Smart buildings and IoT sensors and devices have revolutionized the traditional way of living. Smart building benefits like energy efficiency, cost reduction and improved tenant comfort and security have spurred increased demand worldwide — with the number of smart buildings expected to increase 9.9 percent by 2028.
Today’s smart buildings rely on hundreds to thousands of IoT sensors and computers connected to local servers and the internet to automate functionalities like controlling lighting, climate and elevators, as well as fire detection, video surveillance and badge access. These sensors, used in conjunction with a Building Automation System (BAS), provide a mountain of valuable insights and actionable data about building condition and performance. Yet, they often lack basic cybersecurity features, making them prone to cyberattacks. For example, BACnet, the data communication protocol for HVAC control, is deployed in an unencrypted format, making it vulnerable to exploitation by attackers.
In addition, BAS systems are typically managed by engineers and building management firms, not IT departments or security firms. That can be problematic — especially if the BAS system is hacked.
Weaponization of IoT devices
Every IoT sensor has a unique IP address, enabling it to communicate and exchange data with other machines and serving as a potential access point for hackers to exploit. With the soaring number of IoT devices and converged operational technology (OT), an organization’s entry points have increased exponentially and its attack surfaces are especially vulnerable to malicious cyber threat actors. With a single compromised IoT device, an attacker can gain access to a corporate network and possibly the entire IoT/OT network.
With a foothold in the network, cybercriminals can wreak havoc by disabling a building’s critical services, such as turning off the water, setting off fire alarms or keeping a hotel from issuing keycards to guests upon arrival, as in the Romantik Seehotel Jägerwirt cyberattack.
While the Romantik Seehotel Jägerwirt cyberattack focused more on earning cash through ransomware, it shows the capabilities that cybercriminals maintain. On a more severe scale, these threat actors could weaponize the multitude of compromised IoT devices as botnets to launch brute force distributed denial of service attacks against the organization’s own infrastructure, causing it to lose access to critical systems, or to steal confidential data. Armed with malware, the “enslaved” botnets could also be commanded to launch massive attacks on other organizations. One of the largest DDoS attacks involved a network of botnets composed of compromised IoT devices that included CCTV cameras and personal video recorders.
Fighting back and keeping IoT devices secure
The proliferation of IoT devices could open the floodgates for cyberattacks threatening the security of smart buildings. A recent report indicated that in 2019 nearly 40 percent of 40,000 smart buildings were impacted by a cyberattack. With that in mind, it’s critical that organizations get ahead of the onslaught of threats by implementing security best practices including:
Strong password policies: It can’t be stated enough that one of the easiest ways for attackers to compromise an IoT device is through its weak, guessable or default passwords. In fact, 70% of IoT devices are still using the factory-set default passwords. Having strong password policies that require long and unique passwords helps prevent cyberattacks.
Robust patch management: The biggest security hurdle with IoT devices is the inability to easily upgrade or patch them. Most IoT devices are too critical to stop operations for software updates. Developing policies that define processes for different types of upgrades, from bug fixes to new releases to emergency updates, will help make your IoT update process more robust.
Segment your network: Organizations can minimize the impact of an IoT attack from spreading to other parts of the network by separating out critical systems, such as BAS systems, from the rest of the network.
Most of the attacks on smart buildings were due to malicious actors attempting to compromise computers controlling the BAS. To secure the BAS system, organizations should hide the BAS system from the rest of the network and the internet. If an IoT device is compromised, hackers will not be able to access the BAS system and other critical systems in the network.
These efforts go a long way in helping prevent unauthorized access to devices, networks and data.
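The segmentation advice above can be checked against real traffic. The following is an added example, not code from the article: it audits flow records for anything entering the BAS segment from another segment, and calls out unencrypted BACnet/IP (standard UDP port 47808) crossing that boundary. The address plan, the allow-list and the flow record layout are hypothetical assumptions.

```python
import ipaddress

# Assumed address plan (hypothetical, not from the article).
SEGMENTS = {
    "bas": ipaddress.ip_network("10.20.0.0/24"),   # BAS controllers and servers
    "iot": ipaddress.ip_network("10.30.0.0/16"),   # sensors, cameras, badge readers
    "corp": ipaddress.ip_network("10.10.0.0/16"),  # office IT
}
BACNET_IP_PORT = 47808  # standard BACnet/IP UDP port (0xBAC0)
# Flows permitted into the BAS segment: (source segment, protocol, dest port).
# Assumed policy: engineers reach the BAS web console over HTTPS from corp only.
ALLOWED_INTO_BAS = {("corp", "tcp", 443)}

def segment_of(addr):
    """Map an IP address to its segment name, or 'external' if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def audit(flows):
    """Return (src, dst, src_segment, reason) for each flow that breaks segmentation."""
    findings = []
    for src, dst, proto, dport in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if dst_seg != "bas" or src_seg == "bas":
            continue  # only flows crossing into the BAS segment matter here
        if (src_seg, proto, dport) in ALLOWED_INTO_BAS:
            continue
        if (proto, dport) == ("udp", BACNET_IP_PORT):
            reason = "cleartext BACnet/IP crossing the segment boundary"
        else:
            reason = "flow into BAS not on the allow-list"
        findings.append((src, dst, src_seg, reason))
    return findings

# Constructed sample flow records: (src, dst, protocol, dest port).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.9", "udp", 47808),   # BAS-internal BACnet, expected
    ("10.10.4.7", "10.20.0.2", "tcp", 443),     # allowed engineer access
    ("10.30.8.15", "10.20.0.9", "udp", 47808),  # IoT device speaking BACnet to a controller
    ("203.0.113.50", "10.20.0.2", "tcp", 443),  # internet host reaching the BAS console
    ("10.30.8.15", "10.10.1.1", "tcp", 445),    # not into BAS, outside this check
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Any finding means the BAS is not actually hidden from that segment, whatever the network diagram says.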