SOC which will evolve into a data driven facility.
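The "scanning for controllers" reconnaissance step described above is a concrete thing the central analytics can look for. The following is an added example, not code from the original article or any vendor: it takes passively collected network flow records (a constructed, simplified format of timestamp, source, destination, protocol, destination port and byte count) and flags any source that touches many distinct hosts on controller ports inside a short window. Modbus/TCP on port 502 and BACnet/IP on UDP 47808 are assumed as the controller protocols of interest; the threshold, window and the allowlist of known building-management servers are illustrative values a SOC would tune to its own baseline.

```python
"""Added example: detect an IT host sweeping the network for building controllers
from passively collected flow records.

Assumptions (not from the original article): flow line format
'<iso-timestamp> <src> <dst> <proto> <dport> <bytes>', controller ports
Modbus/TCP 502 and BACnet/IP UDP 47808, and illustrative threshold/window values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed controller protocols: Modbus/TCP and BACnet/IP.
CONTROLLER_PORTS = {("tcp", 502), ("udp", 47808)}


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def find_controller_scanners(lines, window=timedelta(minutes=5),
                             min_targets=8, allowlist=frozenset()):
    """Return {src: set_of_controller_dsts} for every source (not in the
    allowlist of known BMS servers) that reached at least `min_targets`
    distinct destinations on controller ports within any `window`."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()),
                   key=lambda f: f["ts"])
    per_src = defaultdict(list)  # src -> [(ts, dst)] on controller ports only
    for f in flows:
        if (f["proto"], f["dport"]) in CONTROLLER_PORTS and f["src"] not in allowlist:
            per_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in per_src.items():
        start = 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = hits.get(src, set()) | targets
    return hits


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Known BMS server repeatedly polling its three controllers: benign.
    f"2024-03-01T09:00:{i:02d} 10.10.0.5 10.10.0.{21 + i % 3} tcp 502 320"
    for i in range(0, 30, 2)
] + [
    # IT workstation sweeping the controller subnet on Modbus/TCP: suspicious.
    f"2024-03-01T09:01:{i * 5:02d} 10.20.1.77 10.10.0.{i + 1} tcp 502 60"
    for i in range(12)
] + [
    # Unrelated web traffic from the same workstation: ignored by the rule.
    "2024-03-01T09:01:30 10.20.1.77 93.184.216.34 tcp 443 1500",
    # One BACnet/IP probe from the workstation as well.
    "2024-03-01T09:02:10 10.20.1.77 10.10.0.40 udp 47808 80",
]

KNOWN_BMS_SERVERS = frozenset({"10.10.0.5"})  # assumed baseline allowlist

if __name__ == "__main__":
    for src, targets in find_controller_scanners(
            SAMPLE_FLOWS, allowlist=KNOWN_BMS_SERVERS).items():
        print(f"ALERT: {src} probed {len(targets)} controller hosts: "
              f"{sorted(targets)}")
```

The allowlist matters in practice: a legitimate building-management server polls every controller all day, so a distinct-destination rule with no baseline would page the SOC on its own infrastructure. Conversely, a known BMS server that suddenly starts probing hosts outside its normal set is worth a separate rule; this example deliberately does not cover that case.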
In the near term, smart building managers should start with awareness of the cybersecurity threat. They should plan for cyber resilience from day one, and engage with reputable consultancies and integrators to design and implement it. Large organizations should be aware of the OT and IoT risks and factor them in when implementing their security infrastructure. Moreover, OT and IoT systems should be integral parts of their incident response: workflows, processes, staff training, and SIEM integration.
Smart buildings introduce new risks to physical and digital assets. We should increase awareness of these risks and initiate a change in our approach to security architecture, one that addresses the IT/OT/IoT landscape as a single converged surface, just as the attackers see it.