Security

Buildings Can Do Much More To Reduce Their Cyber Security Risk

The ultimate vision of mass hyper-connected smart buildings hosting hundreds of interconnected devices will not be possible without addressing a wide range of building specific cybersecurity issues. Each system, device, router, server, and gateway, including their multiple versions and iterations, introduces its own cyber security risk to the building. And, without strict segmentation, unauthorized access to any one of this broad range of vulnerabilities could expose the entire network. Buildings were not designed to evolve at this speed and new smart buildings will have to learn about cyber security quickly. “The smart buildings industry remains largely behind the curve in its understanding of the increasingly large attack surface that their systems represent. Facilities management teams generally still often lack the IT skills required to manage cyber security, poorly secured IoT devices still flood the market at attractive prices, and technology continues to increase in buildings despite cyber security concerns,” explains our latest research. “A holistic, multi-disciplinary defence […]

Stay ahead of the pack

with the latest independent smart building research and thought leadership.

Have an account? Login

Subscribe Now for just $200 per year per user (just $17 USD per month) for Access to Quality Independent Smart Building Research & Analysis!

What Exactly Do you Get?

  • Access to Website Articles and Notes. Unlimited Access to the Library of over 1,700 Articles Spanning 10 Years.
  • 10% discount on ALL Memoori Research reports for Subscribers! So if you only buy ONE report you will get your subscription fee back!
  • Industry-leading Analysis Every Week, Direct to your Inbox.
  • AND Cancel at any time
Subscribe Now

The ultimate vision of mass hyper-connected smart buildings hosting hundreds of interconnected devices will not be possible without addressing a wide range of building specific cybersecurity issues. Each system, device, router, server, and gateway, including their multiple versions and iterations, introduces its own cyber security risk to the building. And, without strict segmentation, unauthorized access to any one of this broad range of vulnerabilities could expose the entire network. Buildings were not designed to evolve at this speed and new smart buildings will have to learn about cyber security quickly.

“The smart buildings industry remains largely behind the curve in its understanding of the increasingly large attack surface that their systems represent. Facilities management teams generally still often lack the IT skills required to manage cyber security, poorly secured IoT devices still flood the market at attractive prices, and technology continues to increase in buildings despite cyber security concerns,” explains our latest research. “A holistic, multi-disciplinary defence approach will be required for each of the different elements that make up the smart building ecosystem to effectively mitigate the cyber threat.”

Building technology’s historical lack of focus on cyber security is best symbolized by previous iterations of open communication standards used for building automation. The likes of BACnetLonWorks, and KNX used to lack basic encryption, authentication, or integrity protection features as they were all designed to operate as part of closed networks. This situation has of course now been addressed with, for example, BACnet/SC.

“Due to the extended life cycles of many smart building solutions, the industry still has a considerable installed base of these legacy building automation systems and devices that remain riddled with security flaws and configuration issues,” reads our new cyber security study. “Legacy systems clearly pose significant cyber risks to building operations, sophisticated attackers are aware of the gaps in security created by legacy systems and are becoming more active in taking advantage of known vulnerabilities to disrupt operations and steal sensitive data.”

Modern IoT and building automation devices have also quickly gained a reputation for vulnerability to issues like injection and memory corruption due to poor coding practices which allow attackers to bypass their security features and gain full control of them. In addition, too many connected devices still ship with default usernames and password settings. Then, users also often fail to regularly change passwords, use the same passwords for multiple systems or choose simple easy-to-guess passwords. Many newer IoT devices are also being shipped with default settings that communicate over unencrypted protocols, opening them up to traffic sniffing and tampering of sensitive information.

“It should be noted that the fact that devices are exposed to a simple search on the internet should not necessarily be considered as the fault of the supplier or systems integrator responsible for their install, ultimately it is the responsibility of building staff and enterprise IT departments to ensure that their devices are safe from prying eyes,” says the report. “Ultimately, the networking of different building systems means that they are only as secure as the weakest device on the network. Therefore, to determine potential system vulnerabilities in a modern networked smart building, it is necessary to fully assess the range of systems, devices and networks that are connected to building automation and control systems.”

To conduct a comprehensive cyber risk evaluation of all of the devices on a particular network, a complete audit of all of the device and system connections is necessary. However, automated network scanning tools and technologies that are commonly deployed in IT environments to facilitate this audit process are ill-suited to OT environments like buildings. As smart building OT devices and systems often run on outdated legacy protocols, they are not equipped to respond to the kinds of messaging protocols used by IT scanning processes that report back on the device status, firmware, and so on. Indeed, such scanning approaches can be positively damaging for OT environments.

Publicly available IoT device search engines, such as ShodanBinaryEdge, or Censys, can be used to identify the scale of the threat and the sheer number of exposed devices. A 2019 study by Forescout Technologies aggregated data from searches on Shodan and Censys to discover that of the 22,902 devices discovered, 9,103 (39.3%) were vulnerable to zero-day attacks, with vulnerable devices including access control and HVAC controllers, as well as protocol gateways. For IP-connected cameras, Forescout’s research found a staggering 91.5% of which it found to be vulnerable to exploits. Checking installed devices on these search engines is a must for building managers but means they will then have to deal with the problems they find.

“It takes no cyber security knowledge or networks expertise to conduct a search on Shodan and other equivalent search engines, a wealth of data related to exposed devices including the IP address of the device, geographic location (including latitude and longitude coordinates), owner, service port header information, firmware details, and available protocols are readily available to anyone with two minutes of time to spare,” explains our new cyber security report. “All the information was obtained from publicly available sources, which means the information is available for anyone motivated enough to look for it.”

Most Popular Articles

Axis Communications Financials 2023
Security

Axis Communications Video Surveillance Business & 2023 Financials Examined

In this Research Note, we examine the Axis Communications video surveillance business. This analysis is based on Canon’s 2023 Results Presentation 30 January 2024, Axis Communications 2023 Sustainability Report, 22 May 2024, and Memoori analysis. Founded in 1984 with headquarters in Lund, Sweden, Axis Communications offers products and services for video surveillance and analytics, access […]

Complimentary Article You Can't Design a Truly Smart Building Without Human Resources!
Smart Buildings

#Podcast 31: You Can’t Design a Truly Smart Building Without Human Resources!

In our Podcast series “Sh*t You Wish Your Building Did!”, Memoori explores the intersection between technology and commercial buildings through interesting conversations. For Episode 31, we were joined by Tomás Mac Eoin from Master Systems Integrator (MSI) Hereworks to Discuss their Swift HR Concept. The Swift HR concept envisions a cross-functional team, led by Human […]

Smart Building Startups Landscape 2024
Smart Buildings

Who Are the Smart Building Startups Gaining Traction in 2024?

While funding levels are a good measure of a startup’s potential, growth may be the best measure of a startup’s success. That is the focus of our latest research study, which identifies and explores the 100 smart building startups we believe have gained the most growth traction in the past year. The global smart buildings […]

Subscribe to the Newsletter & get all our Articles & Research Delivered Straight to your Inbox.

Please enter a valid email

Please enter your name

Please enter company name

By signing up you agree to our privacy policy