Smart and intelligent buildings: Cybersecurity considerations

Smart buildings consist of computer control system networks supported by IoT devices. We discuss the potential areas of risks that these systems may face and the potential considerations.

The connectivity of people, workplaces, and assets is becoming more commonplace in today’s society. Smart buildings and intelligent buildings consist of “computer control system networks” supported by Internet of Things (IoT) devices, such as sensors and actuators. These devices connect to, manage, or oversee standalone building automation systems for elevators; heating, ventilation, and air-conditioning (HVAC); access control; security; fire protection; and lighting. In some instances, they control these various building systems directly.

Data from these sensors can provide a holistic overview of the building usage in various areas at different times of the day, month, and season, ultimately optimising energy usage and operational efficiency. 

Aside from energy efficiency, several factors are driving the automation of the building environment. These include providing insights and analytics on usage (by whom, when, and how much), improving building resource utilisation and preventative maintenance, minimising operational costs, and improving tenants’ wellbeing and satisfaction, making the property more desirable.

Furthermore, with a growing emphasis on sustainability, smart buildings directly support an organisation’s climate and environmental, social, and governance (ESG) initiatives and goals. 

Over half of the world’s cities have a smart city roadmap. According to McKinsey, buildings produce 6% of global emissions. A smart building can contribute to a city’s goal to reduce its carbon footprint, improve energy efficiency, enhance citizens’ lifestyles, and support ESG initiatives and goals.

The virtual meets the physical

Like any new and emerging technology, additional risk considerations need to be identified and assessed. Cisco states that by 2025, more than 75% of new construction will be smart or intelligent buildings; this does not include the current portfolio of building stock with these technologies already fitted. Hence, the risk of cybersecurity breaches of connected control-system infrastructure is a real concern. 

Consider an example from November 2016, when two buildings in Finland lost heating for at least two days. This was due to a Distributed Denial of Service (DDoS) attack, which disabled the computers controlling the heating. In October 2021, a building-automation engineering firm in Germany also experienced a cyberattack. The attack locked the firm out of the system and rendered several hundred devices in the building non-operational, affecting the lighting, motion detectors, and window shutter controllers. The office building devices were restored after weeks of resorting to manual controls. The hackers had infiltrated the building automation system (BAS) through an unsecured User Datagram Protocol (UDP) port on the public internet.

According to Kaspersky’s 2019 report, almost 40% of the computer systems used to control smart buildings were subject to some form of malicious attack in the first half of 2019. In most cases, computers that control BAS were compromised.

  • Around 26% of the threats came from the internet, 10% from portable storage, 10% from phishing links, and 1.5% from shared folders on corporate networks.
  • Common malware, such as ransomware, worms, and spyware, were used rather than malware with a specific purpose.
  • Many attacks exploit vulnerabilities in poorly protected IoT devices, like IP security cameras, which are often badly integrated into legacy systems without BAS. 
  • Spyware (typically intended to steal sensitive customer account information) and worms were the most common form of attack, while phishing and ransomware were also reported.

Building automation standards

Building automation standards exist, such as KNX, LonWorks, and BACnet. BACnet, first introduced in 1995 and established as an International Organisation for Standardisation (ISO) standard in 2003, is a widely used standard for smart building system design, with more than 60% market share of the building automation system sector. KNX and LonWorks are open standards for smart-building protocols permitting control of various building elements.

However, these building automation standards and protocols were developed without security in mind. KNX recognised this issue and, in 2021, released KNX Secure. This initiative includes a security checklist, a guide for manufacturers and installers, and a product security certification process that includes AES-128 encryption. The BACnet standard was also amended in 2020 with BACnet Secure Connect (BACnet/SC), which adds device authentication (using X.509 certificates and public key infrastructure, a widely accepted international security standard and encryption framework that protects data transmissions), encrypted communications (based on TLS 1.3), and the WebSocket protocol over secure TCP for internet interaction.

Potential areas of risk

Areas of risk with building control systems include the following:

  • Insecure passwords.
  • Software defects, errors, and deficiencies.
  • Non-encrypted communication.
  • No device authentication (for example, you can connect an IoT device to the network without being authorised/authenticated to do so).
  • Irregular software updates and patch management.
  • Security flaws, including missing or improperly configured firewalls, lack of network security monitoring, and missing or improperly configured access controls (internal and remote, including poor port security).
  • Poor security controls when connected externally; for example, the User Datagram Protocol (UDP), which is susceptible to domain spoofing and denial-of-service (DoS) attacks.
  • Security solutions that are complex, costly to develop, and difficult to manage, such as virtual private networks (VPNs) or virtual local area networks (VLANs) to integrate into the BAS system (noting that if the VLAN is compromised, a user will gain access to the BAS system).
  • Integrating older or legacy systems, or standalone building automation systems, into the wider network and bringing in their inherent lack of security protocols.
  • Development of BAS with a focus on functionality and efficiency, yet little thought on the security aspects of the control system.
  • Management control of vendor access, third party maintenance, and other third parties that access parts or all of the BAS.
  • Connectivity to wider organisational systems such as financial, procurement, maintenance, asset management, and other corporate systems.
  • Connectivity to the wider internet (including secure websites and web/email messaging).
  • Rapid changes in technology. For example, the increasing use of 5G technology in the smart building market comes with new risks linked to larger and faster data flows and how building automation networks are structured for security.

Furthermore, an additional area of consideration for property owners is regulatory change for public protection against the risks associated with such technologies. Regulations that carry penalties for failure to comply include the UK Government’s 2021 Product Security and Telecommunications Infrastructure (PSTI) Bill to better protect consumer IoT devices from hackers; the 2020 California IoT Bill; the European Union’s General Data Protection Regulation (GDPR); and the UK General Data Protection Regulation (UK GDPR), to name but a few.

Risk considerations, controls and mitigations

So, what should a property or building owner consider with regard to their building control system?

  • For existing BAS systems, review the security architecture and identify gaps. Where possible, upgrade the system to a more secure version or a more secure standard.
  • For current and future construction, consider using only secure BAS standards as part of the overall build.
  • Ensure that the BAS systems are designed and installed by competent, certified vendors.
  • Update passwords. Consider changing factory-set usernames and passwords and use strong password security practices (enforce complex long passwords and password vaults). 
  • Limit the number of privileged accounts (including third party and vendor management and access) and enforce use of multi-factor authentication (MFA) for network access.
  • Categorise the building network connectivity into non-building automation networks and domains — such as corporate systems, external web, or internet — and wider area building automation systems within the building owner’s portfolio. Review whether a connection is required and if so, ensure security is in place, such as firewalls, transmission encryption, and access management.
  • Implement network monitoring, event logging, alerting, and automated response solutions.
  • Review the potential cybersecurity gaps or flaws of emerging and new technology before implementing. Ensure that security controls have been independently reviewed and tested.
  • Establish incident response plans, train personnel, and review, test, or simulate these plans annually.
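The gap review described in the first consideration can start as a simple audit of the device inventory against the risk areas listed earlier. The following is an added example, not part of the original article; the record fields, the 180-day patch threshold, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Secured protocol variants named in the article.
SECURE_VARIANTS = {"BACnet/SC", "KNX Secure"}
MAX_PATCH_AGE_DAYS = 180  # assumed policy threshold, not from the article

@dataclass
class Device:
    name: str
    protocol: str              # e.g. "BACnet/IP", "BACnet/SC", "KNX Secure"
    transport: str             # "udp" or "tcp"
    internet_exposed: bool     # reachable from the public internet
    default_credentials: bool  # factory-set username/password unchanged
    last_patched: date
    remote_mfa: bool           # MFA enforced for vendor/remote access

def audit(device: Device, today: date) -> list[str]:
    """Return the findings for one device, in a fixed order."""
    findings = []
    if device.default_credentials:
        findings.append("factory-set credentials still in use")
    if device.protocol not in SECURE_VARIANTS:
        findings.append(f"{device.protocol} is not a secured protocol variant")
    if device.internet_exposed:
        kind = "UDP port" if device.transport == "udp" else "service"
        findings.append(f"{kind} reachable from the public internet")
    if (today - device.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch age exceeds policy")
    if not device.remote_mfa:
        findings.append("vendor/remote access without MFA")
    return findings

def audit_inventory(devices, today):
    """Map device name -> findings, omitting devices with none."""
    report = {d.name: audit(d, today) for d in devices}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (hypothetical devices).
INVENTORY = [
    Device("hvac-ctrl-01", "BACnet/IP", "udp", True, True, date(2022, 1, 10), False),
    Device("lighting-gw", "KNX Secure", "udp", False, False, date(2023, 5, 2), True),
    Device("lift-panel", "BACnet/SC", "tcp", False, False, date(2022, 9, 1), True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2023, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```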

Due to the rapidly changing technology environment, coupled with the growing use of BAS technologies, organisations should consult with their advisers during the design of a construction project using BAS systems to ensure that cybersecurity risk controls are identified and implemented. Property owners with BAS control systems already installed should review the current architecture, identify the potential risks to be mitigated, and create a roadmap to get there.