Does continued growth of the IoT open up cybersecurity concerns for building automation?
Every day when we arrive at the office we take some things for granted – the lights will be on, the heat or air conditioning will be working and the building entry system will be up and running. However, with many of these everyday systems now connected through the “internet of things,” could they actually pose a cybersecurity threat to the company?
In the past, the building automation systems, which include heat, lighting and air conditioning, were stand-alone systems, never meant to be connected to the public internet. Now, in the age of IoT, these systems have joined the billions of other connected devices. In fact, smart homes and offices represent 45% of total “connected things” in use in 2015.
There are advantages to these modern “smart building” automation systems. For example, operators can control a building’s physical environment remotely or configure it to make automatic adjustments, lowering costs and adapting dynamically to occupants’ needs and building conditions. Unfortunately, these smart building features also pose an increasing cybersecurity threat: they create an internet-connected network of devices that flies under the radar of traditional information technology, a “shadow IoT.”
Without the appropriate security measures in place, these systems are vulnerable to basic hacking techniques – just like a traditional computer or network – that can allow a hacker to gain access to the systems that control the building’s heating, lighting and air conditioning.
What are the dangers?
While the ability for hackers to control the lights and temperature of a building may not sound like cause for major alarm, the implications of such a hack would extend well beyond coating employees in a sheen of sweat; IT systems, such as critical servers, can be shut down or damaged by overheating. On the other end of the thermometer, if a heating system is shut down in the winter, it can lead to burst water pipes. Or, if building fire alarms are set off, the sprinkler system may be triggered. While these scenarios may not be top of mind for IT managers, they can all cause major property and IT damage.
Seem far from reality? Unfortunately, it’s not. In fact, recently a team of IBM ethical hackers were able to hack into a building automation system and gain the ability to tamper with various physical aspects of not just the building they originally compromised, but other buildings that were managed by the same system. Fortunately in this case, these security flaws were brought to the attention of the building operators and ultimately patched.
Of even greater concern is that in a recent survey of building automation system managers, 43% of respondents indicated their building automation systems were connected to the enterprise IT network. This means if a hacker can access the light or air conditioning system, they likely can uncover a path to access critical company data as well.
New framework needed
Gartner estimates 206.2 million connected devices are currently being used in commercial “smart buildings” – a number that is expected to grow to 648 million devices by 2017. As smart buildings become more common, companies and building managers must start paying attention to the potential cybersecurity risks within their physical spaces in order to protect their building, employees and data.
It is worrisome, however, that in a recent survey of BAS operators, only 29% indicated they had taken action or were in the process of taking action to improve cybersecurity for their systems.
Building managers can take simple steps to ensure improved network protections are implemented to guard against attacks. These include segmenting building automation devices and systems from the IT infrastructure and restricting access across the divide to minimally support the business use cases, such as gathering telemetry from building automation systems into a log management system, also known as security information and event management. The building automation systems also should be protected from the internet by an enterprise-grade firewall, with remote access granted only through strong authentication – with one-time passwords or out-of-band authentication recommended – and restricted to a small set of IP addresses or through a virtual private network.
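The network side of those steps can be checked mechanically. The following is an added example, not part of the original article: a small audit of firewall allow rules against the segmentation policy described above. All addresses, ports, zone names and the rule format are constructed assumptions, and the strong-authentication requirement is outside what a rule audit can see.

```python
import ipaddress

# Constructed zones (assumptions for illustration, not from the article)
BAS_NET = ipaddress.ip_network("10.50.0.0/24")        # building automation segment
IT_NET = ipaddress.ip_network("10.10.0.0/16")         # enterprise IT network
SIEM = (ipaddress.ip_address("10.10.5.20"), 6514)     # log collector, syslog over TLS
REMOTE_OK = [ipaddress.ip_network("10.99.0.0/24"),    # VPN address pool
             ipaddress.ip_network("203.0.113.8/32")]  # allowlisted admin address

# Constructed sample rule set: (source, destination, port, action)
RULES = [
    ("10.50.0.0/24", "10.10.5.20/32", 6514, "allow"),  # telemetry to the SIEM
    ("10.99.0.0/24", "10.50.0.10/32", 443, "allow"),   # VPN users to a controller
    ("0.0.0.0/0", "10.50.0.10/32", 443, "allow"),      # anyone to a controller
    ("10.10.0.0/16", "10.50.0.0/24", 47808, "allow"),  # all of IT to BACnet/IP
    ("10.50.0.0/24", "10.10.8.0/24", 445, "allow"),    # BAS to an IT file share
    ("0.0.0.0/0", "10.50.0.0/24", 0, "deny"),          # default deny
]

def audit(rules):
    """Return (rule_index, finding) for each allow rule that breaks the policy."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        src_n, dst_n = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        src_in_bas = src_n.subnet_of(BAS_NET)
        if dst_n.overlaps(BAS_NET) and not src_in_bas:
            # Inbound to the BAS segment: only the VPN pool or allowlisted IPs
            if any(src_n.subnet_of(n) for n in REMOTE_OK):
                continue
            if src_n.subnet_of(IT_NET):
                findings.append((i, "IT network reaches BAS across the segment boundary"))
            else:
                findings.append((i, "remote access to BAS from a non-allowlisted source"))
        elif src_in_bas and not dst_n.subnet_of(BAS_NET):
            # Outbound from BAS: only telemetry to the SIEM collector
            is_siem = (dst_n.num_addresses == 1
                       and dst_n.network_address == SIEM[0] and port == SIEM[1])
            if not is_siem:
                findings.append((i, "BAS egress other than telemetry to the SIEM"))
    return findings
```

Calling `audit(RULES)` flags rules 2, 3 and 4 and leaves the telemetry, VPN and deny rules alone.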
Companies that rent office space need to start paying attention to the potential cybersecurity risks within their physical spaces. Check if the building systems are connected to the internet, and if so, ensure that proper cybersecurity testing has been done. Ask for a vulnerability assessment report and/or results of a third-party security audit. Larger companies renting space or subcontracting building management should incorporate cybersecurity into their contracts.
The next time you’re the last one in the office and the lights automatically turn off, think about the trigger that just flipped – and realize that, without the proper security protocols, those lights may expose the company to serious security issues.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.