Smart buildings, offices and homes are all the rage these days. According to Zion Research, the global smart building market was valued at $7 billion in 2014 and is expected to reach $36 billion by 2020.

More specifically, smart buildings promise to be a key piece of the smart cities puzzle, holding the promise of better energy use and smaller carbon footprints, reduced inefficiencies, cost savings, vast improvements in comfort and an enhanced tenant experience. But are these technologies ready to tackle the escalating threat landscape? Do they benefit from a modern security model?

Smart building technology and building automation systems (BAS) were born out of the incredible progress made in composite materials, sensors, embedded systems, mechanical miniaturization and software. Advancements in protocols and communications have also made it possible to connect objects to each other and to the Internet, giving birth to the much-touted Internet of Things (IoT). Manufacturers such as Nest, Honeywell and even Apple are rushing to get a slice of the billion-dollar pie.

That’s all very exciting, but to quote Dr. Christian Szell from “Marathon Man,” “Is it safe? … Is it safe?” Well, it turns out it’s not quite safe yet.

Smart Buildings Aren’t Secure

Let me backtrack a bit: All the wonderful advancements in sensors, miniaturization, embedded systems, etc. have unleashed a torrent of innovations making smart buildings possible. Ubiquitous, and cheap, wireless communication technologies and protocols connect these systems and devices to each other and to the Internet. But their security model is still stuck in the ’70s. As in, it’s vastly inadequate.

To further illustrate this, IBM Security’s X-Force Ethical Hacking team (full disclosure: I work for IBM) recently conducted a penetration test that aimed to hack into a BAS at the request of the building management group. IBM’s team was able to exploit simple vulnerabilities and basic design flaws in the connected devices’ embedded software to gain access to the building’s central command server. Had this been a real intrusion by a malicious actor, significant material damage, perhaps leading to real danger for the tenants, could have ensued.

This exercise showed that, unsurprisingly, vulnerabilities exist at every layer of the smart building ecosystem: at the device and sensor level, at the gateway and controller level, and up through the data, application and network levels. This situation exists because manufacturers traditionally involved in designing systems and devices for smart buildings and homes (e.g., HVAC, electrical systems, sensors, controllers, etc.) have not considered their products as potential attack targets.

As a result, they often implement lightweight protection measures or sometimes even none. Engineers and programmers involved in the development of these connected devices don’t often have to manage complex security requirements. “Add a password” is probably as much as some of them see on their requirements list!

Security Has Its Own Challenges

Today, the sheer range of device types, manufacturers, integration scenarios, conflicting and incompatible standards and complex protocols makes securing these systems a daunting task. To make matters worse, once deployed, these devices and systems are very hard to update, patch or upgrade remotely. Vulnerabilities may linger for years, often requiring complex coordination and, ultimately, an on-site visit by a technician armed with very specialized equipment before they are patched.

Attackers break through conventional IT safeguards every day. In the coming months and years, the number of threats and malicious actors will only grow, and their techniques will become more sophisticated and pernicious. These rogue actors will increasingly turn their attention toward targets outside their usual theaters of engagement: cars, homes, buildings, public infrastructure and more.

The response to these perils should be to apply the best tenets of IT security to the smart building and BAS ecosystems. As with any security posture, strong authentication and access control should be the first step, followed by network segmentation between the BAS and the corporate network, device hardening and application security.

Analytics May Be Able to Help

Analytics, as well as context-aware event and anomaly detection, should become the foundations upon which smart, integrated and proactive defense postures are adopted by organizations that own smart building technologies. An open sharing of security and threat intelligence pertaining to IoT and smart buildings will also need to be part of the solution. The more intelligence all stakeholders share about these topics, the more robust the ecosystem.
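As an added example of the context-aware anomaly detection the paragraph above calls for (this is illustrative code written for this page, not code from the original article or from IBM X-Force), the sketch below runs a small detector over constructed BAS gateway log lines. The log format, controller names, authorized source addresses, business hours and setpoint limits are all assumptions chosen for the example; a real deployment would take them from the building’s access-control policy and the equipment’s safe operating envelope. Each write to a controller is checked against three pieces of context: who is allowed to write to that controller, when writes normally happen, and what values are physically sensible.

```python
"""Context-aware anomaly detection over building-automation write events.

Added example for this page; not the original article's code. The log format and
all policy values below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log: one setpoint/command write per line, as an assumed
# BAS gateway might record it: timestamp, source IP, controller, point, value.
SAMPLE_LOG = """\
2023-03-06T08:02:11 10.20.0.5 ahu-1 supply_setpoint 21.0
2023-03-06T09:15:40 10.20.0.5 ahu-1 supply_setpoint 21.5
2023-03-06T13:30:02 10.20.0.5 chiller-2 leaving_water_setpoint 7.0
2023-03-06T17:45:19 10.20.0.5 ahu-1 supply_setpoint 20.5
2023-03-07T02:13:57 10.20.0.5 ahu-1 supply_setpoint 29.0
2023-03-07T10:05:33 10.99.7.12 chiller-2 leaving_water_setpoint 2.0
2023-03-07T10:06:01 10.99.7.12 elevator-1 maintenance_mode 1
"""

# Assumed policy context. In practice this comes from the access-control policy
# (who may write to which controller) and from the equipment's safe ranges.
AUTHORIZED_SOURCES = {
    "ahu-1": {"10.20.0.5"},
    "chiller-2": {"10.20.0.5"},
    "elevator-1": {"10.20.0.9"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # writes expected between 07:00 and 19:00
POINT_LIMITS = {
    "supply_setpoint": (18.0, 26.0),          # degrees C, assumed safe envelope
    "leaving_water_setpoint": (5.0, 12.0),    # degrees C, assumed safe envelope
}


@dataclass(frozen=True)
class WriteEvent:
    ts: datetime
    source: str
    controller: str
    point: str
    value: float


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: WriteEvent


def parse_log(text: str) -> list[WriteEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, ctrl, point, val = line.split()
        events.append(WriteEvent(datetime.fromisoformat(ts), src, ctrl, point, float(val)))
    return events


def detect(events, authorized=AUTHORIZED_SOURCES, hours=BUSINESS_HOURS, limits=POINT_LIMITS):
    """Flag writes that violate source, time-of-day or value context.

    A write from an unauthorized source, or one that pushes a point outside its
    safe range, is rated high; an otherwise normal write at an odd hour is medium.
    """
    alerts = []
    for ev in events:
        reasons = []
        if ev.source not in authorized.get(ev.controller, set()):
            reasons.append("unauthorized source")
        if not (hours[0] <= ev.ts.time() < hours[1]):
            reasons.append("outside business hours")
        bounds = limits.get(ev.point)
        if bounds is not None and not (bounds[0] <= ev.value <= bounds[1]):
            reasons.append("value outside safe range")
        if not reasons:
            continue
        high = "unauthorized source" in reasons or "value outside safe range" in reasons
        alerts.append(Alert("high" if high else "medium", "; ".join(reasons), ev))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        ev = alert.event
        print(f"[{alert.severity}] {ev.ts} {ev.source} -> {ev.controller}/{ev.point}={ev.value}: {alert.reason}")
```

On the constructed input the detector flags three of the seven writes: the 02:13 supply setpoint of 29 degrees (out of hours and out of range), the chiller setpoint of 2 degrees from an address that is not allowed to touch that controller, and the elevator maintenance-mode command from that same unknown address. The caveat a practitioner will spot immediately is that this only works if writes are actually logged at a choke point the attacker cannot bypass; a device reachable directly over a flat network never produces the log line. That is why the article puts authentication, access control and segmentation ahead of analytics rather than after them.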

Admittedly, this might seem an expensive proposition for organizations that own smart buildings. However, if we instead see it as part of adopting a holistic security posture, one that takes a layered approach to protecting the entire ecosystem, from intellectual property down to HVAC systems, it becomes an integral part of an organization’s DNA. Security is then not something you slap on top of systems, processes, operations and buildings, but rather an immune system for your organization.

Buildings and homes are, after all, where we live and work. We should protect them as carefully as we protect our organizations’ brands or intellectual property, and not have to worry about the latest attacks on elevator controllers.
