Are Smart Buildings Safe From Hackers?

Recently a staff member’s smartphone started randomly turning on and off without provocation. The battery died within hours of charging and the memory was running at capacity, even with all apps closed. The verdict: hacked. The phone was wiped and promptly replaced.

This hacking close to home made us think, “What else could be hacked?” Adoption of the Internet of Things (IoT) and smart cities continues to expand rapidly. More devices are connected to the Internet than ever before: air conditioning, lighting control, and entry points. A 2015 survey by UK’s Gartner estimated that smart homes and commercial buildings represented 45% of total connected IoT. Smart commercial buildings were estimated to have 354.6 million installed IoT items by 2016. With the recent election hacking and warnings about vulnerabilities in the United States’ electric grid, we have to ask: are smart buildings safe from hackers?

The State of Smart Building Security

Last year IBM’s X-Force Security Research Group set out to explore the security of IoT networks. The hacking team approached a building management company to run a penetration test on their automated systems. X-Force successfully hacked into the data centers and controls, gaining access to the central server and control of several different commercial buildings across the U.S. managed by the company. Imagine the implications of a malicious hacker breaking into a system managing the environmental controls of a skyscraper, a hospital, or a server room.

IBM’s analysis of current smart building automation systems (BAS) revealed a need to address security. While 84% of BAS were managed through an Internet connection, only 29% of those systems were improving their cyber security. Another survey by Facilities Management News and Education found 35% of BAS users were not currently taking any action to improve their cyber security.

BAS Security Issues

The problem is that many intelligent devices were not made to automatically update software or resist hacks. Think about thermostats--how often do you reboot a thermostat? If there’s a malfunction, the easiest fix is to replace the thermostat.

Further complicating the security issue is the use of third-party monitoring providers. While many systems begin as an integrated in-house suite (think cameras synced with motion and lighting sensors), an increasing number of smart building systems are monitored by an outside service provider. To maintain compatibility, the communications between these systems are often open and transparent. That’s how retail giant Target was breached, exposing customer data. The hackers found a way into the system through a remote party controlling the HVAC system.

How to Improve IoT Cyber Security

What can building automation managers do to improve their cyber security and prevent data theft or obstruction?

  1. Segment the data network. Keep the BAS on a different network from the company’s network.

  2. IT and the CIO need to work together when selecting IoT equipment so that the IT professionals can analyze the underlying security protocols behind the sensors, assess network monitoring needs, and create strong authentication protocols.

  3. Avoid sharing passwords across devices and/or buildings, and don’t store them as clear text.
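
One way to check recommendations 1 and 3 against a device inventory, as an added example that is not part of the original article. The subnets, device names, inventory fields, and the hash-prefix convention are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions: address ranges for the corporate LAN and the BAS segment.
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
BAS_NET = ipaddress.ip_network("10.50.0.0/16")

# Constructed sample inventory; "secret" is the credential exactly as stored.
INVENTORY = [
    {"name": "hvac-ctl-1", "building": "A", "ip": "10.50.1.10", "secret": "pbkdf2$sha256$a1$9f3c"},
    {"name": "hvac-ctl-2", "building": "B", "ip": "10.10.4.22", "secret": "pbkdf2$sha256$b2$77e0"},
    {"name": "door-1", "building": "A", "ip": "10.50.1.11", "secret": "Summer2017"},
    {"name": "light-3", "building": "B", "ip": "10.50.2.30", "secret": "Summer2017"},
]

def looks_hashed(secret):
    # Assumption: stored hashes carry one of these scheme prefixes;
    # anything else is treated as clear text.
    return secret.startswith(("pbkdf2$", "$2b$", "$argon2"))

def audit(inventory):
    """Return (device, kind, detail) findings for the three checks."""
    findings = []
    by_secret = defaultdict(list)
    for dev in inventory:
        addr = ipaddress.ip_address(dev["ip"])
        # Recommendation 1: BAS devices belong on their own segment.
        if addr not in BAS_NET:
            where = "corporate" if addr in CORPORATE_NET else "unknown"
            findings.append((dev["name"], "segmentation",
                             f"{dev['ip']} is on the {where} network"))
        # Recommendation 3: no clear-text storage.
        if not looks_hashed(dev["secret"]):
            findings.append((dev["name"], "cleartext", "credential stored as clear text"))
        by_secret[dev["secret"]].append(dev["name"])
    # Recommendation 3: no sharing across devices or buildings. Identical stored
    # values reveal reuse; salted hashes hide it, so this catches clear-text
    # and unsalted cases only.
    for names in by_secret.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append((n, "shared", f"same credential as {others}"))
    return findings

if __name__ == "__main__":
    for name, kind, detail in audit(INVENTORY):
        print(f"{name:12} {kind:13} {detail}")
```
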

IoT and smart building tech adoption is going to continue. In fact, smart cities and IoT rank as a top CRE tech trend for 2017. BAS should be embraced, but businesses and IT professionals need to prioritize security measures in their selection process to prevent cyber attacks.