March 9, 2016 By Robert B. Razavi

Smart buildings, offices and homes are all the rage these days. According to Zion Research, the global smart building market was valued at $7 billion in 2014 and is expected to reach $36 billion by 2020.

More specifically, smart buildings promise to be a key piece of the smart cities puzzle, holding the promise of better energy use and of smaller carbon footprints, reduced inefficiencies, costs savings, vast improvements in comfort and enhanced tenant experience. But are these technologies ready to tackle the escalating threats landscape? Do they benefit from a modern security model?

Smart building technology and building automation systems (BAS) were born out of the advancements and incredible progress made in the realms of composite materials, sensors, embedded systems, mechanical miniaturization and software. Advancements in protocols and communications have also made it possible to connect objects to each other and to the Internet, giving birth to the much-touted Internet of Things (IoT). Manufacturers such as Nest, Honeywell and even Apple will be rushing to get a slice of the billion-dollar pie.

That’s all very exciting, but to quote Dr. Christian Szell from “Marathon Man,” “Is it safe? … Is it safe?” Well, it turns out it’s not quite safe yet.

Smart Buildings Aren’t Secure

Let me backtrack a bit: All the wonderful advancements in sensors, miniaturization, embedded systems, etc. have unleashed a torrent of innovations making smart buildings possible. Ubiquitous — and cheap — wireless communication technologies and protocols connect these systems and devices to each other and to the Internet. But their security model is still stuck in the ’70s. As in, it’s vastly inadequate.

To further illustrate this, IBM Security’s X-Force Ethical Hacking team (full disclosure: I work for IBM) recently conducted a penetration test that aimed to hack into a BAS at the request of the building management group. IBM’s team was able to exploit simple vulnerabilities and basic design flaws in connected devices’ embedded software to gain access to the building’s central command server. If this had been a real attack conducted by a malicious actor, serious material damage — perhaps leading to real danger for the tenants — could have ensued.

This exercise showed that, unsurprisingly, different types of vulnerabilities are found in the smart building ecosystem — at the device and sensor level, at the gateway and controller levels and up to the data, application and network levels. This situation exists because manufacturers traditionally involved in designing systems and devices for smart buildings and homes (e.g., HVAC, electrical systems, sensors, controllers, etc.) have not considered their products as potential attack targets.

As a result, they often implement lightweight protection measures or sometimes even none. Engineers and programmers involved in the development of these connected devices don’t often have to manage complex security requirements. “Add a password” is probably as much as some of them see on their requirements list!

Security Has Its Own Challenges

Today, the sheer range of device types, manufacturers, integration ranges, conflicting and incompatible standards and complex protocols makes securing these systems a daunting task. To make matters worse, once deployed, these devices and systems are very hard to update, patch or upgrade remotely. Vulnerabilities may linger for years, often requiring complex coordination and, ultimately, a site visit by a technician armed with very specialized equipment before they are patched.

Attackers break through conventional IT safeguards every day. In the coming months and years, the number of threats and malicious actors will only grow exponentially, and their techniques will become more sophisticated and pernicious. These rogue actors will increasingly turn their attention toward targets outside their usual theaters of engagement: cars, homes, buildings, public infrastructures and more.

The response to these perils should be to apply the best tenets of IT security to the smart building and BAS ecosystems. As for any security posture, things like strong authentication and access control should be the first step with regard to protection, followed by best-of-breed network, device and application security.

Analytics May Be Able to Help

Analytics, as well as context-aware event and anomaly detection, should become the foundations upon which smart, integrated and proactive defense postures are adopted by organizations that own smart building technologies. An open sharing of security and threat intelligence pertaining to IoT and smart buildings will also need to be part of the solution. The more intelligence all stakeholders share about these topics, the more robust the ecosystem.
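As an added illustration of the context-aware event and anomaly detection the paragraph calls for (example code written here, not code from the article or from IBM), the script below scores constructed BAS setpoint-write log lines against three context rules: who is allowed to write, when writes are expected, and what values are physically plausible. The log format, writer allowlist, maintenance hours and setpoint bounds are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy context. In a real building these would come from the
# asset inventory, the maintenance schedule and the HVAC/elevator specs.
ALLOWED_WRITERS = {"10.0.5.10", "10.0.5.11"}   # assumed BMS front-end hosts
MAINTENANCE_HOURS = range(6, 20)                # assumed 06:00-19:59 local
SETPOINT_BOUNDS = {                             # assumed physical limits
    "hvac_temp_c": (16.0, 28.0),
    "elevator_speed_pct": (0.0, 100.0),
}

@dataclass
class Event:
    ts: datetime
    src: str
    point: str
    value: float

def parse_event(line: str) -> Event:
    # Assumed gateway audit format: "<ISO ts> <src_ip> WRITE <point>=<value>"
    ts, src, _verb, assignment = line.split()
    point, value = assignment.split("=", 1)
    return Event(datetime.fromisoformat(ts), src, point, float(value))

def anomalies(ev: Event) -> list[str]:
    """Return the context rules this event violates (empty list = normal)."""
    found = []
    if ev.src not in ALLOWED_WRITERS:          # write from an unknown host
        found.append("unknown_writer")
    if ev.ts.hour not in MAINTENANCE_HOURS:    # write outside expected hours
        found.append("outside_hours")
    lo, hi = SETPOINT_BOUNDS.get(ev.point, (float("-inf"), float("inf")))
    if not lo <= ev.value <= hi:               # physically implausible value
        found.append("out_of_bounds")
    return found

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each anomalous log line to the rules it violates."""
    result = {}
    for line in lines:
        rules = anomalies(parse_event(line))
        if rules:
            result[line] = rules
    return result

SAMPLE_LOG = [  # constructed sample events, not real building data
    "2016-03-09T10:15:00 10.0.5.10 WRITE hvac_temp_c=21.5",
    "2016-03-09T02:40:00 10.0.5.10 WRITE hvac_temp_c=21.0",
    "2016-03-09T11:05:00 192.168.7.44 WRITE hvac_temp_c=40.0",
]

if __name__ == "__main__":
    for line, rules in scan(SAMPLE_LOG).items():
        print(rules, line)
```

Each rule on its own is weak; the value of the approach is that a write from a known host, at a normal hour, to a plausible value passes, while the combination of context flags the ones worth a closer look.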

Now, this might well seem an expensive proposition for organizations that own smart buildings. However, if we instead see this from the point of view of adopting a holistic security posture that includes a layered approach to protecting one’s entire ecosystem, from intellectual property down to HVAC systems, this becomes an integral part of an organization’s DNA. Security becomes not something you slap on top of systems, processes, operations and buildings, but rather an immune system for your organization.

Buildings and homes are, after all, where we live and work. We should protect them as well as our organizations’ brands or intellectual property and not have to worry about the latest attacks on elevator controllers.
