Article

Smart & Intelligent Buildings: Cyber Security Considerations

Smart buildings consist of computer control system networks supported by IoT devices. We discuss the potential areas of risks that these systems may face and the potential considerations.

Skyscrapers in a smart city

The connectivity of people, workplaces and assets are becoming more commonplace in today’s society. Smart buildings and intelligent buildings consist of “computer control system networks” supported by Internet of Things (IoT) devices, such as sensors and actuators. These devices connect to, manage, or overview standalone building automation systems for elevators; heating, ventilation, and air-conditioning (HVAC); access control; security; fire protection; and lighting. In some instances, they control these various building systems directly. 

Data from these sensors can be used to provide a holistic overview of the building usage in various areas at different times of the day, month, and season, ultimately optimising energy usage and operational efficiency. 

Aside from energy efficiency, there are a number of factors driving the growing automation of the building environment. These include providing insights and analytics on usage (by who, when, and how much), improving building resource utilisation and preventative maintenance, minimising operational costs, and improving tenants’ wellbeing and satisfaction, making the property more desirable. 

Furthermore, with growing emphasis on sustainability, smart buildings directly support an organisation’s climate and environmental, social and governance (ESG) initiatives and goals. 

Currently, over half of the world’s cities have a smart city roadmap. While according to Mckinsey buildings produce 6% of global emissions, a smarter building can contribute to a smart city’s goal to reduce carbon footprint. This would improve energy efficiency and enhance citizens’ lifestyles, as well as, support an organisation’s ESG initiatives and goals. 

The Virtual Meets the Physical

Like any new and emerging technology, additional risk considerations need to be identified and assessed. Cisco states that by 2025, more than 75% of new construction will be smart or intelligent buildings; these do not include the current portfolio of building stock with these technologies already fitted. Hence, the risk of cyber security breaches of connected control system infrastructure is a very real area of concern. 

Consider the example in November 2016 where two buildings in Lappeenranta, Finland, lost heating for at least two days. This was due to a Distributed Denial of Service (DDoS) attack, which disabled the computers that were controlling heating in the buildings. In Germany, October 2021, a building-automation engineering firm also experienced a cyberattack. It locked them out of the system and rendered three-quarters of several hundred devices in the building non-operational, affecting the lighting, motion detectors, and window shutter controllers. The office building devices were restored after weeks of resorting to manual controls. The hackers had infiltrated the building automation system (BAS) through an unsecure user datagram protocol (UDP) port on the public internet. 

According to Kaspersky’s 2019 report, almost 40% of the computer systems used to control smart buildings were subject to some form of malicious attack in the first half of 2019. In most cases, computers that control BAS were compromised.

  • Around 26% of the threats came from the Internet, 10% from portable storage, 10% from phishing links, and 1.5% from shared folders on corporate networks.
  • Common malware as ransomware, worms, and spyware were generally used, rather than malware with a specific purpose.
  • Many attacks exploit vulnerabilities in poorly protected IoT devices, like IP security cameras, which are often poorly integrated into legacy systems without BAS. 
  • Spyware (typically intended to steal sensitive customer account information) and worms were the most common form of attack, while phishing and ransomware were also reported.

Building Automation Standards

There are some building automation standards, such as KNX, LonWorks, and BACnet. BACnet, first introduced in 1995 and established as an internal ISO standard in 2003, is a highly utilised standard for smart building system design, with more than 60% market share of the building automation system sector. KNX and LonWorks are open standards for smart building protocols permitting control of various building elements. 

However, these building automation standards and protocols were developed without security in mind. KNX, for example, recognised this issue and, in 2021, released their KNX Secure initiative. This includes security checklist, a guide for manufacturers and installers, and a product security certification process that includes AES-128 encryption. BACnet standard was amended to BACnet Secure Connect (BACnet/SC) in 2020 to include device authentication (widely accepted international security standard X.509 certificates and public key infrastructure (PKI), cybersecurity and encryption framework that protects data transmissions), encrypted communications (based on TLS 1.3), and WebSockets protocol using secure TCP for Internet interaction.

Potential Areas of Risk

Some areas of risk and issues with these building control systems include the following:

  • Insecure passwords.
  • Software defects, errors, and deficiencies.
  • Non-encrypted communication.
  • No device authentication (for example, you can connect an IoT device to the network without being authorised / authenticated to do so).
  • Irregular software updates and patch management.
  • Security flaws, such as none or improperly configured firewalls, lack of network security monitoring, and lack of or improperly configured access controls (internal and remote including poor port security).
  • Poor security controls when connected externally; for example, implementation of user of datagram protocol (UDP) which is susceptible to domain spoofing and denial-of-service (DOS) attacks.
  • Complex, costly to develop, and difficult to manage security solutions, such as virtual private networks (VPNs) or virtual local area networks (VLANs) to integrate into the BAS system (noting that if the VLAN is compromised, a user would gain access to the BAS system).Integrating older or legacy systems, or integrating standalone building automation systems, into the wider network and bringing in their inherent lack of security protocols.
  • Development of BAS with a focus on functionality and efficiency, with little thought on the security aspects of the control system.
  • Management control of vendor access, third party maintenance, and other third parties that access parts or all of the BAS.
  • Connectivity to wider organisational systems such as financial, procurement, maintenance, asset management, and other corporate systems.
  • Connectivity to the wider internet (including secure websites and web/email messaging);
  • Rapid changes in technology. For example, the increasing use of 5G technology in the smart building market to considerably enhance the usage of wireless edge devices providing rich multimedia experiences, comes with new risks linked to the larger and faster data flows and how building automation networks are structured for security.

Furthermore, an additional area of consideration for property owners is regulatory change for public protection against the risks associated with such technologies. Penalties for failure in regulatory compliance include the UK Government’s 2021 The Product Security and Telecommunications Infrastructure (PSTI) Bill to better protect consumer IoT devices from hackers; the 2020 California IoT Bill; European Union’s General Data Protection Regulation (GDPR); and the UK General Data Protection Regulation (UK GDPR), to name but a few. 

Risk Considerations, Controls & Mitigations

So, what are the considerations for a property or building owner with regard to their building control system?

  • For existing BAS systems, review the security architecture used and identify gaps. Where possible, upgrade the system to a more secure version or to a more secure standard.
  • For current and future construction, consider using only secure BAS standards as part of the overall build.
  • Ensure that the BAS systems are designed and installed by competent, certified vendors.
  • Update passwords. Consider changing factory-set usernames and passwords and using strong password security practices (enforce complex long passwords (for example, longer than 14 characters) and/or password vaults). 
  • Consider utilising limiting the number of privileged accounts (including third party and vendor management and access) and enforce use of Multi-Factor Authentication (MFA) for network access.
  • Categorise the building network connectivity into non-building automation networks and domains — such as corporate systems, external Web or Internet — and wider area building automation systems within the building owner’s portfolio. Review whether connection is required and if so, ensure security is in place, such as firewalls, transmission encryption, and access management.
  • Implement network monitoring, event logging, alerting, and automated response solutions.
  • Review the potential cyber security gaps or flaws of emerging and new technology before implementing and ensure that security controls have been independently reviewed and tested.
  • Ensure incident response plans are established, personnel are trained in their use, and that these are reviewed and tested or simulated at least annually.

Due to the rapidly changing technology environment,  coupled with the rapid use of BAS technologies, organisations should consult with their advisers during the design of a construction project using BAS systems. This could ensure that cyber security risk controls have been identified and implemented. For those property owners with BAS control systems already installed, review the current architecture, the potential risks to be mitigated, and create a roadmap to get there.

Related insights