
In an Internet of Things (IoT) world, smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.

The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid. The threat that such systems pose is two-fold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and pose safety risks. Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.

The massive data theft at Target, for instance, started with someone finding a way into the company’s network using the access credentials of a company that remotely maintained the retailer’s heating, ventilation and air conditioning (HVAC) system. In Target’s case, the breach appears to have happened because the company did not properly segment its data network. Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the U.K.’s Institution of Engineering and Technology.

“It creates some interesting challenges for enterprise IT,” Boyes said. “They need to know there are some increasingly complex networks being put into their buildings that are running outside their control.” As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on. In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have web connectivity linking them with an external third party for maintenance and support purposes. “You quickly get into a situation where a network that was just inside the building goes to locations outside the building,” Boyes said.

It’s not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might stick smart sensors on all the elevators in a building to detect and spot a failure before it happens. Or, a building manager might have technology in place to monitor and conserve water use in a facility. Many of these technologies will have a path out of the building and over an IP network to a third-party supplier or service provider, Boyes said. Often the data from these systems are captured not only for real-time decision support but also for longer-term data analytics.

Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC. Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks. “None of these systems are isolated any longer,” Sinopoli said. A security breach in one system could have a cascading effect on multiple building automation systems and networks, he said.

The threat is not only about someone penetrating a building system to cause serious disruptions. There is also a potential impact on IT, such as a loss of communications due to a building system outage or unauthorized access to enterprise data because of poor segmentation between the building automation network and the IT network. “The penetration of IT into building systems is an issue that is front and center,” at a growing number of companies, Sinopoli said.

As buildings have become smarter, vendors of consumer devices have begun entering the space, said Rolf von Roessing, president of German security consulting company Forta AG and a member of ISACA’s Professional Influence and Advocacy Committee. ISACA is a trade group focused on IT governance issues, with 128,000 members. “Building automation, including critical functionality, is now readily available through web shops and hardware or electronics stores. While professional solutions usually feature in-built security and protection against hacking, consumer offerings are less well protected,” von Roessing said.

In terms of preparation, IT practitioners should extend their information security and cybersecurity management processes to cover buildings and building management systems, he said. “In many cases, these will be controlled through a Windows-based or compatible interface, using standard PC equipment and network connectivity via standard IP,” von Roessing said. “Where remote control is a known or desired feature, security practitioners should look long and hard at mobile devices, the remote control apps and underlying processes. If and where critical building functionality can be controlled and manipulated from an unprotected mobile device, there is a significant risk of breaches,” he said.

For a growing number of companies, the issue is already upon them, said John Pescatore, director of emerging security trends at SANS. In a SANS survey on the security of the Internet of Things, smart buildings and industrial control systems were the second most frequently cited near-term concern behind consumer devices, Pescatore said. Often, IT has little idea of the sheer scope of the issue, Pescatore said. He gave the example of one university’s chief information security officer at a recent SANS conference who ran a security scan of a new building on the campus. “In a single six-story building, he found nearly 1,500 sensors,” in elevators, doors, camera systems, lighting and heating systems and elsewhere, Pescatore said.

Traditionally, building management systems have not been considered IT systems. They are not selected by the CIO and have long been considered operational technology under the purview of building and facilities management teams. That attitude will have to change. Building management and IT organizations will need to work together to identify and mitigate potential risks, said Robert Stroud, the incoming international president of ISACA. But any response will need to be based on a thorough understanding of the risks, Stroud said. Companies will likely have to pay more attention to practices like network segmentation, strong authentication and network monitoring. Vendor management processes will need special attention, Stroud noted.

Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation world don’t have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products. Few have any notification process to let customers know about security threats to their products. IT organizations will need to work with building management teams to update vendor lists, build a register of contacts and know who to reach out to in case a response needs to be escalated, Stroud said.

 

Source: CiteWorld

Advances in building and information technologies have brought a new “big data” analytics-based approach to facilities management—one that ushers in a new era of operational control, reliability and productivity for businesses and workers. Smart buildings can increase employee comfort, engagement and productivity, according to Jones Lang LaSalle’s latest report, The Changing Face of Smart Buildings: The Op-Ex Advantage.

Technological advances have finally converged with long-existing and significant opportunities for improving energy efficiency and the user experience within buildings. We are seeing tenant satisfaction improve while building operating costs are reduced, especially when tenants are actively engaged with controlling energy usage.

The Big Data generated by smart building systems is a major force shaping the human experience within buildings. Building data analytics provides unprecedented insight into energy use and facilities operations.

Today’s computer-controlled “smart” building systems can be programmed to accommodate the needs of building occupants. Lighting and temperature, for instance, can automatically adjust during peak and off-peak occupancy periods. Smart building technologies can be used to provide a more customized and energy-efficient experience for building users—think, better temperature, lighting or security control for offices, and more reliable power for manufacturing facilities.

In addition, these automated systems generate reams of data that a smart building management service can transmit to a remote data center for analysis by facilities professionals. Using predictive analytics, facilities managers can anticipate and address user needs and requests related to heating, ventilation, lighting, way-finding, security and more.

Affordable new technologies driving smart building progress

Recent significant price reductions in cloud computing-based building management technologies have made these systems affordable. For example, wireless sensors used in smart building managed services are now available for less than $10 per unit. These sensors can transmit data from smart systems in hundreds of buildings to far-flung remote cloud-computing platforms where advanced analytics can turn data into actionable intelligence to improve building performance.

Building occupants’ growing expectations

Smart buildings can boost tenant satisfaction and productivity, according to The Changing Face of Smart Buildings. Along with next-generation buildings comes a new generation of building occupants, with new workplace preferences and expectations for their work facilities. Companies increasingly rely on mobile workers, and smart buildings are able to adapt more readily to new flexible workplace models. Clean, green, efficient buildings are gaining a marketing advantage for landlords.

The trend for employees to connect from anywhere, or to bring their own devices to custom-fitted work settings, will profoundly change the way building owners lease space. Demand for more network sophistication that can adapt to changing work patterns will play to the advantage of smart building owners.

Smart buildings also can help companies use sustainability as a hook for engaging employees. In a major Empire State Building energy retrofit, for example, the project team added smart building components to the landmark office property. Real-time energy displays enable Empire State Building tenants to better monitor and control their energy consumption, and even compete with other tenants in the building to achieve energy savings.

Looking ahead, there is Fraunhofer CSE’s Building Technology Showcase in Boston, which houses Fraunhofer’s building science research facilities and is designed to consume half the energy of a comparable structure. In the lobby, an iPad-driven display shows the building’s internal smart building technology at work, with digital read-outs showing real-time energy gains in lighting, cooling and heating, water use and energy generation. It’s a simple but powerful idea that potentially could be applied in every smart building lobby.

Jones Lang LaSalle’s report, The Changing Face of Smart Buildings: The Op-Ex Advantage, provides a comprehensive, state-of-the-market view on smart buildings, providing the first multi-dimensional business case for smart technology investment. The full report can be downloaded here: http://bit.ly/HvhSx6

 

 

Source: NREI