Smart buildings are popping up in towns and cities all over the world. Using a set of Building Automation Systems (BAS) to control their internal and external environments, smart buildings can save organizations lots of money and help the environment. For example, a BAS may control air conditioning and ambient lighting, resulting in a significant reduction in electricity bills.
If you’re a tech enthusiast, you may have joined a free community website and taken part in the increasing number of discussions around smart buildings. One of the hottest topics at the moment is smart building security. Experts believe many smart buildings aren’t adequately protected from cyberattacks, and the tech industry needs to act quickly to address this risk.
Why are smart buildings vulnerable?
A smart building may contain many BAS, which share information and control various aspects of the environment. Striking a balance between connectivity between devices and safeguarding data from leaks or hacks is a big challenge. In a network of dozens or hundreds of sensors, there are numerous opportunities for attackers to break into a system.
Specific threats include malware, which can be used to take control of a computer system that controls automated systems, spyware, phishing scams, and worms. Cybersecurity firm Kaspersky says that at least 40% of smart buildings are at risk of attack.
Shodan, a search engine that locates unsecured devices that are connected to the internet, is a useful tool for hackers. Using Shodan, cyber attackers can identify system components within smart buildings. Armed with this information, a hacker can find the BAS IP address, locate a login page online, and access the system.
Having taken control of a BAS, a hacker can then hold a company to ransom by asking for money in exchange for relinquishing their control over a building’s systems. Other hackers may be motivated by a desire to frighten the public, disrupt services, steal valuable information, or simply prove themselves smarter than cybersecurity staff.
How can we improve cybersecurity for smart buildings?
A smart building may contain hundreds of devices from various manufacturers, who may not design their components to be compatible with those from other suppliers. Organizations should scrutinize their supply chains when setting up smart systems, ensuring that they choose high-quality components that can be incorporated into a safe, secure network.
An organization needs to know how many devices are in operation and how they connect to others in the network. They need to establish a baseline for routine operations – any sudden deviation is a useful early warning signal that the network may be under attack.
Technology is a rapidly changing landscape, and security staff needs to stay abreast of the latest threats to BAS. Setting aside a budget for ongoing training and development will pay off in the long run; recovering from an attack is costly in terms of time and money.
Every organization needs to establish its risk tolerance, both in terms of general strategy and with regards to specific systems. It’s likely that some systems will need more protection than others. For example, in a high-security environment that houses expensive or dangerous equipment, automated camera systems will warrant a higher investment than climate control in the bathrooms. Conducting an asset audit is the first step to prioritization of resources.
All software needs to be patched and updated on a regular basis; attackers make a point of exploiting known vulnerabilities, so organizations need to keep up. When working with vendors, they need to understand when and how the vendor will update the system. Both parties also need to agree on how long the system will be in use before it needs to be replaced completely. Systems should be subjected to regular stress tests to ensure security measures are working correctly.
Communication is key to strong security
Finally, to keep data and systems safe, all stakeholders – not just those working in IT or cybersecurity – need to appreciate the importance of security. Everyone from the boardroom to cleaning staff needs to appreciate the importance of security and privacy, and what to do in the event of a known or suspected cyberattack. Only when everyone is willing to be held accountable and adhere to best practices will we be able to use smart buildings with confidence.