The pressure is growing on commercial buildings to become smarter. The continuing fight against climate change is driving stronger regulation on energy efficiency, demanding greener building systems governed by data from broad sensor networks. The gradual return to work after COVID lockdowns demands higher health and safety standards, which also drives buildings toward smart technology, as does the hybrid workplace: the flexible, analytics-driven, and seemingly inevitable future of the office. These factors, in addition to general productivity and cost-saving benefits, are making an increasing number of buildings smart, connected, and vulnerable to cyberattacks.
“IoT holds the promise of transformation, but it is a double-edged sword. The same technologies that are enabling organizations to maximize the benefits of IoT are exponentially increasing the security threat to the network’s integrity and placing valuable information at risk,” says Vishal Gupta, Global CTO & CIO, SVP Connected Technology at Lexmark. “With high-profile breaches making headlines, corporate America has come to realize that the operational and reputational damage caused by a breach is very real, and they must act fast in order to not be the next victim. To prevent cyberattacks, organizations must ensure they efficiently manage IoT devices, defend them from hackers, and protect critical information.”
Attacks can happen at the device level, where poorly secured connected devices can provide hackers with an easy route into the wider building system, and any connected device can be a threat. In 2018, hackers even utilized weaknesses in a connected fish tank thermometer to gain access to confidential information on high-rollers in a Las Vegas casino database. These devices can also be used as ammunition for an attack to shut down the system, through distributed denial of service (DDoS) attacks, such as the Mirai botnet in 2016, which used connected printers and cameras to take down many of the world’s most popular websites.
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” Salesforce head of security for global business service, Jeff Jarmoc, famously tweeted after the Mirai incident.
To tackle these hardware-layer attacks, smart buildings typically rely on cryptography to secure updates and to protect against software spoofing through verification. Strong cryptography can provide device protection; the challenge is ensuring all connected devices, however trivial, are kept to the same cryptographic standards. Even if all devices are protected, data still has to be transferred between those devices and the building’s analytical platforms, which creates another attack surface for hackers: wireless communication.
Wireless communication is an essential part of the smart building solution, offering installation and operational flexibility while also making investments more affordable and less disruptive for buildings. Most wireless protocols, such as Bluetooth Low Energy or Zigbee, include some form of built-in encryption, but they are also known to have vulnerabilities. Encryption can also be added at the application layer for an extra layer of device security, but as technology continues to advance and the cyber-criminal landscape widens, hardware and communications technology will remain a concern for smart buildings.
The fundamental issue with cybersecurity is that it is basically impossible to be 100% secure. In order to deal with this issue, the most progressive smart buildings apply network segmentation approaches. This architectural method creates more granular network segments for different departments and user types. Digital access control and authentication can then be used to limit risk and manage infiltrations. While segmentation does not directly help prevent an external attack, it does reduce the risk of that attack spreading to more critical parts of the system. This pragmatic approach has become a necessary addition to the range of holistic cybersecurity solutions entering the market.
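As an added illustration of the segmentation argument above (not code from any vendor named in this article), the following Python script audits an allow-list of inter-segment flows and reports which critical segments a compromised sensor segment could reach by chaining allowed flows. The segment names and flows are constructed for the example.

```python
from collections import deque

# Constructed example data: segment names and flows are illustrative only.
SEGMENTS = ["guest_wifi", "iot_sensors", "analytics", "corporate_it",
            "bms_controllers", "access_control"]
CRITICAL = {"bms_controllers", "access_control"}

# Flat network: every segment can open connections to every other one.
FLAT = {(a, b) for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented, default-deny: only the listed (source, destination) flows exist.
SEGMENTED = {
    ("iot_sensors", "analytics"),        # sensors push telemetry
    ("corporate_it", "analytics"),       # staff view dashboards
    ("analytics", "bms_controllers"),    # platform writes setpoints
    ("corporate_it", "access_control"),  # badge administration
}

# Same policy with the analytics-to-controller write path removed.
TIGHTENED = SEGMENTED - {("analytics", "bms_controllers")}


def shortest_paths(policy, start):
    """Breadth-first search over allowed flows.

    Returns {segment: [start, ..., segment]} for every segment an intruder
    in `start` could reach by chaining allowed flows, start included.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst in sorted(policy):
            if src == here and dst not in paths:
                paths[dst] = paths[here] + [dst]
                queue.append(dst)
    return paths


def critical_exposure(policy, start, critical=CRITICAL):
    """Critical segments reachable from `start`, with the path that gets there."""
    paths = shortest_paths(policy, start)
    return {seg: paths[seg] for seg in sorted(critical) if seg in paths and seg != start}


if __name__ == "__main__":
    for name, policy in [("flat", FLAT), ("segmented", SEGMENTED), ("tightened", TIGHTENED)]:
        print(name, critical_exposure(policy, "iot_sensors"))
```

The segmented policy still exposes the controllers through a two-hop path via the analytics segment, which is why an audit of this kind has to follow chains of allowed flows rather than check direct rules only.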
On the 23rd of June, building automation giant Johnson Controls announced the acquisition of cybersecurity provider Tempered Networks with the aim of developing its holistic view of smart building cybersecurity. Tempered Networks’ Airwall technology uses the Host Identity Protocol and a cloud-based policy orchestration platform to create new overlay networks built on encrypted and authenticated communication. The system’s policy manager defaults to “zero trust” and can enforce configured digital policies within the cloaked overlay system, allowing data to flow only through an encrypted tunnel between continuously authenticated and authorized entities.
"When it comes to buildings, we must create easily implementable cybersecurity defenses as we're often dealing with critical infrastructure, including assets such as data centers and hospitals," said Vijay Sankaran, vice president and chief technology officer, Johnson Controls. "Tempered Networks Airwall approach is purpose-built for our sector as it's designed around principles of zero trust, securing device communications as data moves between devices and the cloud – so enabling remote building optimization in the most trusted way possible."
The acquisition of Tempered Networks builds on the previously announced selection of the company as a core component of Johnson Controls’ OpenBlue platform and services. The integration of Tempered Networks' security technology further builds on other recent acquisitions, including edge AI provider Foghorn, and complements the firm’s digital trust partnerships with Pelion and DigiCert. Johnson Controls is not the only major building automation company stepping up its cybersecurity game through relationships with specialized security providers.
Schneider Electric announced the launch of its Cybersecurity Solutions for Buildings, co-developed with cyber-physical systems security company Claroty. The new offering provides an automated asset discovery and network mapping solution that identifies and catalogs all system assets, including BMS, IoT, UPS, and various power systems. It promises continuous threat detection by constantly monitoring building networks to identify, assess, and alert at the earliest indicators of network and asset level anomalies. And, like Johnson Controls, the system creates secure tunnels to connect to and maintain specific resources and assets in the building network easily and without introducing additional risk.
“The integration of IoT in buildings is sparking an exciting shift across the sector, but like with any innovation, it also presents new risks,” said Annick Villeneuve, Vice President Digital Enterprise Solutions, Schneider Electric. “For threat actors looking to disrupt operations, benefit financially and/or achieve other objectives, and in so doing to put individuals at risk, buildings can appear to be the perfect target. It is with this in mind that we are partnering with Claroty to bring our customers a comprehensive, industry-leading solution that meets the unique security and operational risks facing buildings of today and of the future.”
The pressure is growing on commercial buildings to become smarter, but in the rush to seize return-to-work opportunities and keep up with regulations, many buildings are getting connected without adequate cybersecurity. The situation is primed for a huge rise in cyberattacks against buildings as criminals gradually develop the best ways to infiltrate and/or monetize smart building attacks. Emerging solutions represent the resistance, however, utilizing holistic and pragmatic approaches to not just reduce the risk of attack but to accept the inevitability of attack and reduce its impact. This holistic pragmatism may be the most sustainable approach to the never-ending issue of cybersecurity in smart buildings.