Cybersecurity and Intelligent Buildings

For several years, information technology (IT) and operational technology (OT) have been converging. In commercial buildings, building automation systems (BASs) are trending toward more IT integration as building owners and facility managers see the value the technology creates. However, this increasing connection and interconnection of building systems also exposes them to malicious attacks from cybercriminals.

There have been a number of high-profile cybersecurity attacks recently, from Anthem to Sony to Target. The FBI now ranks cybercrime as one of its top law enforcement activities. Most of these attacks have focused on stealing credit card numbers, social security numbers, and other forms of personal information. But it’s important to remember that these types of attacks are not the extent of the damage that could be done. The Stuxnet worm was designed to attack programmable logic controllers and was discovered in 2010 after it had ruined almost one-fifth of Iran’s nuclear reactors. In some ways, this attack served as a proof of concept of attacks that could target building systems.

Building Vulnerabilities

Cyber attacks on computer networks are a ubiquitous and constant threat, costing victims hundreds of billions of dollars in damages each year. Organized crime groups, disgruntled employees, adversarial nation states, and even hobbyists are constantly scanning systems to identify entrances into networks. Poorly designed and maintained BAS networks can serve as access points for attacks.

Should companies really worry about the impact of a breached BAS network? It seems like the worst that a hacker could do is turn off the lights. Of course, in critical facilities (such as hospitals and data centers), disruption in building conditions can have direct operational impacts. But the threat is greater than that. A cybersecurity breach launched through a building management system (BMS) or BAS can also compromise the integrity and security of corporate networks that are operating within the building.

In 2012, security researchers Billy Rios and Terry McCorkle identified a vulnerability in the Tridium Niagara AX Framework that would allow such an attack. The team uncovered the ability to execute a directory traversal attack, which allows access to restricted directories and the ability to execute commands outside of the web server's root directory by downloading and decrypting the file containing user credentials from the server.

In 2013, these two security researchers were able to bypass the restrictions of the BMS at Google’s Wharf 7 office in Sydney, Australia using the vulnerabilities in the Tridium Niagara AX platform. By this point Tridium had issued security patches to eliminate such vulnerabilities, but the patches were never installed in this facility. Facilities managers are accustomed to operating with equipment lifespans that reach as long as 20 years. Constantly identifying and updating building system software is a fundamental shift in thinking—and one that a sophisticated tech giant like Google apparently could not manage.

Making Buildings More Secure

Building networks were never created with security in mind, and the sophistication of hacking is evolving at an incredible pace. Traditionally, breaches of security followed a flow of infiltration to aggregation to exfiltration. However, attacks are now rarely restricted to a single system and are now designed to propagate after infiltration. Moreover, the threat isn’t just technological—it also includes social engineering by obtaining account information through spying or misrepresentation.

The IT industry has established protocols for monitoring and protecting computers and IT networks against these attacks. These protocols are well understood, as are the responsibilities that each IT stakeholder has to adequately defend a network. But these are new concepts in building systems, and there is a lack of clarity among most stakeholders. IT departments may expect facilities departments to manage cybersecurity threats of buildings systems, or vice versa. Alternatively, both groups may expect the solution vendor to provide a security solution out of the box.

The threat of cybersecurity is beginning to change attitudes and has created interesting challenges in the commercial building controls market. Awareness and education of building owners and operators remain a persistent challenge. Some are completely unaware of the potential damage a cyber attack on building systems can cause their business. However, even building owners and operators who are aware of and concerned about the vulnerabilities of their building systems are often unaware of what to do about the threat. Relatively few facilities have robust defense strategies in place.

Join Benjamin Freas at the Guidehouse Insights webinar The IoT Transformation of Buildings on Tuesday, September 13 at 2 p.m. ET to learn more about cybersecurity risks in the buildings controls market.