In an Internet of Things (IoT) world, smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.
The massive data theft at Target, for instance, started with someone finding a way into the company’s network using the access credentials of a company that remotely maintained the retailer’s heating, ventilation and air conditioning (HVAC) system. In Target’s case, the breach appears to have happened because the company did not properly segment its data network. Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the U.K.’s Institution of Engineering and Technology.
“It creates some interesting challenges for enterprise IT,” Boyes said. “They need to know there are some increasingly complex networks being put into their buildings that are running outside their control.” As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on. In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have web connectivity linking them with an external third party for maintenance and support purposes. “You quickly get into a situation where a network that was just inside the building goes to locations outside the building,” Boyes said.
It’s not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might stick smart sensors on all the elevators in a building to detect and spot a failure before it happens. Or, a building manager might have technology in place to monitor and conserve water use in a facility. Many of these technologies will have a path out of the building and over an IP network to a third-party supplier or service provider, Boyes said. Often the data from these systems are captured not only for real-time decision support but also for longer-term data analytics.
Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC. Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks. “None of these systems are isolated any longer,” Sinopoli said. A security breach in one system could have a cascading effect on multiple building automation systems and networks, he said.
The threat is not only about someone penetrating a building system to cause serious disruptions. There is also a potential impact on IT, such as a loss of communications due to a building system outage or unauthorized access to enterprise data because of poor segmentation between the building automation network and the IT network. “The penetration of IT into building systems is an issue that is front and center,” at a growing number of companies, Sinopoli said.
As buildings have become smarter, vendors of consumer devices have begun entering the space, said Rolf von Roessing, president of German security consulting company Forta AG and a member of ISACA’s Professional Influence and Advocacy Committee. ISACA is a trade group focused on IT governance issues, with 128,000 members. “Building automation, including critical functionality, is now readily available through web shops and hardware or electronics stores. While professional solutions usually feature in-built security and protection against hacking, consumer offerings are less well protected,” von Roessing said.
In terms of preparation, IT practitioners should extend their information security and cybersecurity management processes to cover buildings and building management systems, he said. “In many cases, these will be controlled through a Windows-based or compatible interface, using standard PC equipment and network connectivity via standard IP,” von Roessing said. “Where remote control is a known or desired feature, security practitioners should look long and hard at mobile devices, the remote control apps and underlying processes. If and where critical building functionality can be controlled and manipulated from an unprotected mobile device, there is a significant risk of breaches,” he said.
For a growing number of companies, the issue is already upon them, said John Pescatore, director of emerging security trends at SANS. In a SANS survey on the security of the Internet of Things, smart buildings and industrial control systems were the second most frequently cited near-term concern, behind consumer devices, Pescatore said. Often, IT has little idea of the sheer scope of the issue, Pescatore said. He gave the example of one university’s chief information security officer at a recent SANS conference who ran a security scan of a new building on the campus. “In a single six-story building, he found nearly 1,500 sensors,” in elevators, doors, camera systems, lighting and heating systems and elsewhere, Pescatore said.
Traditionally, building management systems have not been considered IT systems. They are not selected by the CIO and have long been considered operational technology under the purview of building and facilities management teams. That attitude will have to change. Building management and IT organizations will need to work together to identify and mitigate potential risks, said Robert Stroud, the incoming international president of ISACA. But any response will need to be based on a thorough understanding of the risks, Stroud said. Companies will likely have to pay more attention to practices like network segmentation, strong authentication and network monitoring. Vendor management processes will need special attention, Stroud noted.
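As an added illustration of what the network monitoring and segmentation checks mentioned above can look like in practice (example code written for this page, not from any of the quoted experts or their organizations): a small audit over constructed flow records that flags traffic crossing between a building-automation VLAN and the enterprise data network, BACnet/IP traffic seen outside the automation segment, and paths from building systems to external addresses. The subnets, the approved management host and the flow records are all assumptions.

```python
import ipaddress

# Assumed address plan (constructed for this example, not from the article):
BMS_NETS = [ipaddress.ip_network("10.50.0.0/16")]         # building automation VLAN
ENTERPRISE_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # corporate data network
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_JUMP_HOSTS = {ipaddress.ip_address("10.10.9.10")}    # only IT host allowed into the BMS
BACNET_PORT = 47808  # BACnet/IP default UDP port (0xBAC0)

# Constructed flow records, one per line: src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
10.50.1.20,10.50.1.21,udp,47808
10.10.9.10,10.50.1.20,tcp,443
10.50.1.30,10.10.20.15,tcp,445
10.10.33.7,10.50.1.20,udp,47808
10.50.1.20,203.0.113.9,tcp,443
"""

def _in(nets, ip):
    return any(ip in net for net in nets)

def parse_flow(line):
    src, dst, proto, port = line.strip().split(",")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)

def classify(flow):
    """Return the segmentation findings for one flow (empty list means no concern)."""
    src, dst, proto, port = flow
    findings = []
    if _in(BMS_NETS, src) and _in(ENTERPRISE_NETS, dst):
        findings.append("bms_to_enterprise")  # pivot path from building system into IT data
    if _in(ENTERPRISE_NETS, src) and _in(BMS_NETS, dst) and src not in MGMT_JUMP_HOSTS:
        findings.append("unapproved_enterprise_to_bms")  # IT host reaching controllers directly
    if port == BACNET_PORT and not (_in(BMS_NETS, src) and _in(BMS_NETS, dst)):
        findings.append("bacnet_outside_bms")  # open protocol leaking past the automation segment
    if _in(BMS_NETS, src) and not _in(INTERNAL_NETS, dst):
        findings.append("bms_to_external")  # vendor/remote-support path that needs oversight
    return findings

def audit(text):
    """Classify every non-empty flow line; returns [(line, findings), ...]."""
    return [(ln.strip(), classify(parse_flow(ln))) for ln in text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS):
        print(line, "->", findings or "ok")
```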
Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation world don’t have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products. Few have any notification process to let customers know about security threats to their products. IT organizations will need to work with building management teams to update vendor lists, build a register of contacts and know who to reach out to in case a response needs to be escalated, Stroud said.