Things that make a building “smart” have been around for a while. Typically they are things like door locks, alarms, security camera systems (CCTV and the like), and HVAC systems. Just like any network-attached device, the growing implementation of more advanced building systems and the connected web of devices we are calling the Internet of Things causes both direct and indirect security threats.
Every day there are direct threats from new vulnerabilities. These include poor patch management, manufacturers not providing updates, improper activity due to cyberattacks, or merely a system fault. Indirectly, the devices could be jump points for lateral movement and could be utilized as a part of a more significant internal or external attack by targeting other systems and networks. Facility managers and developers need to think about cybersecurity from the start when deploying advanced technologies. Significant advancements have been made in securing our newly intelligent buildings from the threats they will bring. How you implement cybersecurity best practices will have everything to do with the safety of your building and your organization.
The emergence of more sophisticated and powerful building automation systems (or BAS for all of us techies that like to talk in acronyms) presents significant risks to critical systems. Since BAS uses interlinked networks of software and hardware to monitor and control a building’s mechanical and electrical systems (HVAC, lighting, fire systems, etc.), all of these functions are vulnerable to cyber threats.
Direct attacks on automated building systems are possible, and the more capabilities the building has, the more it can be used to cause havoc on the physical environment. Think about the amount of control someone could have over elements of the building’s functions like lights, HVAC, elevators, CCTV, fire suppression, door locks or alarms if they were able to get into the main building system control. What would happen if these were modified in an unauthorized manner?
With the growing risks associated with automated management systems, it’s crucial to have a grasp on all that could go wrong in order to best prepare. One concern is losing power and having to switch over to backups, which are often not sized for full operations, just essential resources. This could lead to elevators going to the ground floor and no longer being available. Additionally, if you rely on a generator that has a limited fuel supply, power will eventually be lost entirely, never mind the expenses associated with the fuel.
Another physical threat that could emerge from a cyberattack is the control of a fire suppression system. Imagine losing control of that function, and the damages that would arise from thousands of gallons of water dumped onto computers, servers, and even furniture.
So, how do we best prepare against physical damage from cyberattacks? Use best practices and evaluate these risks when making source selections.
Ask the following questions about software, hardware, and firmware lifecycle:
- What options for centralized access controls exist?
- Are there software-defined policy enforcement controls?
- Does the solution have standard log formats that can be sent to a Security Information and Event Manager (SIEM, a log management computer that can actively respond to detected threats to stop them)?
- Can you change the default system passwords in the OS that runs BAS applications? Most IoT and network appliances run some version of Windows or Linux, such as Android or CentOS.
- What does the ongoing support process look like?
- Do they publish discovered vulnerabilities to the National Institute of Standards and Technology (NIST)/US-Cyber Emergency Readiness Team (US-CERT) for inclusion in the National Vulnerability Database? The NVD is a resource most security assessment solutions rely on to detect weaknesses. US-CERT alerts all subscribers of recently published vulnerabilities, giving them a chance to mitigate and secure their systems.
- What are the fail-safes? Do the exit doors have crash bars or other physical overrides to locks? Can elevators default back to a separate standard controller if the BAS fails?
- What about backup, recovery, and continuity planning? If the BAS or any components are damaged, hacked, or otherwise need to be replaced, can you quickly restore the configuration or recover lost data?
- Can we limit the kinds and amount of information collected about personnel and routine behavior?
- How do the components communicate with each other, and is that communication using secure encryption? Can it be easily spoofed?
Advancements to building management systems are accelerating. For example, The Edge Amsterdam is a smart building that’s occupied by Deloitte and monitors movements and activities of employees, among other things. Employees use an app that connects them to the building, which can direct them to available working spaces, parking spaces, and their colleagues. It can even help to remember coffee orders!
Connecting workers and employees to buildings through IoT is becoming a reality. However, this is not to keep better tabs on employees. Providing better means of safety and security is the primary goal of most smart devices used to monitor employees. Beyond the general threats of all IoT and BAS/BMS listed above, wearable threats pose more dangers than simple “1984” levels of employee micromanagement. Wearables have the ability to become a concern in the case of physical threats.
Employee wearables with tracking systems have some inherent faults. Their location tracking systems can give intruders the means to know where potential targets are, or even let thieves know people’s habits. When computer systems have access to an overwhelming amount of information on a person’s behaviors, doors are opened to risks and threats of social engineering along with subsequent threats. For example, if two employees can be traced having coffee together one morning, a cybercriminal could send an enticing email to one of those employees to “share those files we discussed over coffee.”
All employees need to be trained on their roles in IT security for the organization. Simple safeguards, like being able to identify threats or not click on a phishing email, can save your company from a much larger issue. We suggest our cybersecurity training to help employees prepare against sophisticated cyber threats.
Much larger risks can be mitigated by securing the configuration of the management systems so that the features are fully utilized before purchase. This includes SIEM integration, network isolation and firewall configuration, communication encryption, centralized access control, and identity management.
A cybersecurity strategy should not merely focus on the prevention of a compromise. To be truly effective, security should also be able to detect unusual activity within the system and raise alarms of a compromise or potential abuse of the monitoring capabilities. This can be achieved by integration with solutions like a SIEM.
To prevent the excessive monitoring and oversight that comes with wearables and location tracking, the answer is simple: do not enable active monitoring, and prevent managers from directly accessing the history. A multi-party approach for reviewing activity should be used instead. For example, if a manager suspects an employee is not performing as well as they should due to excessive time away from their desk, the investigation should involve HR and security. Access to employee data is less likely to be abused if more people need to be involved in the analysis process. Justification for this limitation involves employee and visitor privacy. Once you introduce technology into the building, privacy laws like GDPR and other government rules begin to apply.
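One way to enforce the multi-party review described above in software, shown as an added example rather than code from the original article. The role names, the `HistoryAccessRequest` class and the sample tracking records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: both of these reviewer roles must approve before history is released.
REQUIRED_ROLES = {"hr", "security"}

# Constructed sample data: wearable/badge location history per employee.
LOCATION_HISTORY = {
    "emp-1001": [("2024-03-04T09:02", "lobby"), ("2024-03-04T09:10", "cafe")],
}


@dataclass
class HistoryAccessRequest:
    requester: str        # e.g. the manager asking for the data
    subject: str          # employee whose history is requested
    justification: str
    approvals: dict = field(default_factory=dict)  # role -> approver id
    audit: list = field(default_factory=list)      # events to forward to a SIEM

    def approve(self, approver: str, role: str) -> None:
        if role not in REQUIRED_ROLES:
            raise PermissionError(f"role {role!r} cannot approve")
        # Separation of duties: the requester cannot approve their own request,
        # and one person cannot sign off for both roles.
        if approver == self.requester or approver in self.approvals.values():
            self.audit.append(("approve_denied", approver, role))
            raise PermissionError("approver must be independent")
        self.approvals[role] = approver
        self.audit.append(("approved", approver, role))

    def release(self) -> list:
        # Deny by default: no data leaves until every required role has approved.
        missing = sorted(REQUIRED_ROLES - set(self.approvals))
        if missing:
            self.audit.append(("release_denied", self.requester, missing))
            raise PermissionError(f"missing approval from: {missing}")
        self.audit.append(("released", self.requester, self.subject))
        return list(LOCATION_HISTORY.get(self.subject, []))
```

Denied attempts are recorded alongside successful releases, so the audit trail can feed the same alerting used for the rest of the BAS.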
Buildings will only continue to become more connected by collecting an overwhelming amount of information and data, which is required to make the building the smartest it can be. Currently, most IoT devices are designed for the home market, which has fewer cybersecurity concerns. Privacy concerns at facilities like Class A office buildings or hospitals are much more critical.
Specific threats to public and Class A buildings are an enormous concern, and the property industry needs to consider this. While homeowners might not care about an overcollection of personal data, work environments and hospitals collecting data could compromise occupants’ rights to privacy, especially if the building’s IoT cloud is hacked.
Perhaps the most significant privacy concern is within healthcare facilities, which house critical data on patients and visitors. Vulnerabilities in the system or data breaches of IoT devices could lead to private healthcare information being collected, misused, and abused, which would violate healthcare-related privacy laws like HIPAA. When it comes to concerns related to healthcare information, remember that even something as simple as identifying frequent visits to locations of known medical facilities and the specialties could reveal protected health information. Unfortunately (in this instance) the internet doesn’t forget. If logs are exposed, they could enable unlawful abuse and prejudice for years to come. If your building monitors more than biomonitors, like speech, you need to ask yourself what nonmedical information could be collected and unlawfully retained. What about liability if threats are recorded but not acted upon?
The risks associated with data collection in public environments are extensive and have a direct impact on the welfare and safety of society. There are implications for industries across the board. When police and fire department facilities are impacted by critical outages or damages caused by BAS failures or compromises, their disaster and emergency response capabilities are weakened. For hospitals and health care facilities, life-threatening harm from cybercrime has been demonstrated with IoT-enabled implanted defibrillators and pacemakers.
At facilities where security is particularly important (healthcare facilities, educational institutions, Class A buildings, commercial buildings), managers need to follow a model for cybersecurity best practices. At a high level, they should understand the NIST Cybersecurity Framework for the ongoing lifecycle and security management: plan, identify, detect, respond, recover. This framework is designed to mitigate the constant threats and evolution of IT by:
- Categorizing IT systems and potential risks/damages
- Selecting the best solutions to minimize risk and a variety of controls to secure the solution/service
- Implementing services and a variety of security controls to entirely negate or mitigate the risks
- Assessing and testing the controls to ensure they work and prevent the threats and/or raise the appropriate alarms/alerts (and that the response procedures are satisfactory and the security controls do not adversely impact productivity)
- Authorizing formal documentation and approval of the use of the service or solutions along with the corresponding security controls
- Monitoring the security controls to remain effective and current against the evolving threat landscape
Smart building technology is great: it allows our buildings to do things they never could before. But it is also complicated. Organizations need to identify potential cyber risks and threats that accompany this technology when creating IoT development plans. This is the only way to build security into your organization and be able to evolve with the ever-changing security landscape. Proactively implementing cybersecurity safeguards is the most efficient way to keep your building secure. Trust us, you don’t want to have to think about your cybersecurity strategy once it’s already too late.