According to Idan Udi Edry of Nation-E, the smart buildings industry has evolved past a dutiful attitude towards cyber-security, and instead displays “an attraction and curiosity” for the topic. “This year there was a change”, Edry says.
“For a quarter of a century the BAS industry has been working hard at delivering full connectivity across all the different building services. More recently with the introduction of IP Networked product across many of the services improved solutions have been made possible”, explains our recent report on the Transformation of BAS into the Building Internet of Things.
“With the advent of IoT we now have the capability to join “things” together more efficiently and cost effectively in a building. This technology can collect data from all the sensors and devices and with Big Data software, analyze all of this data and immediately optimise and fully automate the buildings performance”, continues the report.
However, this increased connectivity also brings about vulnerability to cyber-attack. With so many entry points to a building management system (BMS) in a modern smart building, it becomes crucial to build cyber-security into the system architecture from an early stage, in order to reduce the risk of attack.
If a cyber-attacker zeroes in on a BMS, “The target is not necessarily the building,” says Edry. The BMS may integrate facility access controls, surveillance, HVAC, lighting, power, elevators, fire safety, and even scheduling. Any of these elements could be the target of the attack, but any of them may also be the entry point for the attack; each of these systems is at a different level of smart development, and responsibility for each lies with a different department.
Edry’s bigger concern, therefore, is that OT and IT teams don’t work together and don’t spend enough time thinking about each other. Despite all the advancements in IT technology, for example, “OT still hasn’t changed,” he says. “Whether you bought your generator today or 10 years ago” (or longer) “the communication protocols are the same”. Everything still has a serial port, Edry says, and that creates a vulnerability that IT professionals might not think about.
Ethical hackers from IBM’s X-Force tested a smart buildings automation system and encountered numerous serious security issues. The researchers identified several security holes that provide hackers with a backdoor into corporate networks through the office’s climate control systems. “We did it old-school, just probing the firewall, finding a couple of flaws in the firmware”, said Chris Poulin, research strategist for IBM’s X-Force. “Once we had access to that, we had access to the management system of one building”.
It doesn’t matter how much you invest in securing your IT, Edry says. If you don’t also take into account the OT, you’re missing something, and leaving yourself vulnerable. So as a first step in a smart building cyber-security strategy, Edry advises mapping all the building’s assets, IT and OT alike, in one place. “There is always going to be a conflict between the IT and the engineering” departments. The direction must come from the top.
Cyber-security has become second nature to IT companies, which is not to say they’ve mastered it, but that it has become a daily element in their businesses. Like power supply, or data processing capacity, the limitations created by cyber-security represent the limitations on the product or service as a whole. The same needs to be true of OT in buildings, and these two elements need to work together, according to Billy Rios of Cylance, one of the two men responsible for finding flaws in the BAS at Google’s Australian headquarters back in 2013.
“The attack highlights the increasing vulnerability in our modern interconnected world. As the excitement and development continues in the Smart Building and IoT space, it leaves us vulnerable to attacks not only on our private information, but also on the built environment around us”, Rios explained in a Memoori Webinar last year.
The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. BMSs are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the Smart Grid. This highlights potential threats to entire cities and regions as connectivity expands beyond the smart building.
Edry says that a fundamental change of attitude is now beginning to happen. Because regulations and cyber insurance policies are now mandating certain protections on “critical assets”, including cyber-physical systems in smart buildings, OT engineers are now talking to their boards of directors about cyber-security. “Real change”, says Edry. “The strategy has changed.”