New Smarts Also Means New Vulnerabilities for Connected Buildings

Finland is one of four European countries leading the push to incorporate smart technologies into building infrastructure. By adding automation, internet-connected devices, and new management capabilities, such smart buildings can significantly save management costs and add potential revenue streams.

Yet, like the rollout of any new technology, the deployments are not without drawbacks.

In early winter 2016, a denial-of-service attack on a building management company caused the systems that controlled heating for two buildings to repeatedly reboot. The cycle of restarts caused the heating system to stop working. The attacks—apparently instigated only because the systems were vulnerable—were not isolated, with similar packet floods shutting down heating in other buildings in the country.

The incidents highlight the lack of cyber security for building-automation systems and the problems that such vulnerabilities can cause. City and building managers are adding the technology to make their jobs easier, but often without considering the security implications first, said Patrick Gardner, vice president of advanced threat protection at Symantec.

“Cyber is a new fundamental domain for those involved in physical infrastructure,” he said. “We don’t have a good understanding of the issues at an executive level.”

For building owners, the move to more-connected technology can save significant costs on operations and maintenance. Lighting system managed by machine learning and using sensors that can detect workers' presence can save companies up to 90 percent of their current lighting costs. Because buildings—both commercial and residential—account for about 40 percent of total U.S. energy consumption, smarter buildings could help significantly reduce national energy needs.

Yet, a key component of the smarts in smart buildings is from the interconnectedness of the systems, making cyber security a primary concern. In particular, the systems that run critical building functions—known as operational technology or OT—have often been created without considering the ramifications of being connected to the internet.

"Since building automation emerged in the 1980s and development sped up in the 1990s, the reality is that buildings have always been the end case of what you would call the smart internet of things or the internet of everything," said Rawlson O'Neil King, communications director at the Continental Automated Buildings Association (CABA). "The building networks were specialized; those network technologies were specifically created for that application. When you have OT integrated with information technology, then you are opening it up to potentially the public internet and attacks."

The problem is that while the economics favor making buildings smarter, the technology and infrastructure is not very mature security-wise. In 2013, for example, an HVAC management company ended up being the pathway that hackers exploited to attack a retail store. Elsewhere, a 2014 video of Dubai's Burj Khalifa, the tallest building in the world, showed management terminals running Windows XP. Microsoft stopped supporting the operating system—at the time 12 years old—that year.

"As an industry, if someone is running Windows 95 right now, you would laugh them out of a room,” Symantec’s Gardner said. “If you have something like a car or a building, the lifespan of those systems is in multiple decades, so imagine a smart building was created 30 years ago and was running Windows 95—how can you upgrade that? We need to figure that out.”

Our (Increasingly) Connected Future

The problems continue to plague building management systems. In December 2018, the FBI reportedly told private sector firms that a port used to communicate with building control systems is regularly left open to attack.

In the future, buildings will only become more automated and more connected. Smart sensors are estimated to grow at a 79 percent annual rate until 2020, according to consulting firm Deloitte. Part of the allure of installing internet-of-things devices in buildings is the ability to collect data on tenants and visitors, but smart-building proponents also stress that adding technology and the ability to monitor tenant and consumers allows the development of additional sources of income beyond rental fees, such as direct marketing and add-on services.

Hotels will likely lead the smart building charge. Commercial buildings are typically renovated once every 25 or 30 years, but hotels are typically updated every decade, according to IHS Markit, a market intelligence firm.

The inexorable trend means that building management firms need to be more focused on cyber security. Unfortunately, many manufacturers of the systems have not learned enough of the risks and necessary defenses. In many ways, the companies making and deploying internet-of-things technology into buildings are making the same mistakes as information-technology providers in the early 2000s.

Many do not even have a proper security contact or policy in place to handle vulnerability reports. When security firms find a vulnerability, for example, they often have a hard time finding the proper channel to report the issue to a smart-building firm. And, when they do respond, it is often with hostility—similar to how many technology providers responded in the past to vulnerability researchers.

The result is that security researchers, penetration testers and attackers have all started focusing on the lack of security in these building systems, Symantec’s Gardner said.

“You do see penetration testers and red team focusing on this,” he said. “A big part of cyber security is physical security, and this is a flip side of that. Without a clear focus on cyber security, managers of these smart buildings are putting physical security at risk.”

Without a good vulnerability-disclosure policy in place, building owners and smart-building technology makers expose themselves to even greater risk. The attack on the building management systems was not for a payday, but because the system exposed a vulnerability. The risk that hackers and security researchers expose vulnerabilities in a smart-building technology only grows greater, if there is no easy way to report the issues, according to the Cybersmart Buildings report by consultancy Booz Allen Hamilton and industrial control maker Johnson Controls.

While CABA and other organizations urge building management firms and systems makers to focus on cyber security, the industry is not ready for standards, said CABA's King.

"There is a lot of innovation going on—that is one of the issues for us," he said. "We don't pick winners and losers, but the challenge is that when you have innovation, you don't necessarily have a focus on cyber security."

Several different groups are developing best practices for protecting smart buildings against cyber threats. Creating a culture focused on recognizing cyber security as a major issue is a start, said King.

"What is emerging is the idea of best practices, not just having cyber security as a secondary goal," he said. "The idea should be that we want to have continuous cycles for security—always trying to improve the product and constantly addressing threats."