Almost 4 in 10 (37.8%) computers used to control smart building automation systems were subject to some kind of malicious attack in the first half of 2019. That’s according to the results of a study of smart building threats conducted by global cybersecurity firm Kaspersky. The study, which was released during the Kaspersky Industrial Cybersecurity 2019 event being held in Sochi, Russia, showed that while it is unclear if such systems were deliberately targeted, they are, one way or another, becoming a common destination for various generic threats.
"While these figures are relatively low in comparison to the wider threat landscape, their impact should not be underestimated," said Kirill Kruglov, security researcher at Kaspersky ICS CERT, in a press release to highlight the study.
"Imagine if credentials from a highly secured building are stolen by a generic piece of malware and then sold on the black market, or a sophisticated building's life support system is frozen because essential processes have been encrypted by yet another ransomware strain," Kruglov said. "The list of possible scenarios is endless."
The smart building is a broad and complex threat landscape with hundreds or thousands of digital endpoints, all connected to centralized systems that control critical services. Technology from numerous manufacturers, communicating through a variety of protocols, and often managed by people with limited cybersecurity experience, all further increase the risk of attack. For all the health, productivity, cost-saving, and environmental benefits of smart buildings, the greater connectivity they demand comes at a cost.
“More connectivity certainly means a greater potential vulnerability to attack,” David Emm, Principal Security Researcher with Kaspersky Labs’ Global Research & Analysis Team, told Memoori in a 2017 interview. “Thinking offline for a second, the more time you spend on the street, the bigger the opportunity to get mugged or knocked down on the road. It’s no different online, the more points of connection you have with the internet, the more of an attack surface you present. It’s not inevitable, however, if you’re wary and use pedestrian crossings, you can limit your exposure. It’s the same online,” he continued.
According to the H1 2019 research, of the 37.8% of protected smart building systems management computers that were targeted, more than 11% were attacked with variants of spyware - malware aimed at stealing account credentials and other valuable information. Worms were detected on 10.8% of workstations, while 7.8% received phishing scams and 4.2% encountered ransomware. For many of these attack types, we need to look beyond technical solutions and start considering some human security upgrades.
“I would be more concerned by the lack of awareness [rather than increasing connectivity]. We absorb road safety and city safety information from a young age, it’s almost intuitive. If you grow up in a city, you’re very aware of the dangers. It is not the same with connectivity. Most people think of their smartphone as a phone, not as the fully-fledged computer it is. There’s an attack surface but people don’t realize it’s there,” Emm told Memoori in the context of the BYOD (bring your own device) culture.
“In recent years I have been grappling with the BYOD trend, which offers excellent productivity benefits. BYOD could end up meaning bring your own vulnerability. Your device could be infected on your home network and then you walk straight into your office with it, putting your whole company at risk,” Emm continued. “I think we’re seeing the further end of de-perimeterization, as the Jericho Forum called it – I am the network wherever I happen to be, so if you want to secure the network you have to secure me.”
The majority of threats came from the internet, however, with 26% of infection attempts being web-borne. Removable media, including flash sticks and external hard drives, were responsible for only 10% of cases, the same percentage that faced threats from email links or attachments. Just 1.5% of smart building computers were found to have been attacked from sources within the organization network, such as shared folders.