The ultimate vision of mass hyper-connected smart buildings hosting hundreds of interconnected devices will not be possible without addressing a wide range of building-specific cyber security issues. Each system, device, router, server, and gateway, including their multiple versions and iterations, introduces its own cyber security risk to the building. Without strict segmentation, unauthorized access through any one of these components could expose the entire network. Buildings were not designed to evolve at this speed, and new smart buildings will have to learn about cyber security quickly.
“The smart buildings industry remains largely behind the curve in its understanding of the increasingly large attack surface that their systems represent. Facilities management teams generally still often lack the IT skills required to manage cyber security, poorly secured IoT devices still flood the market at attractive prices, and technology continues to increase in buildings despite cyber security concerns,” explains our latest research. “A holistic, multi-disciplinary defence approach will be required for each of the different elements that make up the smart building ecosystem to effectively mitigate the cyber threat.”
Building technology’s historical lack of focus on cyber security is best symbolized by previous iterations of open communication standards used for building automation. The likes of BACnet, LonWorks, and KNX used to lack basic encryption, authentication, or integrity protection features as they were all designed to operate as part of closed networks. This situation has of course now been addressed with, for example, BACnet/SC.
“Due to the extended life cycles of many smart building solutions, the industry still has a considerable installed base of these legacy building automation systems and devices that remain riddled with security flaws and configuration issues,” reads our new cyber security study. “Legacy systems clearly pose significant cyber risks to building operations; sophisticated attackers are aware of the gaps in security created by legacy systems and are becoming more active in taking advantage of known vulnerabilities to disrupt operations and steal sensitive data.”
Modern IoT and building automation devices have also quickly gained a reputation for vulnerability to issues like injection and memory corruption, the result of poor coding practices that allow attackers to bypass their security features and gain full control of them. In addition, too many connected devices still ship with default usernames and passwords. Users also often fail to change passwords regularly, reuse the same password across multiple systems, or choose simple, easy-to-guess passwords. Many newer IoT devices also ship with default settings that communicate over unencrypted protocols, opening them up to traffic sniffing and tampering with sensitive information.
“It should be noted that the fact that devices are exposed to a simple search on the internet should not necessarily be considered as the fault of the supplier or systems integrator responsible for their install; ultimately it is the responsibility of building staff and enterprise IT departments to ensure that their devices are safe from prying eyes,” says the report. “Ultimately, the networking of different building systems means that they are only as secure as the weakest device on the network. Therefore, to determine potential system vulnerabilities in a modern networked smart building, it is necessary to fully assess the range of systems, devices and networks that are connected to building automation and control systems.”
To conduct a comprehensive cyber risk evaluation of all of the devices on a particular network, a complete audit of all of the device and system connections is necessary. However, automated network scanning tools and technologies that are commonly deployed in IT environments to facilitate this audit process are ill-suited to OT environments like buildings. As smart building OT devices and systems often run on outdated legacy protocols, they are not equipped to respond to the kinds of messaging protocols used by IT scanning processes that report back on the device status, firmware, and so on. Indeed, such scanning approaches can be positively damaging for OT environments.
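A passive alternative to active scanning, sketched as an added example that is not from the report: it builds the connection inventory from flow records collected off a mirror port, flags services running over unencrypted building and management protocols, and reports traffic that crosses segment boundaries. The flow data, addresses and segment plan are constructed for illustration, and matching on default port numbers is a heuristic.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of passively collected flow records; addresses are hypothetical.
SAMPLE_FLOWS = """src,dst,proto,dport
10.20.1.15,10.20.1.2,udp,47808
10.20.1.15,10.20.1.2,tcp,23
10.30.4.7,10.20.1.2,udp,47808
10.20.2.40,10.20.2.1,udp,3671
10.30.4.7,10.30.4.1,tcp,443
"""

# Hypothetical segmentation plan: subnet -> segment name.
SEGMENTS = {"10.20.1.0/24": "hvac", "10.20.2.0/24": "lighting",
            "10.30.4.0/24": "office-it"}

# Default ports of services that send traffic unencrypted (heuristic match).
CLEARTEXT = {("udp", 47808): "BACnet/IP", ("udp", 3671): "KNXnet/IP",
             ("udp", 1628): "LonWorks/IP", ("tcp", 23): "Telnet",
             ("tcp", 80): "HTTP"}

def segment_of(ip):
    """Return the segment name for an address, or 'unknown' if unplanned."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"

def audit(flow_csv):
    """Return (inventory, findings) derived only from observed traffic."""
    inventory = defaultdict(set)   # serving device -> services seen on it
    findings = set()               # de-duplicated (kind, device, detail)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["proto"], int(row["dport"]))
        service = CLEARTEXT.get(key, f"{row['proto']}/{row['dport']}")
        inventory[row["dst"]].add(service)
        if key in CLEARTEXT:
            findings.add(("cleartext", row["dst"], service))
        src_seg, dst_seg = segment_of(row["src"]), segment_of(row["dst"])
        if src_seg != dst_seg:     # traffic crossing a segment boundary
            findings.add(("cross-segment", row["src"], f"{src_seg}->{dst_seg}"))
    return dict(inventory), sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS)[1]:
        print(*finding)
```

Because nothing is sent to the devices, this kind of audit only sees hosts that actually communicate during the capture window, so the collection period has to cover normal building operation.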
Publicly available IoT device search engines, such as Shodan, BinaryEdge, or Censys, can be used to identify the scale of the threat and the sheer number of exposed devices. A 2019 study by Forescout Technologies aggregated data from searches on Shodan and Censys and found that, of the 22,902 devices discovered, 9,103 (39.3%) were vulnerable to zero-day attacks, with vulnerable devices including access control and HVAC controllers, as well as protocol gateways. For IP-connected cameras, Forescout’s research found a staggering 91.5% to be vulnerable to exploits. Checking installed devices on these search engines is a must for building managers, but it means they will then have to deal with the problems they find.
“It takes no cyber security knowledge or networks expertise to conduct a search on Shodan and other equivalent search engines; a wealth of data related to exposed devices including the IP address of the device, geographic location (including latitude and longitude coordinates), owner, service port header information, firmware details, and available protocols are readily available to anyone with two minutes of time to spare,” explains our new cyber security report. “All the information was obtained from publicly available sources, which means the information is available for anyone motivated enough to look for it.”