Smart buildings security: Who’s in charge?

Now that the Internet of Things has become an accepted reality and the security community has realized that it has to get involved in securing it, days without news about the insecurity of this or that Smart Thing are few and far between.

Hacking a building automation system

One of the latest attempts to shine a light on the problem was a recently published report by the IBM X-Force Ethical Hacking Team. The document detailed the team’s successful attempt to penetrate a building automation system (BAS) that controlled sensors and thermostats in a commercial office, and to ultimately access the central BAS server that controls building automation in this and several other locations.


They found that basic hacking techniques were quite enough to perform this type of attack, and were surprised about the number of security issues they encountered and were able to exploit: software security vulnerabilities, poor password practices, exposed router administration ports, and so on.

“If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building,” Paul Ionescu, IBM X-Force Ethical Hacking Team Lead, points out.

“For example, cybercriminals could gain control of the devices that regulate data center temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.”

Security issues and solutions

“The vulnerabilities we used to gain access in this test could have been prevented by the software manufacturer employing secure coding practices to sanitize input, prevent remote execution of commands (in both the firewall and building management software), and provide strong password storage (encrypt it in the first place, in the case of the firewall, and use a one-way encryption algorithm with a random string appended),” Chris Poulin, Research Strategist, IBM X-Force Security, told Help Net Security.

He also advises admins to make sure not to expose building management systems directly to the Internet. If they really have to do it, they should employ a VPN and two-factor authentication for added protection and, if possible, apply a whitelist so that only a small set of IP addresses on the Internet can access the building management system.

“Safer password practices would have gone a long way to prevent the hack we were able to perform on the BAS we tested,” he says. In this particular case, the password for the firewall and the building management system was the same.
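The password-storage advice above (a one-way function with a random string, i.e. a salt) and the shared firewall/BMS password can be illustrated together. This is an added example, not code from the IBM report or the tested products; the choice of PBKDF2-HMAC-SHA256, the iteration count, the device names and the passwords are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str) -> dict:
    """Return a storable record: random per-record salt plus one-way digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def reused_on(new_password: str, store: dict, skip: str) -> list:
    """Devices (other than `skip`) whose stored record matches new_password.

    Salts make the stored digests differ even for identical passwords, so
    reuse is only detectable when the plaintext is presented at set time.
    """
    return [name for name, rec in store.items()
            if name != skip and verify_password(new_password, rec)]


def set_password(store: dict, device: str, password: str) -> None:
    """Store a new credential, refusing one already used on another device."""
    clashes = reused_on(password, store, skip=device)
    if clashes:
        raise ValueError(f"password already in use on: {', '.join(clashes)}")
    store[device] = hash_password(password)


# Constructed sample data: device names and passwords are made up.
def demo() -> dict:
    store = {"firewall": hash_password("Bldg-Adm1n!")}
    try:
        set_password(store, "building-management", "Bldg-Adm1n!")  # same password
    except ValueError as err:
        print("rejected:", err)
    set_password(store, "building-management", "k7#Vent-Loop-42")
    return store


if __name__ == "__main__":
    print(sorted(demo()))
```

Because each record carries its own salt, a stolen credential store does not reveal which devices share a password, and each digest has to be attacked separately.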

Patching and upgrading firewalls, building management systems, and any device or system that runs software or firmware is a good security practice. It can be a drag, he admits, as IoT and building management devices don’t push patches or even have a formal notification process that a new patch or version is available, but still, admins should make the effort.

He advises putting strict controls in place on what should pass between the IT network and the building system network(s).

“As security oversight for many of these systems is currently lacking, keeping the building automation system on a separate network than the company / IT network is one way to limit the risk of hackers breaking into the company network through the building automation network,” he notes.

“However as we move forward to a more secure model, the people operating and securing IT systems should begin to have oversight into the BAS network as well. Note that the building management system we tested did not provide access to the IT systems; however, a malicious hacker could affect IT systems by heating up the data center. While the IoT and IT may not converge at the infrastructure level, everything eventually interacts in the physical world.”

Using endpoint protection on devices used by the building management team to access the BAS should be a must, and these operators should be regularly trained and tested when it comes to phishing.

Finally, hiring security professionals to pen-test the system is also a good idea, but admins should keep in mind that securing a building automation system is not a one-time job, nor is there one easy way to secure a building.

“It must be an ongoing process, as the business's requirements, the facility itself and the environment in which it lives change over time, and new security issues arise on a regular basis. It takes extensive work and coordination to not only get vulnerabilities patched, but also to ensure those fixes actually make their way into the affected devices in the building,” Poulin explained.

Smart Buildings security: Who’s in charge?

Gartner estimates that the number of connected devices used in “Smart Commercial Buildings” will reach 518.1 million this year, and over 1 billion in 2018.

One of the questions that many employees in IT departments of companies housed in these buildings are surely asking themselves is: “Should we and will we eventually be in charge of overseeing smart office technology, or will that be left to the building/office management operators?”

“In the past, traditional voice providers (PBX systems) would connect to the IT network to print call logs. Then VoIP systems blurred the lines between voice and data, resulting in many IT departments taking responsibility for it,” notes Poulin.

“It’s easy to foresee large server clusters monitoring energy rates and running CPU and disk intensive operations when more electricity is available on the grid and is not priced at a premium. Servers could also dynamically call for more cooling and ventilation in preparation for heat-generating operations. Physical security systems are already being integrated with anomaly detection systems, for example to ensure that when a user physically logs into a workstation that the security system positively identifies them as having entered the facility (or room, depending on the granularity of the badging system). In short, IT will want to use facilities data and building management will want to avail themselves of IT resources, and it makes sense for IT to inform and govern building management on infrastructure security.”

“Whether IT departments or building management operators want to interact with each other or not on a human level, the technology they both manage will connect – and already is – to solve business problems,” he added. “So while it may not be that IT has complete control of smart office technology, the two groups will have to work together and broaden their scope of knowledge and experience to encompass the other’s technology.”

This will be a big cultural shift and he predicts that many will protest, but ultimately some of the IT staff will have to be trained on physical systems and vice versa.

Securing the IoT

It can be very frustrating to observe the seemingly glacial pace at which IoT manufacturers improve the security of their products (if they make any effort at all).

Historically, increased attacks and incidents pushed the public to ask for better security, and ultimately regulatory mandates and contractual obligations with business partners and big customers have been required.

“However, we have an opportunity to take a different tack with the IoT – instead of regulatory pressures, we can define and provide a secure framework to makers,” Poulin opines.

Such a framework would prescribe a standard set of building blocks with security baked in at all levels: encryption at rest and in motion, strong authentication, reduced attack footprint, stringent permissions, firmware integrity guarantees, over-the-air updates, and so on.

“Whether commercial or open source, the framework would also have to provide a functional benefit for makers, such as ease, speed, and flexibility. Ultimately, makers have traditionally been sensitive to inherent costs of production; keeping those costs down while facilitating compliance is a win for both makers and operators,” he concluded.
