
Is Cyber Security in Smart Buildings being taken Seriously Enough in the IoT Age?


In a Memoori Webinar in March, Laconicly's Billy Rios spoke extensively on the topic of cyber security in the rapidly evolving smart building sector.

Last week the cyber security firm released a white paper highlighting the vulnerability of building automation systems (BAS) to cyber attacks.


On January 14th, 2015, Laconicly discovered a total of 64,003 IP addresses pointing to a device or system that supports a BAS deployment. Of the 64,003 IP addresses discovered, 41,308 IP addresses could be reached and were considered live on the Internet.

19,583 of the 41,308 (47%) devices that were accessible via the Internet offer one or more interfaces (excluding login pages and static content) that are accessible without any authentication. These exposures do not even require a username to be provided. 7,282 devices (25%) provided enough identifying information to associate the device with a specific industry or a specific organisation.

Attackers infiltrating such systems could potentially gain access to control systems for HVAC, lighting and even security systems. Such access, in the wrong hands, could lead to significant disruption and could potentially aid physical security breaches, leading Laconicly and other firms to question whether BAS security is being taken seriously enough in the Internet of Things (IoT) age. Our extensive research into The Internet of Things in Smart Buildings 2014 to 2020 clearly shows how the industry is redefining itself using IoT technology.

Traditionally, building systems, including BAS, have been protected partially through obscurity and largely through physical protection. Gaining access to a building control system to enable or disable systems, or even to change set points, used to require access to the building and entry to mechanical and electrical rooms, which are typically secured.

However, as we have moved toward network-enabled control systems, it is now possible to access these systems through the building network or even remotely through the Internet. At the same time, the systems have become steadily less obscure.

Older, proprietary BAS systems could only be accessed through a desktop computer application. This was typically located in a secured area and was protected by user name and password. As we have moved to open systems, including those that utilize BACnet, LonTalk, and Tridium Niagara, it has become possible to access the systems using tools other than a workstation, leading to more paths for potential breaches.

In fact, one of the goals of an open protocol control system is to make communications easy, which in turn can make these systems potential targets for attacks. Cyber security experts, such as those at Laconicly, have long been aware of this potential vulnerability, but recent developments are leading to a broader awareness of the issue.


There is work going on within the industry to better protect systems, including changes to the open protocol standards, software patches and improvements from suppliers, and new products coming on the market intended to provide added protection. However, greater attention must be paid by BAS integrators and building owners to ensure such security protocols are actually present and active.

“System integration is a critical component for deploying, operating, and maintaining a robust BAS deployment. Integrators play a critical role in selecting technologies, commissioning deployments, configuring devices, operating complex systems, troubleshooting issues, and maintaining automation systems. Given the enormous operational responsibilities placed on BAS integrators, many cyber security responsibilities will fall squarely on the integrators' shoulders”, the report outlines.

Building Automation Systems are generally too complex for most end users to take a leading role in protecting their buildings from cyber attack, but greater attention on the potential threat would put pressure on integrators to provide such security.

Laconicly’s report suggested that “in most cases, the end user organization had no idea their facilities were online and Internet facing within a commercial ISP IP address space”.

As building automation evolves within an IoT environment, more emphasis must be placed on educating end users on the vulnerability of their systems. In parallel, greater responsibility must be placed on the integrator for failing to secure systems, either through physical network connection or layers of virtual protection, or both.

Billy Rios and the Laconicly team provide detailed guidance for end users to address security concerns with their BAS integrators, suggesting that pressure from user to integrator will lead to vital security reform. “Given the critical nature of the work integrators are responsible for, it is important to verify that the integrator isn't putting your business at unnecessary risk. In these circumstances, the age-old advice applies: Trust, but verify”.
