A growing number of buildings today feature smart technologies in their design and operations. Using an array of sensors and Internet of Things (IoT) technology, these buildings offer tremendous convenience to tenants and landlords, but they also present significant security concerns.
Smart buildings run IoT-based Building Management Systems (BMS) that control lighting, power, HVAC, security cameras, fire safety and even parking. These systems are connected to the network to increase convenience and reduce operating and facility management costs.
But IoT devices also create significant risk exposure and make smart buildings harder to defend against cyber attacks. According to one estimate, 20% of smart buildings will suffer some form of digital vandalism by the end of 2018 [1].
Most IoT devices and sensors have little or no security built in, use non-standard communication protocols and run old, unpatched software. This makes them hard to maintain and secure: they are exposed to malicious activity that is much harder to detect than it would be on a managed workstation or server.
Attackers scan for exactly these weaknesses to get onto the network, and once inside they can steal valuable data or take control of a facility. If a criminal compromises the building automation system (BAS), they could stop the passenger lifts, view the CCTV feeds, and cut power to all or part of the building. Multiplied across the thousands of IoT-enabled sensors and devices in a smart building, the impact of such attacks poses a significant risk for security practitioners everywhere.
If they go on to penetrate the information systems and servers that sit on the BAS network, they can recruit those machines into botnets for launching distributed denial-of-service (DDoS) attacks on other systems. An intrusion into a government or financial institution's BAS could use an IoT gateway as the foothold into the entire IT network, compromising personal information such as bank account details or medical records.
The most common IoT-led smart building exploits involve conscripting vulnerable IoT devices into botnets, or using a weak IoT device as the entry point for a ransomware attack. These are not usually aimed at stealing data.
But at a recent security conference, research firm Senrio demonstrated a simple yet effective lateral movement attack [2] against publicly exposed IoT devices in a smart office building. The attack gave the researchers an unmonitored path to file servers on the corporate network.
In the Senrio demonstration, the researchers exploited two vulnerabilities, one in an IP camera and the other in a router. They used a then-unpatched bug known as Devil's Ivy to force a factory reset on the camera and so gain root access to it. From there it was straightforward to reach the connected router and compromise it, using a widely available password-hash cracking tool to recover the router's credentials.
With those credentials, the researchers altered the router's network rules and then broke into a network attached storage (NAS) device, from which they pulled employee names, Social Security numbers, salaries and corporate financial data.
Although the IP camera was segmented off from the rest of the network, the researchers were able to relay instructions through the camera to the router, which then requested data from the NAS on their behalf. The NAS, treating these as ordinary network requests, served up the corporate data, and the router funnelled it out through an unused network tunnel to the attacker's waiting machine. The lesson for practitioners is that segmentation which still lets a compromised device reach the gateway joining the segments is no barrier at all: the gateway itself becomes the pivot.
As the Senrio example shows, keeping employees, corporate data and clients safe is now a high priority for property and building managers, who used to worry only about intruders breaking into the premises.
A well-planned, daisy-chained lateral attack through readily available IoT devices and sensors could expose a smart building's data stores, servers, and employee and customer information to malware, identity and data theft, botnets and other attackers.
But there is much your organisation can do to mitigate an IoT-led attack:
● Deploy automated threat response so that containing an incident takes seconds rather than months.
● Limit network access to the users and corporate devices that genuinely need it, and micro-segment the network so that a compromised device or account cannot reach beyond its own segment.
● Increase visibility with centralised viewing and granular control over which devices may connect to the network and whether they meet the minimum connection and security requirements. Keep a complete record of every action taken by each endpoint to speed up security reviews.
● Authenticate every device each time it connects or reconnects to the network, to defeat spoofing. For IoT devices that cannot be secured, put controls in place to cut their access automatically when suspicious activity is detected on that device.
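The Senrio chain above (camera reaches router, router reaches NAS, NAS reaches the internet) is exactly the kind of cross-segment traffic that a default-deny, zone-based allow-list would have refused and that centralised visibility should have flagged. The following is an added example, not code from the original article or from Senrio: a small policy evaluator that maps addresses to zones, permits only explicitly listed (source zone, destination zone, port) combinations, and names the devices that should be quarantined. The zone ranges, the allow-list, the device addresses and the flow records are all constructed for illustration.

```python
"""Zone-based allow-list check over flow records, with a quarantine decision.

Added example (not from the article or Senrio). Zones, ports and flows are
constructed to mirror the camera -> router -> NAS -> internet chain.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segmentation: one zone per device class.
ZONES = {
    "cameras": ip_network("10.20.0.0/24"),
    "bms":     ip_network("10.30.0.0/24"),
    "corp":    ip_network("10.10.0.0/24"),
    "storage": ip_network("10.40.0.0/24"),
    "mgmt":    ip_network("10.0.0.0/24"),
}

# Explicit allow-list of (src_zone, dst_zone, dst_port). Everything else is denied,
# including camera -> mgmt on anything but NTP and any flow to/from "external".
ALLOWED = {
    ("corp",    "storage", 445),   # workstations reach the NAS over SMB
    ("corp",    "cameras", 554),   # NVR/workstations pull RTSP from cameras
    ("mgmt",    "cameras", 443),   # admin UI, from the management host only
    ("mgmt",    "storage", 22),
    ("cameras", "mgmt",    123),   # cameras only ever initiate NTP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    allowed: bool
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the building ranges is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> Verdict:
    """Default-deny: a flow is allowed only if its zone pair and port are listed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = f"{src_zone}->{dst_zone}:{flow.dst_port}"
    if (src_zone, dst_zone, flow.dst_port) in ALLOWED:
        return Verdict(flow, True, f"{key} permitted")
    return Verdict(flow, False, f"{key} not on allow-list")


def quarantine_candidates(flows, threshold=1):
    """Source addresses with at least `threshold` denied flows.

    In a real deployment this set would be handed to the NAC or switch API that
    moves the offending port into a quarantine VLAN; here we return the decision.
    """
    denied = Counter(v.flow.src for v in map(evaluate, flows) if not v.allowed)
    return {ip for ip, n in denied.items() if n >= threshold}


# Constructed flow records modelled on the lateral chain described in the article.
SAMPLE_FLOWS = [
    Flow("10.10.0.5",  "10.40.0.10",  445,    12_000),  # workstation to NAS: normal
    Flow("10.20.0.7",  "10.0.0.1",    123,        76),  # camera NTP: normal
    Flow("10.20.0.7",  "10.0.0.1",     80,     5_400),  # camera to router web UI: lateral step
    Flow("10.20.0.7",  "10.40.0.10",  445,    90_000),  # camera to NAS over SMB: lateral step
    Flow("10.40.0.10", "203.0.113.9", 443, 8_000_000),  # NAS to the internet: exfiltration
]

if __name__ == "__main__":
    for v in map(evaluate, SAMPLE_FLOWS):
        print("ALLOW" if v.allowed else "DENY ", v.reason)
    print("quarantine:", sorted(quarantine_candidates(SAMPLE_FLOWS)))
```

Two of the three lateral steps are caught by the zone rule alone, before any signature or payload inspection, and the NAS itself is flagged when it starts talking to an address outside every zone. Raising `threshold` trades faster containment for fewer false positives; the camera still trips at `threshold=2` because it broke policy twice.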
Ultimately, the best protection for a smart building against an IoT-led attack is cyber resilience throughout the facility. Facilities managers should work closely with an IoT security firm to identify the gaps and risks in their BMS/BAS platforms. A reliable IoT security firm or managed security services provider is one with the expertise and training to identify programming, connectivity and other cyber-threat risks, and to secure a smart building like a fortress.
If you wish to learn more about our IoT security capabilities, come and talk to us at GovWare 2018 (18 - 20 September) in Singapore. Register for a free trade visitor pass, or contact us for a chat.
[1] Memoori, Cyber Security in Smart Commercial Buildings 2017 to 2021, https://www.memoori.com/portfolio/cyber-security-smart-commercial-buildings-2017-2021/
[2] Senrio, https://blog.senr.io/blog/rsa-2018-how-to-daisy-chain-vulnerable-iot-devices-to-hack-a-storage-device