Smart Buildings

The Very Real Cyber Security Threat in Smart Buildings

Next week, in Memoori’s Interactive Webinar, we will be joined by Billy Rios, one of the two men responsible for hacking into the Building Automation System at Google’s Australian headquarters back in 2013. The planned cyber assault was designed to test the internet giant’s resolve against malicious hacking; it also raises concerns over cyber security in our increasingly online and smart buildings. Despite Google's implementing a relatively high level of authentication, researchers Billy Rios and Terry McCorkle, from information security company Cylance, were able to bypass these restrictions easily, primarily because the system was not kept up to date. From here, Rios and McCorkle had full run of Google's Building Management System, and stated that they could have rooted the device. Rooting would provide the pair of researchers with access to a machine from which they could conduct further attacks. Google, however, disagreed with Cylance’s claim, a Google spokesperson announcing that the device accessed by […]

Stay ahead of the pack

with the latest independent smart building research and thought leadership.

Have an account? Login

Subscribe Now for just $200 per year per user (just $17 USD per month) for Access to Quality Independent Smart Building Research & Analysis!

What Exactly Do you Get?

  • Access to Website Articles and Notes. Unlimited Access to the Library of over 1,700 Articles Spanning 10 Years.
  • 10% discount on ALL Memoori Research reports for Subscribers! So if you only buy ONE report you will get your subscription fee back!
  • Industry-leading Analysis Every Week, Direct to your Inbox.
  • AND Cancel at any time
Subscribe Now

Next week, in Memoori’s Interactive Webinar, we will be joined by Billy Rios, one of the two men responsible for hacking into the Building Automation System at Google’s Australian headquarters back in 2013.

The planned cyber assault was designed to test the internet giant’s resolve against malicious hacking; it also raises concerns over cyber security in our increasingly online and smart buildings.

Cyber Security
Despite Google's implementing a relatively high level of authentication, researchers Billy Rios and Terry McCorkle, from information security company Cylance, were able to bypass these restrictions easily, primarily because the system was not kept up to date.

From here, Rios and McCorkle had full run of Google's Building Management System, and stated that they could have rooted the device. Rooting would provide the pair of researchers with access to a machine from which they could conduct further attacks. Google, however, disagreed with Cylance’s claim, a Google spokesperson announcing that the device accessed by the researchers was capable only of managing the air conditioning system and nothing more.

Rios and McCorkle chose not to root the device, but instead reported the issue to the company via its Vulnerability Rewards Program. However, Google stated the issue was not eligible for a reward. The official statement read “Google is grateful when researchers report their findings, and that it has taken appropriate action to resolve the issue”. According to Cylance, the system was then pulled offline.

As Memoori explored in an article last year, Google’s Australian headquarters uses a building management system that’s built using the Tridium Niagara AX platform.

Rios and McCorkle had previously contacted Tridium regarding a directory traversal vulnerability in July 2012, which could allow access to restricted files within the management system. The company quickly issued an alert to its customers to take precautionary steps.

Tridium then released a security patch to further address the issue in August, and noted in a security alert that a specific file, config.bog, could be a security risk if attackers were able to access it. A second patch against directory traversal was released in February this year.

The attack highlights the increasing vulnerability in our modern interconnected world. As the excitement and development continue in the Smart Building and Internet of Things (IoT) space, it leaves us vulnerable to attacks not only on our private information, but also on the built environment around us.

Do you have any questions for Billy Rios? Join us on Thursday, Mar 19, 4PM GMT for our interactive webinar entitled "Cyber Security in Smart Buildings - The Elephant in the Room!"

The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building Management Systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the Smart Grid.

The threat that such systems pose is twofold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and create safety risks.

Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.

The massive data theft at, US retail giant, Target for example, started with hackers finding their way into the firm’s network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In the Target example, the breach appears to have happened because the company did not properly segment its data network.

Such issues seem set to become more common as buildings management systems become increasingly intelligent and interconnected, suggested Hugh Boyes, cyber-security lead at the Institution of Engineering and Technology, a UK based professional organization promoting science and engineering.

"It creates some interesting challenges for enterprise IT" Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control".

Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation and consumer electronics industries don't have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products.

Cyber security has become second nature to Internet and IT companies, which is not to say they’ve mastered it, but that it has become a daily element in their businesses. Like power supply, or data processing capacity, the limitations created by cyber security represent the limitations on the product or service as a whole.

If building and automation firms want to enter this space, then surely they must place the highest regard to the dynamic world of cyber security, because the threats are all too real.

Do you have any questions for Billy Rios? Join us on Thursday, Mar 19, 4PM GMT for our interactive webinar entitled "Cyber Security in Smart Buildings - The Elephant in the Room!"

Most Popular Articles

Mobile Access Control Market Research
Security

What is the Key to Rapid Evolution in Access Control Technologies?

Until the late 20th century, people primarily relied on lock-and-key systems to control access in buildings. In the last 40 years, however, we have been introduced with new access control technologies that promise improved security and a range of features that elevate the occupant experience. From various versions of card and fob technology to QR […]

Napco AirAccess Access Control
Security

Napco Security Business & FY 2023 Financials Examined

In this Research Note, we examine NAPCO Security Technologies, Inc., a building security products manufacturer of alarms & connectivity, locking and access control solutions. This article focuses on NAPCO’s competitive strengths, fiscal 2023 financials, recurring service revenues and their long-term goals. The company has a significant security presence in commercial settings, with around 80% of […]

Energy

Siemens Buildings Business & FY 2023 Financials Examined

In this Research Note, we examine the Buildings business of Siemens, which operates within the Smart Infrastructure (SI) division, based on their Q4 earnings release and investor presentations of 16th November 2023. This article focuses on the latest financial results, revenue mix, recent Building X software/Xcelerator platform announcements and the outlook for FY 2024. Siemens […]

Subscribe to the Newsletter & get all our Articles & Research Delivered Straight to your Inbox.

Please enter a valid email

Please enter your name

Please enter company name

By signing up you agree to our privacy policy