Understanding the Security Risk
By Andrea Carcano, Nozomi Networks Co-founder and CPO
Smart Buildings: Understanding the Security Risks
Today many of the world’s most forward-thinking workplaces are deploying smart technologies into their offices to help optimize functions, increase productivity, and improve overall working life.
These new ‘smart buildings’ boost smart thermostats, which can measure the temperature of the building and turn on the heating or the air-conditioning when required, as well as intelligent lighting, which can be controlled remotely and adjusted to suit the time of day. When turning a building into a smart building, one of the key attributes is taking the data from the technology deployed and using it to make intelligent decisions.
Smart buildings can significantly improve the lives of those occupying them and can also play a key role in helping the environment, however, as we have seen time and time again, when internet-connectivity is added into any piece of equipment it makes it accessible to the outside and by intruders. This ultimately means that when offices turn their workplaces into smart buildings, attackers have an even larger array of entry points to attack the organization.
A world of opportunity for attackers
According to a report from IDC, Internet-of-Things spending is expected to reach $745 billion globally this year. This shows just how popular smart technology is becoming, and not just among consumers.
Smart technology within buildings offers huge benefits and not just for occupants. It can also be used to significantly reduce costs and reduce the environmental footprint of the building, by intelligently analyzing data and understanding when, for instance, energy consumption can be reduced.
An example of this was recently reported in Forbes when it was revealed that the New York Times head office in Manhattan managed to reduce its lighting power per square foot from 1.28 watts to 0.4 watts, which is an energy-saving of 70 percent. This was as a result of the media powerhouse implementing smart technology to control lighting and sensor blinds, among other things.
However, along with the many benefits smart buildings offer, the convergence between operational technology and IT systems this is required to support them also opens smart facilities up to an increased threat of hacking.
If a hacker is able to gain access to a smart building it potentially presents a world of opportunities to the hacker. For instance, because these new smart technologies are connected to the building’s IT network they open up new entry paths into corporate networks. Attackers could use these new devices as new ways to install malware on the corporate network or recruit the devices into botnets or even launch ransomware attacks against the organization.
This ultimately means that security for every single internet-enabled appliance, from lighting to refrigerators, must be forethought before they are introduced into smart buildings.
Making security a priority
While most people would not look at their lighting or sensor blinds as attractive targets for attackers, the fact that these appliances are connected up to corporate networks, which also connect to sensitive information, means they are. Research and experience have shown repeatedly when things are connected to the internet, they become a target for malicious hackers. As a result, it is imperative that smart building operators make security a priority.
To reap the full benefits of connectivity within smart buildings it is important that all networks and devices are comprehensively accounted for and secured, as each device could be a potential entry point for attackers. In addition to maintaining an up-to-date and accurate inventory of devices on the network, it is also essential to ensure all software and hardware is updated with the latest patches and not hosting any vulnerabilities which could be exploited by attackers.
Organizations should also train staff on security threats and teach them about the dangers of email phishing campaigns, including how to recognize malicious emails and attachments.
Finally, it is crucial for organizations to ensure that multiple levels of protection are in place – from securing the network itself to monitoring it in real-time for anomalies that could indicate a cyber threat is present.
Today’s smart buildings are a variety of sensors, control systems, networks, and applications. While these technologies are being introduced into workplace environments to improve efficiencies, help drive down costs, and of course, improve our global environmental footprint, they also increase the attack surface. As a result, the security of all new internet-enabled appliances must be forethought before they are added to the network.
About the Author
Andrea Carcano is an expert and international leader in industrial network security, artificial intelligence, and machine learning. He co-founded Nozomi Networks in 2013 with the goal of delivering next-generation cybersecurity and operational visibility solutions for industrial control networks. As Chief Product Officer, Andrea defines the vision for Nozomi’s products and is the voice of the customer within the organization. In this role, he draws on his real-world experience as a senior security engineer with Eni, a multinational oil and gas company, as well as his academic research.
With a passion for cybersecurity that began in high school, Andrea went on to study the unique challenges of securing industrial control systems. His Ph.D. in Computer Science from Università degli Studi dell’Insubria focused on developing software that detected intrusions to critical infrastructure control systems. His Masters in Computer Science from the same institution involved creating malware designed to take advantage of the lack of security in some SCADA protocols and analyzing the consequences.
Andrea has published a number of academic papers, including one describing an early example of malware targeting SCADA systems.
Andrea Carcano – Published Papers
Andrea can be reached on LinkedIn at https://www.linkedin.com/in/andreacarcano/
or on twitter @andreacarcano and at our company website www.nozominetworks.com