Recent high-profile data breaches prove that without adequate security, smart buildings could be a dumb idea.
News that hackers responsible for the recent massive data breach across Target retail stores may have cracked remote access credentials used by a third-party HVAC vendor has jarred anyone interested in smart management of buildings.
Target allowed HVAC system supplier Fazio Mechanical Services of Sharpsburg, Pa., to perform its "electronic billing, contract submission and project management" for the retailer on its network. Even though Fazio wasn't using its remote access rights to track HVAC, it seems thieves found their way in through the vendor's privileged route.
The breach logically focuses attention on smart building systems -- including automation and control systems for lighting, HVAC, water, electricity, access control, and fire safety, as well as the overarching building management systems that govern these tools.
"In general, most companies and organizations allow Internet-facing connections to the control systems for metering and the remote [access] of HVAC, and those systems are now being targeted by malware," said Michael Chipley, president of The PMC Group LLC, a Washington-DC-based tech consultancy, in a phone message to me.
A Target retail store in Ontario. (Photo: Nicholas Moreau via Wikimedia)
Another expert, Miki Calero, chief security officer of the city of Columbus, Ohio, wrote in an email to me this week:
Any system connected to a network exposes all other systems on the same network to Internet-based security threats. Smart buildings rely on network-connected sensors to transmit energy usage data to systems for green initiatives, LEED compliance, etc., internal to the network and externally, to third parties. Same with fire and smoke detection systems, physical access control systems (PACs), intrusion detection systems monitored by contracted/external security service providers, etc. As everything becomes a networked device in the Internet of Things, exposure grows explosively.
There's nothing new about this. In a comprehensive overview published by the National Institute of Building Sciences in the US, Chipley reminds readers that malware such as Stuxnet, Duqu, Flame, and Shamoon has been aimed specifically at industrial control systems, of which building management and automation systems are a subset. He writes:
Smart buildings are now becoming the norm across the country, and as the buildings get ever smarter and interconnected with Smart Cars, Smart Cities, etc., they become vulnerable to outside attack and malware. As the IT and OT [operational technology] systems continue to converge, the need for new Cybersecurity skills and training for the facilities workforce will need to be developed.
In the US, the Department of Defense, the National Institute of Standards and Technology, and the General Services Administration have outlined ways to reduce security invasions on networks with integral building automation and management systems -- and these are listed exhaustively by Chipley in his paper.
There are other sources of information on protecting smart buildings and associated networks. Miki Calero described a few of these, including the Multi-State Information Sharing and Analysis Center (MS-ISAC), in a blog here on Future Cities last October.
Internationally, there is also work in this area by particular vendors of smart building systems, such as Johnson Controls; and by groups such as the academically oriented Workshop Enabling ICT for Smart Buildings.
At least some procedures are simply common sense. In this week's email, Miki Calero noted that when it comes to securing smart buildings and smart city systems, the most common strategy is to "physically separate the business and control networks, ensuring ... an 'air gap' between them." Additionally, it's important to make sure that any links between control systems and external or internal ones are really necessary and valid, says Calero. User names, passwords, and other protections must be strong and up to date.
Despite all the efforts underway, problems continue to surface. "Awareness and understanding of security risk management that cuts across all technology is growing, yet slowly," Calero states. "Regrettably, incidents tend to accelerate the learning process."
Saying that Target should have known better is easy in hindsight -- and of course, that's true. Smart building networks are yet another entry point to the rich stores of information increasingly gathered by businesses, governments, and other organizations worldwide. Wherever these networks emerge, so will hackers.
— Mary Jander, Managing Editor, UBM's Future Cities