Smart Buildings, Dumb Security
Smart buildings, offices and homes are all the rage these days. According to Zion Research, the global smart building market was valued at $7 billion in 2014 and is expected to reach $36 billion by 2020.
More specifically, smart buildings promise to be a key piece of the smart cities puzzle, holding the promise of better energy use and of smaller carbon footprints, reduced inefficiencies, costs savings, vast improvements in comfort and enhanced tenant experience. But are these technologies ready to tackle the escalating threats landscape? Do they benefit from a modern security model?
Smart building technology and building automation systems (BAS) were born out of the advancements and incredible progress made in the realms of composite materials, sensors, embedded systems, mechanical miniaturization and software. Advancements in protocols and communications have also made connections between objects and the Internet, giving birth to the much-touted Internet of Things (IoT). Manufacturers such as Nest, Honeywell and even Apple will be rushing to get a slice of the billion-dollar pie.
That’s all very exciting, but to quote Dr. Christian Szell from “Marathon Man,” “Is it safe? … Is it safe?” Well, it turns out it’s not quite safe yet.
Smart Buildings Aren’t Secure
Let me backtrack a bit: All the wonderful advancements in sensors, miniaturization, embedded systems, etc. has unleashed a torrent of innovations making smart buildings possible. Ubiquitous — and cheap — wireless communication technologies and protocols connect these systems and devices to each other and to the Internet. But their security model is still stuck in the ’70s. As in, it’s vastly inadequate.
To further illustrate this, IBM Security’s X-Force Ethical Hacking team (full disclosure: I work for IBM) recently conducted a penetration test that aimed to hack into a BAS at the request of the building management group. IBM’s team was able to exploit simple vulnerabilities and basic design flaws in connected devices’ embedded software to gain access to the building’s central command server. If this were a real penetration situation conducted by a malicious actor, important material damages — perhaps leading to real danger for the tenants — could have ensued.
This exercise showed that, unsurprisingly, different types of vulnerabilities are found in the smart building ecosystem — at the device and sensor level, at the gateway and controller levels and up to the data, application and network levels. This situation exists because manufacturers traditionally involved in designing systems and devices for smart buildings and homes (e.g., HVAC, electrical systems, sensors, controllers, etc.) have not considered their products as potential attack targets.
As a result, they often implement lightweight protection measures or sometimes even none. Engineers and programmers involved in the development of these connected devices don’t often have to manage complex security requirements. “Add a password” is probably as much as some of them see on their requirements list!
Security Has Its Own Challenges
Today, the sheer range of device types, manufacturers, integration ranges, conflicting and incompatible standards and complex protocols makes securing these systems a daunting task. To make matters worse, once deployed, these devices and systems are very hard to update, patch or upgrade remotely. Vulnerabilities may linger around for years, often requiring complex coordination and the ultimate visit of a technician armed with very specialized equipment before being patched.
Attackers break through conventional IT safeguards every day. In the coming months and years, the number of threats and malicious actors will only grow exponentially, and their techniques will become more sophisticated and pernicious. These rogue actors will increasingly turn their attention toward targets outside their usual theaters of engagement: cars, homes, buildings, public infrastructures and more.
The response to these perils should be to apply the best tenets of IT security to the smart building and BAS ecosystems. As for any security posture, things like strong authentication and access control should be the first step with regard to protection, followed by best-of-breed network, device and application security.
Analytics May Be Able to Help
Analytics, as well as context-aware event and anomaly detection, should become the foundations upon which smart, integrated and proactive defense postures are adopted by organizations that own smart building technologies. An open sharing of security and threat intelligence pertaining to IoT and smart buildings will also need to be part of the solution. The more intelligence all stakeholders share about these topics, the more robust the ecosystem.
Now, this might indubitably seem to be an expensive proposition for organizations that own smart buildings. However, if we instead see this from the point of view of adopting a holistic security posture that includes a layered approach to protecting one’s entire ecosystem, from intellectual property down to HVAC systems, this becomes an integral part of an organization’s DNA. Security becomes not something you slap on top of systems, processes, operations and buildings, but rather an immune system for your organization.
Buildings and homes are, after all, where we live and work. We should protect them as well as our organizations’ brands or intellectual property and not have to worry about the latest attacks on elevator controllers.