Security

Buildings Can Do Much More To Reduce Their Cyber Security Risk

The ultimate vision of mass hyper-connected smart buildings hosting hundreds of interconnected devices will not be possible without addressing a wide range of building specific cybersecurity issues. Each system, device, router, server, and gateway, including their multiple versions and iterations, introduces its own cyber security risk to the building. And, without strict segmentation, unauthorized access to any one of this broad range of vulnerabilities could expose the entire network. Buildings were not designed to evolve at this speed and new smart buildings will have to learn about cyber security quickly. “The smart buildings industry remains largely behind the curve in its understanding of the increasingly large attack surface that their systems represent. Facilities management teams generally still often lack the IT skills required to manage cyber security, poorly secured IoT devices still flood the market at attractive prices, and technology continues to increase in buildings despite cyber security concerns,” explains our latest research. “A holistic, multi-disciplinary defence […]

Stay ahead of the pack

with the latest independent smart building research and thought leadership.

Have an account? Login

Subscribe Now for just $200 per year per user (just $17 USD per month) for Access to Quality Independent Smart Building Research & Analysis!

What Exactly Do you Get?

  • Access to Website Articles and Notes. Unlimited Access to the Library of over 1,700 Articles Spanning 10 Years.
  • 10% discount on ALL Memoori Research reports for Subscribers! So if you only buy ONE report you will get your subscription fee back!
  • Industry-leading Analysis Every Week, Direct to your Inbox.
  • AND Cancel at any time
Subscribe Now

The ultimate vision of mass hyper-connected smart buildings hosting hundreds of interconnected devices will not be possible without addressing a wide range of building specific cybersecurity issues. Each system, device, router, server, and gateway, including their multiple versions and iterations, introduces its own cyber security risk to the building. And, without strict segmentation, unauthorized access to any one of this broad range of vulnerabilities could expose the entire network. Buildings were not designed to evolve at this speed and new smart buildings will have to learn about cyber security quickly.

“The smart buildings industry remains largely behind the curve in its understanding of the increasingly large attack surface that their systems represent. Facilities management teams generally still often lack the IT skills required to manage cyber security, poorly secured IoT devices still flood the market at attractive prices, and technology continues to increase in buildings despite cyber security concerns,” explains our latest research. “A holistic, multi-disciplinary defence approach will be required for each of the different elements that make up the smart building ecosystem to effectively mitigate the cyber threat.”

Building technology’s historical lack of focus on cyber security is best symbolized by previous iterations of open communication standards used for building automation. The likes of BACnetLonWorks, and KNX used to lack basic encryption, authentication, or integrity protection features as they were all designed to operate as part of closed networks. This situation has of course now been addressed with, for example, BACnet/SC.

“Due to the extended life cycles of many smart building solutions, the industry still has a considerable installed base of these legacy building automation systems and devices that remain riddled with security flaws and configuration issues,” reads our new cyber security study. “Legacy systems clearly pose significant cyber risks to building operations, sophisticated attackers are aware of the gaps in security created by legacy systems and are becoming more active in taking advantage of known vulnerabilities to disrupt operations and steal sensitive data.”

Modern IoT and building automation devices have also quickly gained a reputation for vulnerability to issues like injection and memory corruption due to poor coding practices which allow attackers to bypass their security features and gain full control of them. In addition, too many connected devices still ship with default usernames and password settings. Then, users also often fail to regularly change passwords, use the same passwords for multiple systems or choose simple easy-to-guess passwords. Many newer IoT devices are also being shipped with default settings that communicate over unencrypted protocols, opening them up to traffic sniffing and tampering of sensitive information.

“It should be noted that the fact that devices are exposed to a simple search on the internet should not necessarily be considered as the fault of the supplier or systems integrator responsible for their install, ultimately it is the responsibility of building staff and enterprise IT departments to ensure that their devices are safe from prying eyes,” says the report. “Ultimately, the networking of different building systems means that they are only as secure as the weakest device on the network. Therefore, to determine potential system vulnerabilities in a modern networked smart building, it is necessary to fully assess the range of systems, devices and networks that are connected to building automation and control systems.”

To conduct a comprehensive cyber risk evaluation of all of the devices on a particular network, a complete audit of all of the device and system connections is necessary. However, automated network scanning tools and technologies that are commonly deployed in IT environments to facilitate this audit process are ill-suited to OT environments like buildings. As smart building OT devices and systems often run on outdated legacy protocols, they are not equipped to respond to the kinds of messaging protocols used by IT scanning processes that report back on the device status, firmware, and so on. Indeed, such scanning approaches can be positively damaging for OT environments.

Publicly available IoT device search engines, such as ShodanBinaryEdge, or Censys, can be used to identify the scale of the threat and the sheer number of exposed devices. A 2019 study by Forescout Technologies aggregated data from searches on Shodan and Censys to discover that of the 22,902 devices discovered, 9,103 (39.3%) were vulnerable to zero-day attacks, with vulnerable devices including access control and HVAC controllers, as well as protocol gateways. For IP-connected cameras, Forescout’s research found a staggering 91.5% of which it found to be vulnerable to exploits. Checking installed devices on these search engines is a must for building managers but means they will then have to deal with the problems they find.

“It takes no cyber security knowledge or networks expertise to conduct a search on Shodan and other equivalent search engines, a wealth of data related to exposed devices including the IP address of the device, geographic location (including latitude and longitude coordinates), owner, service port header information, firmware details, and available protocols are readily available to anyone with two minutes of time to spare,” explains our new cyber security report. “All the information was obtained from publicly available sources, which means the information is available for anyone motivated enough to look for it.”

Most Popular Articles

Schneider Electric Smart Buildings 2023
Smart Buildings

Schneider Electric Smart Buildings Business & Financials 2023 Examined

In this Research Note, we examine the Smart Buildings business of Schneider Electric, based on their 2023 Full Year Results, presentations, Q3 and Q4 earnings calls. Significant partnerships, acquisitions and divestments in the smart buildings space are also highlighted throughout 2023. Schneider Electric Energy Management Division The Buildings end market of Schneider Electric is addressed […]

ABB Smart Buildings 2023
Smart Buildings

ABB Smart Buildings Business 2023 Examined

In this Research Note, we examine the Smart Buildings business of ABB, based on their February 2024 Factsheet and building automation portfolio, acquisitions, divestments and investments throughout 2023. This article updates our 2022 Examined article published in March 2023 and the Capital Markets Day update for Smart Buildings in December 2023. The Smart Buildings division, […]

UK Green Building Council Progress Report
Energy

“Our Industry is Not Moving Fast Enough” – UK Green Building Council

The United Kingdom (UK) is falling behind in its projected green building roadmap according to the UK’s Green Building Council’s (UKGBC) progress report. The initial 2021 roadmap demanded a 19% drop in emissions over the past four years but the latest data shows just a 13% fall, more than 30% short of the target reduction. […]

Subscribe to the Newsletter & get all our Articles & Research Delivered Straight to your Inbox.

Please enter a valid email

Please enter your name

Please enter company name

By signing up you agree to our privacy policy