Current and future smart buildings offer the promise of user comfort and energy efficiency, all managed by increasingly interconnected systems. Smart networks and other applications central to this technology have proliferated rapidly in recent years, and continually exchange a variety of different data—sometimes to the complete detriment of security. As such, safeguarding a smart building against cyberattacks (whether they involve IT or OT networks) represents a sizeable challenge—but not an insurmountable one.
For a while, the first smart buildings (connected tertiary buildings designed for professional or residential use) were limited to collecting information from a single building system (also known as a “work package”), such as lighting, heating or air conditioning—a process referred to as Centralized Technical Management (CTM). By connecting systems and networks together, Building Management Systems (BMSs) provided a layer of automation and monitoring to CTM. Building management became smart and integrated for all systems, including lighting, HVAC (heating, ventilation and air condition), fire protection systems (smoke detectors), elevators, parking sensors and surveillance cameras, to name just a few examples. All of this data is used to monitor the facilities, produce operating statistics, and initiate preventive and predictive maintenance operations.
Smart buildings under the crosshairs
However, this additional layer of automation and monitoring comes with non-negligible cyber risks. Since data is vital for smart buildings, its integrity must be maintained. And since the volume of data is exponential, and may come from a variety of different suppliers, maintaining security is a complicated task. The protocols and operating systems may vary, and not all suppliers have the same level of maturity when it comes to tackling IT and OT cybersecurity risks.
In 2014, the American company Target suffered a cyberattack that provided an early textbook case: in order to steal payment card info from millions of customers, the hackers broke in directly through the network of one of the company’s subcontractors, which was in charge of the air conditioning systems. And according to a study by Kaspersky, nearly four in ten computers used to control smart building automation systems were hit with cyberattacks in the first half of 2019.
Understanding the different types of attacks
The interconnections between these systems and the building network, as well as the abundance of stakeholders involved, make these buildings more vulnerable to cyber risks. Put simply, if a smart system is remotely accessible for the building manager or one of its subcontractors, it is potentially accessible for a cyber-criminal as well. Using BMSs, multiple types of cyberattacks can be launched against smart buildings. Attackers may hack into the networks and servers, modify data, or shut down the building with ransomware, undermining the building’s operation and even leading to physical or material damage if they gain control of the elevators, fire alarms, door locks or ventilation systems. These scenarios offer a hair-raising perspective for shopping centres and hospitals.
And the development of smart devices and the Internet of Things (IoT), which are particularly vulnerable to security issues, are making buildings more susceptible to attacks that are closer to home, via open wireless networks (such as Wi-Fi or Bluetooth). A few years ago, two researchers successfully hacked into smart light bulbs to demonstrate the vulnerability of the IoT and the security flaws of wireless networks. They managed to remotely take control and upload malware throughout a smart building using a malicious update.
Note as well that cyberattacks may also occur from inside the building by inserting a simple USB stick into a piece of equipment.
Whether they involve IT or OT systems, attacks may lead to material or bodily harm, with dramatic consequences. Accordingly, these cybersecurity problems are even more of an issue for highly sensitive sectors such as healthcare, since utility systems (air conditioning, air-level systems, fire security) are central to any hospital building. The prospect of a cyberattack disrupting the air treatment system in an operating theatre constitutes a critical health risk.
The importance of anticipating risks
“We are now aware of the cyber risks affecting CTM-BMSs, whether they involve OT, IT or the IoT, but the lack of forward planning speaks volumes: we are working from a backward-looking mindset. We are preparing for the future by examining risks linked to attacks that have already taken place. Cyber risk should be addressed right from the design and construction phase of a smart building”, notes Denis Boudy, Sales Manager, Digital Solutions at ScredIn*.
In smart building projects, the “operation and maintenance” phase is preceded by “design and construction”. During this initial phase, all architectural, engineering and construction data will be aggregated into a digital mock-up, a process known as Building Information Modelling (BIM). This data is then organised, cleaned up and optimised to develop a digital twin. Once additional data has been added (from the IoT, for example), this twin will be used throughout the operation and maintenance phase, providing real-time graphical representations of the smart building’s management system. The initial design phase is important, then, since sensitive 3D-modelling data will be processed throughout the building’s lifetime.
If digital security is not an integral part of upstream data production, then you’re just making the hackers’ job easier!
