Building automation systems deploy thousands of smart devices across open networks, and the increased connectivity to the worldwide web, combined with unclear system ownership creates a large and vulnerable attack surface. In this article we will examine what’s behind the weak cybersecurity levels in smart buildings, including how these threats can manifest through a combination of attack vectors and complex human factors that are creating a perfect storm of people, process and technology challenges.
In one of the first (and highly publicized) breaches involving building automation, Target Stores exposed 40 million of their customers’ credit cards to hackers. Ultimately, this resulted in an $18 million lawsuit and a much larger loss in revenue. Though never confirmed publicly, this infamous hack is purported to have been engineered through the connection of a local HVAC service company to a Target virtual private network (VPN). This in itself is not news, but what is unsettling is that this incident occurred in 2013. While Target has undoubtedly improved their security practices, threats have become far more sophisticated since then, and the growth of smart buildings has increased substantially.
As with Target, support by third parties is essential for maintaining all types of building systems. This includes HVAC, lighting control, physical security, fire detection, energy, elevator control and many other business critical platforms. In smart buildings, each of these functions is customized for the particular building where it is installed, making it practically impossible for facility management and information technology (IT) teams to maintain without support from a specialist. In the case of Target, it is likely that a service technician’s computer was unwittingly infected via a phishing attack, and once they connected to the Target network, the seeds were planted for the broader exploit involving point of sale systems.
But third-party maintenance technicians aren’t the only avenue of attack. The stage is set for cyber problems during construction because of the way projects are managed via a complex chain involving investors, project designers, contractors, subcontractors and system installers.
The goal of the construction contracting chain is to produce a building on time, on spec and within budget. The systems that make the building smart are only one facet of the project. In most cases the only one remotely concerned with cybersecurity is the system integrator, and they are often the lowest-cost bidder at the end of the chain. Most integrators have increased cyber competency in recent years, but there is only so much they can do given the way buildings are constructed and managed.
Following construction, ownership of the systems becomes the next hurdle. Considering a multi-tenant office tower, when construction is finished and the building is opened, the project developer will be the owner. Within a few years, they will sell the building to a permanent owner-operator. The backbone building network, installed during construction, will then become a shared utility hosting both the building management systems, or operational technology (OT), and the tenant’s business systems (IT). Though these networks are partitioned using virtual local area networks (VLANs), access privileges to the network are often shared across a series of owners, vendors and tenants.
In owner-occupied buildings, such as universities or hospitals, there may be more involvement by the owner during construction. However, these buildings are also delegated to the contractor, resulting in an installation which is cyber compromised from the onset.
For the life of the building, it is the operator’s facility management team that will oversee the systems, though in recent years, the trend is to outsource this to third parties who specialize in building maintenance. While facility teams are expert users of building automation systems, they are not experts in programming. As a result, they will outsource most of the technical work to local integrators. This complex process creates a patchwork of third-party facility managers hiring third-party integrators to work on a system. Maintaining robust cybersecurity practices in this environment requires specialized processes and automation.
With much of the service outsourced, and because enterprise IT is often unable or unwilling to support these mission-critical OT systems, cybersecurity may only receive tacit attention, or be ignored altogether. When this happens, the entire corporate network becomes vulnerable.
Most large companies operate wide area networks (WANs). It is typical for WANs to have flat architectures (common corporate domain and no internal firewalls), which makes it very convenient for users and applications to connect internally. However, this convenience also means that malware and other threats can spread quickly and deeply from local sources across the global enterprise. Smart building systems have three to four times as many computers on the network as user computers. Without defensive measures, these large OT networks become the soft underbelly for launching enterprise-wide exploitations.
Considering the landscape today, it is apparent that the global pandemic has increased adoption of remote facility services. As customers and service companies moved quickly to establish remote support, it’s likely shortcuts were taken, resulting in control systems connected directly to the internet (without firewalls to protect them). Researchers report that probes using programs such as Shodan and making use of vendor’s default internet protocol (IP) addresses and passwords have identified thousands of smart building devices. These days, the average time for malware to discover a new unprotected device is a matter of minutes.
Though less common, we also need to consider that it is relatively easy to connect to physical ports on a smart device. Given the thousands of devices and hundreds of people moving in and out of large buildings each day, unauthorized physical access is difficult to detect. The trend today is for vendors to include several ports on their smart controllers including ethernet, Bluetooth and USB, all of which can be accessed through open protocols including BACnet.
This perfect storm of threats and surge of devices combined with human factors is impacting smart buildings and enterprises alike. Smart buildings are the future, and the market is growing. When operating properly, they are healthier, safer and more energy efficient. This is why improving cybersecurity for these systems is essential.