Much attention is focused on IT and OT cyberattacks, but there is little press about the expanding threat landscape within building management systems. Rest assured that smart buildings are also under attack and that the problem is widespread, mission-critical in nature and demands attention.
Today, almost every new building larger than 100,000 sq/ft (or 10,000 sq/m) is engineered to be a smart building. To be competitive, marketable and energy efficient in the real estate industry, buildings are made capable of running autonomously. To accomplish this, they rely on a large array of computers, software, networks and smart sensors. This is true for all types of large buildings including manufacturing facilities, hospitals, data centers, government buildings, large retailers and universities.
Automation systems perform many functions in today’s smart buildings: climate control, lighting control, energy management, video surveillance, badge access, fire detection, elevator control and electric power distribution, to name the most common. Each of these subsystems is intelligent and relies on hundreds, and even thousands, of computers and smart sensors distributed across networks to make the building smarter. Most of the devices connect to local management servers, as well as to the Internet. To put this into perspective, the number of building control devices attached to the local enterprise network is typically three or four times the number of computers running on user desktops.
Building automation networks are typically deployed over a combination of Ethernet IP and twisted pair networks such as RS485. These networks most often run open protocols including BACnet and Modbus. Wireless IoT devices are also deployed on WiFi, ZigBee and Bluetooth mesh networks. One of the most common data layer protocols is BACnet. This popular standard is used extensively for HVAC control and is deployed in a clear, unencrypted format. (A secure version called BACnet/SC is an emerging standard and will be encrypted. However, it is not widely available.)
An important characteristic of smart building devices is that they need to be powerful enough to perform complex automation tasks while simultaneously being simple to maintain. There is most definitely a “set it and forget it” approach to the industry. To achieve this, the devices run embedded operating systems (often variants of Linux) on small micro-controllers or larger SoCs (Arm7 or Arm9 is typical). This combination of powerful yet simple devices connected over an open network creates a large and vulnerable attack surface.
In addition to inherent problems with the devices themselves, there are also risks inherent with the physical layout of large buildings. Devices are either located away from where people can inspect them, hidden in ceilings or mounted in equipment closets. Conversely, they can also be out in the open and exposed to hundreds of people (like smart thermostats). In all cases it is fairly simple for a bad actor to gain access. Once a device is compromised, it can be converted into a zombie to host man in the middle attacks. Because there are so many devices and because they operate in near physical obscurity, they can run undetected for months or years. As building management systems are increasingly connected to the Internet, it is no surprise that they are also subject to the full range of remotely initiated attacks including spyware, worms, phishing attacks and ransomware.
Ambiguous system ownership and inconsistent maintenance practices increase risk substantially. During the construction phase, the installation of building systems is usually awarded to the lowest bidder. These awards are further delegated down the construction chain to sub-contractors and system integrators. At some point the developer of the property turns the building over to the tenant to operate. In most organizations the facility management is outsourced to a third party property manager, yet the system is hosted on the tenant’s network (typically on a VLAN).
Corporate IT is usually not expected to maintain such large systems (because they are also controlling physical assets, IT does not have scope). Oftentimes the systems are located in satellite facilities where there is little or no direct IT support available. This creates a management and maintenance structure where the cybersecurity of building management systems tends to “fall between the cracks”. The result is that they are hosted on an enterprise VLAN operating under minimal supervision. To make the situation just a bit worse...building systems depend wholly on local service contractors to make programming changes and fix problems. This means that a steady stream of vendors is frequently logging in across the enterprise network or remotely across a VPN. Needless to say, endpoint security is scant in this set-up.
The benefits of smart buildings are many; they are physically safer, far more energy efficient, and healthier and more comfortable for workers. However, the industry is only beginning to understand the large attack surface inherent in these complex designs. It is essential that enterprise IT and OT security teams address these gaps and implement best practices, or serious consequences are bound to occur.
In the worst cases, physical assets such as elevators can be impacted, ventilation systems can be blocked, or fire detection and physical security can be compromised. Though, a more likely scenario is that building systems will be used to quietly and efficiently exfiltrate corporate trade secrets or valuable customer information. In either scenario, damages will be expensive and difficult to remedy after they have occurred. Through a series of upcoming blog posts, we will be exploring and recommending best practices designed to ensure that buildings are designed to be smart and also secure. We look forward to sharing more information on this important topic with you.
