Tuesday, December 6, 2022

Hidden Cybersecurity Challenges of Smart Buildings

Reports of BAS cyberattacks are considered rare, as of now. However, smart buildings have serious potential to be a ransomware target.

In October 2021, a rare form of cyberattack took place on building automation system (BAS) devices at an office building in Germany. Unauthorized access to a building automation engineering firm’s BAS locked the owners out of the system and rendered three-quarters of the several hundred BAS devices in the building nonoperational, affecting the lighting, motion detectors, window shutter controllers and more. There was no ransomware demand, and no digital footprints were left behind.

The office building’s BAS devices were restored after weeks of falling back on manual controls, with no other damage reported. But cyberattacks on smart buildings have the potential to wreak far greater havoc, and even cause loss of life, because many BASs also connect to security and alarm systems, elevator operations and fire safety systems.

Similar cyberattacks on BASs based on KNX technology (a building automation standard commonly used in Europe) have been reported to Limes Security, the industrial control system (ICS) security firm that recovered and restored the compromised BAS.[1] However, many cyberattacks on smart buildings may go unreported. As shared by David Olive, Founder and Principal of Catalyst Partners, government officials at the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have repeatedly acknowledged the reluctance of individuals, businesses and even cities to disclose cyberattacks when they happen. This reluctance often stems from the difficulty of understanding the type, technical impact and cause of the attack, and from concerns about legal liability exposure when the ability to mitigate customer disruption and potential litigation is too uncertain.

Again, reports of BAS cyberattacks are considered rare, as of now. However, smart buildings have serious potential to be a ransomware target. Smart buildings bridge cyber and physical security, and the connectivity that brings so many benefits also brings the potential for catastrophic damage.

Olive pointed to the relatively small cost to attackers in return for the ransom amounts they seek, especially when it comes to critical infrastructure owners and operators. In June 2021, CISA published a fact sheet on the growing ransomware threat to operational technology (OT) for critical infrastructure owners and operators. There was a 150 percent increase in ransomware attacks in 2020 compared to 2019, and ransomware payouts rose even further, by 300 percent.[2]

As with many critical infrastructure sectors, the threat of ransomware is also growing as a significant concern in the Commercial Facilities Sector. The Real Estate Information Sharing and Analysis Center (RE-ISAC), overseen by The Real Estate Roundtable, is a public-private partnership between the U.S. Commercial Facilities Sector and Department of Homeland Security (DHS) officials that disseminates information about potential physical and cyber security threats and vulnerabilities to the Commercial Facilities Sector specifically.

However, while the RE-ISAC, as well as other organizations and federal agencies such as the National Institute of Standards and Technology (NIST), does issue best practices and security recommendations for cyber risk management, it ultimately falls to the smart-building stakeholders involved to designate who is responsible for implementing security recommendations and maintaining the quality of the system over the lifetime of the building.

In this particular cyberattack on the BAS of an office building in Germany, the hackers infiltrated the BAS through an unsecured port, a vulnerability that could easily have been mitigated. The KNX Association has long warned against leaving ports open in its security recommendations for customers.

This highlights an often-overlooked challenge in securing smart buildings. Scott Tousley, former Deputy Director of the Cyber Security Division at DHS Science and Technology, noted that alongside the technical challenge of securing BASs lies a second challenge: governance gaps and confusion. Who bears the responsibility for managing the cybersecurity and maintenance of BASs in smart buildings? Aside from larger skyscrapers, many buildings are not operated as active enterprises and are not well prepared or equipped to properly secure these more complex systems.

Facilities management staff and IT personnel are often unfamiliar with each other’s field of expertise, yet knowledge of both is essential to adequately secure smart buildings. A study by Phobos Group reported that more than 38,000 BASs in the United States were exposed on the internet – without even a default password. Other statistics shared by security companies are just as concerning: one audit revealed that nearly 60 percent of BAS customers did not have a firewall installed.[3] This absence of the most basic cybersecurity measures for BASs is beyond troubling.

As emphasized by Tousley, upholding quality levels in smart buildings will require decades of maintenance, and sustaining quality operations over the lifetime of the building will be a real challenge. Believe it or not, some of the legacy IT systems still used by government agencies and commercial entities date back to the 1980s or even earlier. The numerous problems associated with such outdated systems include billions of wasted dollars, system outages, malfunctions and defects, and critical vulnerabilities to cyberattacks resulting in data breaches and ransomware attacks.[4]

As reported in Forbes, critical vulnerabilities exist within IT, OT and ICS supply chains, and there are many entry points and vulnerabilities in legacy OT systems.[5] Beyond disrupting building operations, OT systems are also targeted as an entry point for compromising corporate IT systems and breaching their data. An early known case was the Target store hack in 2013, when hackers used the HVAC vendor as an entry point to steal over 40 million customers’ payment card information. Another example reads like a blend of a Mr. Robot TV episode and the Ocean’s Eleven movie: in 2017, hackers infiltrated a casino’s mainframe and stole 10 gigabytes of data via the sensors of an Internet-connected fish tank.

Fortunately, as of now, reported cyberattacks on BASs have not resulted in loss of life or significant physical damage. But the escalating threats to smart buildings may not always be “just” data breaches or ransomware demands for payment in exchange for restoring data. Unfortunately, as history has shown us, it often takes a catastrophe to trigger action. Hopefully, smart-building stakeholders will act now to implement proper cybersecurity measures before a tragic cyber incident occurs.


[1] See Kelly Jackson Higgins, https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems

[2] See Richard Tracy, https://www.forbes.com/sites/forbestechcouncil/2021/07/20/turning-up-the-heat-a-ransomware-attack-on-critical-infrastructure-is-a-nightmare-scenario/

[3] See William Hughes, https://facilityexecutive.com/2021/05/cybersecurity-concerns-continue-for-building-systems/

[4] See Robert N. Charette, https://spectrum.ieee.org/inside-hidden-world-legacy-it-systems

[5] See Chuck Brooks, https://www.forbes.com/sites/chuckbrooks/2021/04/12/3-key-cybersecurity-trends-to-know-for-2021-and-on-/

Amy Mintz
Amy Mintz is a Ph.D. Candidate in Counterterrorism at Capitol Technology University. She is an NCAE-C PhD Scholar and her doctoral research is focused on ways to contribute to the cyber forensics domain by applying counterterrorism techniques to mitigate challenges of protecting critical infrastructure in smart cities. More information about her dissertation research can be seen at SmartCity360.info with featured SMEs who are leading experts from the public and private sector, including the Department of Homeland Security and local government. Her academic background includes an M.S. in Digital Forensics and Graduate Studies in Cybersecurity Policy, and Curriculum and Instruction. Mintz directs, supervises and oversees all operations and affairs of the 501(c)3 nonprofit organization, eGirl Power, that she founded over ten years ago to educate and support the youth through signature events and programs, which have earned endorsements and testimonials from leading experts in the nonprofit and education sectors, and have been featured in numerous publications including USA Today, the Official Harvard Site of Multiple Intelligences, and Philanthropy Journal. In addition, she also oversees the partnership between the Center for Public Safety for Women (CPSW) and her 501(c)3 nonprofit organization for the #StopGBV Initiative to educate and raise awareness of issues related to Gender-Based Violence.
