The reality is that the Internet of Things is a blessing and a curse for commercial buildings. IoT connectivity powers many great technologies like building automation systems that enable more efficient and user-friendly buildings. But, the thousands of IoT endpoints in most commercial buildings also create weak links in the cybersecurity chain. There are plenty of examples of hacks through these weak links, and most experts agree they will likely get worse before they improve.
Businesses spend vast sums of money protecting their networks as they move to the cloud. A Bloomberg Intelligence report estimates that cybersecurity spending will surpass $200 billion annually by 2024. Yet, even with all that money spent on cybersecurity, many corporate occupiers leave their networks vulnerable to hundreds of thousands of unprotected IoT endpoints.
Security is simply not a priority for most when it comes to IoT devices. The biggest challenge is that most devices don’t have much built-in security, which is unsettling because 127 new IoT devices connect to the web every second, according to Stringify CTO Dave Evans. By 2025, experts predict there will be 75 billion connected IoT devices worldwide. Unlike laptops and other varieties of consumer electronic hardware, many of these devices don’t have big companies behind them (like Microsoft and Apple) that provide regular security updates. Smaller companies make building sensors with fewer resources and often weaker security protocols, presenting an ever-growing threat for property managers.
What makes matters worse is that some building managers don’t see all these IoT endpoints fully. The average executive thinks IoT devices account for 1 percent of their network when in fact, these devices make up about 43 percent of all endpoints, according to a report by IoT For All. And we are only at the beginning of the IoT hardware explosion. The compound annual growth rate for laptops is about 0.3 percent, while the growth rate for IoT is nearly 36 percent. What buildings don’t know about their network can hurt them massively, and there are a lot of unknowns with IoT connections. It’s far too easy to overlook the enormous variety of IoT devices in a corporate office, hence why hackers see a prime opportunity.
“The way it works is it’ll usually take a disaster to happen first,” said Jason Hong, a professor in the Computer Science Department at Carnegie Mellon University. “We’re going to see more IoT attacks and possibly some real nightmare scenarios,” Hong told me. Even though more webcams and smaller devices are often breached, many major tech manufacturers worldwide still prioritize marketability and ease of use over security.
The most significant recent advancement in IoT security was the Trump administration passing the bipartisan Internet of Things Cybersecurity Improvement Act in 2020. The law doesn’t specify requirements but instructs the National Institute of Standards and Technology (NIST) to do this. Technically, the law only covers IoT devices purchased with U.S. government money, but private-sector companies will likely have to adhere to the standard. The law requires standards and policies to be updated at least once every five years, but experts stressed it would probably only affect new IoT purchases. That will leave existing devices exposed. Either way, many think it’s a good start. “IoT is a Wild West today, and nobody cares,” Arun DeSouza, the CISO for auto-parts manufacturer Nexteer Automotive, told IoT World Today. “Nobody has thought it through. So whatever NIST is going to recommend will be a big improvement.”
Identifying network endpoints is critical for companies looking to beef up IoT security, but it’s not as easy as it sounds. If employees are allowed access to the network, a commercial building could have more connected devices than people occupying it. IT teams often know a device exists but know little about what it is. And even if they see the device on the network, they may not know where it is in the building. Overall, Hong, the computer science professor, told me it’s hard to manage and keep track of everything.
The security for most of these forgotten devices is astonishingly weak. Many devices get installed with default passwords, and, unlike most pieces of software, they don’t get regular automatic updates and patches. Some buildings and corporate occupiers have an IT person dedicated to checking IoT cybersecurity, but not all of them.
Manage, monitor, and secure
Various reports have indicated that IoT devices have vulnerable firmware. Many devices are five to seven years behind on updates, making them an easy target. Experts estimate that up to half of all IoT devices have default credentials, so it doesn’t take a genius hacker to guess the credentials and infiltrate the network. Regular patching, firmware updates, and credential changes for these devices are critical for corporate cybersecurity, but it’s debatable how many companies do this is.
Over the last year, one evaluation of more than 1 million customer IoT devices revealed that 26 percent were at their ‘end-of-life,’ meaning they’re no longer supported. The assessment showed that 18 percent of the devices had critical vulnerabilities, allowing hackers to take complete control without using credentials.
Devices like this should be taken off the network at most buildings or at least segmented to their own network. Segmentation used to be the best approach for IoT device security, but experts say it’s no longer the greatest measure available. With segmentation, devices are quarantined on a separate network, keeping insecure devices away from anything more substantial. Segmentation can help, but it’s not a permanent solution. Insecure devices still pose a threat even when they’re segmented if hackers use different types of entry techniques.
That’s why the best cybersecurity practice today is inoculating devices against vulnerability. Inoculation ensures an IoT devices’ patches and firmware are up to date, the credentials are regularly checked, and an accurate inventory is kept. Automation allows many property management IT teams to control and secure IoT on their networks. Still, even with automation in place, there needs to be a plan to manage, monitor, and secure IoT ecosystems against threats.
A fishy case study
Taking these measures to ensure IoT security is wise because breaches can have significant negative implications. Sometimes breaches happen through HVAC controls, but the most infamous case was a casino that got hacked through their fish tank. The high-tech fish tank installed in the casino lobby had an IoT connection allowing it to monitor temperature and salinity, among other things, remotely. The casino configured the tank to use an individual VPN to isolate the connection, but the device occasionally communicated with other connected devices in the building.
The casino’s threat systems noticed the fish tank device was exporting a large amount of data, but it was too late. By the time property management discovered the hack, the tank device had sent about 10 GB of data to Finland, an example of exfiltration. The fish tank hack is legendary in the cybersecurity community, and all the sources I talked to for this story mentioned it. It’s a clear example of just how vulnerable IoT devices are.
Any way you look at it, cybersecurity is a growing concern for corporate occupiers and property managers and garnering more attention lately, rightfully so. Cybersecurity conversations have become more prevalent in the media over several years, and even smaller businesses are beefing up security. But with IoT, we’re still mostly playing catch-up. Earlier generations of IoT devices didn’t put security at the forefront, as some smaller companies rushed to get products out to the market too quickly.
Bit by bit, the Internet of Things industry is shifting its focus to better security, and it can’t come soon enough. The U.S. government’s new IoT cybersecurity law should help. If a casino fish tank system can get hacked, nearly anything is vulnerable in a commercial building. IoT devices do wonders for property managers, enabling them to use smart building tech that vastly improves their assets. But if those devices aren’t secure and remain vulnerable to hacks, the tech can backfire in spectacular ways. IoT is by far the weakest link in commercial building security and needs more attention than ever.