Smart buildings may be your cybersecurity downfall

According to a recent eEnergy report, 30 per cent of all purchased energy in the UK is currently wasted in commercial buildings, warehouses and education facilities. Whilst that’s quite a shocking number, it is, unfortunately, no surprise, as the majority of existing buildings in UK cities were constructed without energy efficiency as a key priority. Many UK organizations have started taking decarbonisation goals much more seriously, but there is still a long way to go, and the potential to drive further energy savings in commercial property remains remarkably high.

As business energy costs have skyrocketed in 2022, exacerbated by the current energy crisis, organizations are focusing attention on the energy consumption of systems such as heating, ventilation and air conditioning (HVAC). To achieve meaningful savings, it is important to understand how individual components of the building are contributing to expenditure and what can be done to identify specific areas that need improvement.

To gain a more in-depth understanding of the facility, benchmark a building’s performance, limit the overall operating costs and extend the life cycle of the equipment, organizations have been utilising the smart connectivity offered by the Internet of Things (IoT).

The deployment of wired or wireless sensors allows building managers to collect as much data as possible to identify the areas of wastage and opportunities to increase efficiency. However, considering the substantial infrastructure behind traditional building automation systems, applications, devices and networks, these digital transformation projects can open up potential cybersecurity vulnerabilities. It is critical that all systems be managed, maintained and gradually modernized, or organizations can be opening themselves up to cyber breaches.

IT, IoT and OT convergence

Today’s smart buildings have numerous systems and interconnections. Due to such an extensive attack surface, threat actors have the capacity to access sensitive information stored in one system via another.

With the rise of IoT, a wave of adoption of IT and IoT solutions at all levels of building system architecture poses a serious cyber security issue. As it becomes increasingly difficult to distinguish between building automation systems and other systems used in companies and their infrastructures, more “cyber holes” tend to be left unmonitored.

The use of insecure industrial protocols is another vulnerability that attackers take advantage of to disrupt smart buildings operations. This is especially the case for building automation systems. Popular protocols like BACnet and LonWorks are not implicitly secure and, like those used in the industrial production sector, tend to have their own vulnerabilities. The most sophisticated attackers are aware of these breaches and have no trouble accessing the documentation needed to develop commands to disrupt the operations of controllers and other devices.

As the cyber-physical equipment within buildings becomes increasingly distributed, especially due to the new trend of supervising building complexes from a central location, cyberattacks on smart buildings, as well as attacks on cities and other smart city infrastructures, can have a significant security impact for users.

Visibility as the key to cybersecurity of smart buildings

The key element of cybersecurity strategy, especially when it comes to automating smart buildings and adding to the connectivity of any environment, is complete and continuous visibility. After all, as the saying goes, “You can’t protect what you can’t see.”

And it is not just about visibility related to physical surveillance, but to all the potential entry points that an attacker can exploit to establish a beachhead within a building or its systems. Hackers are regularly found to exploit HVAC systems and other poorly defended office facilities and use them as entry points to access datacenters, business IT networks, and industrial control systems.

Controlling cyber risks

The risks and vulnerabilities present in smart budlings cannot be ignored. Complex connected networks present a unique opportunity for cyber criminals, as it only takes one breach for attackers to make their way through the entire system.

Visibility plays an essential role in upkeeping cybersecurity hygiene in smart buildings, therefore IT, IoT and OT must be seen as one entity. The adoption of security solutions that integrate IT, OT, and IoT is essential for gaining a complete view of environments within building automation systems, as they provide continuous monitoring and guard against vulnerabilities, threats, and anomalies within the automation environment.