Denis Boudy, Sales Manager, Digital Solutions at ScredIn
The risks will therefore need to be anticipated. “If digital security is not an integral part of upstream data production, then you’re just making the hackers’ job easier”, says Denis Boudy. “During building renovation, it is common for some companies to use foreign contractors to put together 3D models, for budgetary reasons. There is no guarantee when it comes to the integrity of the data; it’s all open to everyone. You don’t need to jump straight to a cyberattack; even a physical attack on the building is conceivable. Anyone who has had access the digital model may have access to sensitive information and know exactly what to do to shut off the lighting, or know exactly where the surveillance cameras are. Recently, a number of French government agencies digitised their buildings and properties using 3D scanning, and didn’t ask for any information on how the digital models were produced. We know that many companies outsource this type of process, and they’ve sent all of the required data abroad, unencrypted. This is a genuine risk to the safety, confidentiality and integrity of the data.” “From a cybersecurity perspective, by having access to this data, a hacker might more easily find out how to turn up the heat to the maximum setting, cut off the air intake, or prevent a fire alarm from going off... The tragic consequences are easy to imagine”, says Raphaël Granger, Account Manager at Stormshield.
The design and construction phase may last anywhere from two to four years. During this period, more than 400 people will be producing data, and more than 1000 will have access to it, says Denis Boudy. The likelihood of a security breach is therefore considerable. “Having a BIM manager or a data manager determine the criticality of the data is crucial during this stage: it’s their job to determine the permission levels needed (to access a camera, for example), and to manage communication flows and encryption. If you’re not careful to ensure access security for all of the data aggregated throughout the BIM process, then it may be used to actively monitor the system to prepare for an attack.”
Beware of the cloud and 5G
Smart buildings are increasingly spread out. Connectivity is essential for transmitting information—as long as it’s secure and reliable. If a fire breaks out in a smart building, the right information must be sent to the right person as quickly as possible.
This requires information relays, which often take the form of decentralised mini-computing centres. This process is central to edge computing, and soon enough 5G. While edge computing helps cope with the considerable amount of data that needs to be stored, analysed and processed, a decentralized data system carries just as many cyber risks. “We need to find a happy medium between simplifying our lives and taking risks”, notes Mathieu Demont, Product & Solution Security Expert (PSSE) at Siemens Smart Infrastructure. “Providers of cloud storage solutions offer unlimited data processing capacity to businesses, but what happens behind the scenes is murky. The connections aren’t visible, and we don’t always know who really stores the data, or on what hardware. Is our data shut away in containers, themselves integrated into private servers? Or is it pooled together with other customers’ data? All of this remains unclear, and while we’re sitting here thinking that our data is properly protect, all of it might at some point get mixed with other data that contains viruses.” With 5G, the flow of information will increase, which makes it essential to address processing capacities.
“5G will offer greater bandwidth capacity, but of course that’s just as true for cyber-attackers as it is for companies. That means our systems need to be more robust, and that’s why we account for cybersecurity as early as the design phase”, adds Mathieu Demont.
5G will offer greater bandwidth capacity, but of course that’s just as true for cyber-attackers as it is for companies.
Mathieu Demont, Product & Solution Security Expert (PSSE) at Siemens Smart Infrastructure
A safe and (cyber)secure smart building
In order to safeguard data processing and ensure the reliability of smart building data, it is recommended to set up a governance framework that requires strict authentication for users. It also strongly advised to strengthen information system security by segmenting the networks and installing a firewall. Lastly, it is essential to safeguard production using robust end-to-end data encryption.
All of these measures need to be supported with consistent, day-to-day organisation. “We often say that technology accounts for 30% of security, and the remaining 70% is essentially organisational, says Mathieu Demont. In our heads we have this image of a fire extinguisher that’s blocked by a door in order to ‘air out’ the hallways—a major error if the doors ever need to be closed... That may seem anecdotal, but poor organisation can impair the reliability of technical measures and undermine the overall security of the system. That’s why we do a fair amount of training and awareness-raising at Siemens Smart Infrastructure, particularly when it comes to cybersecurity.”
These measures also apply to smart industry, and to smart cities more widely, which entail similar issues to smart buildings, only on a broader scale. There are more players involved, which raises issues in terms of governance, confidentiality and data security—particularly since new sensor technologies (LoRa, SigFox, 5G) are accelerating the development of future cities. This transition to smart cities cannot occur without some measure of cybersecurity.
* ScredIn is a product developed by the Ingérop Group.