As smart buildings become integral to our modern landscape, they also bring about new cybersecurity risks. The integration of sophisticated technology has made buildings smarter but also more vulnerable to cyber threats. We delve into this issue with industry expert Fred Gordy, Director of Operational Technology and Risk Assessment at Michael Baker International.
“I’m not sure that everybody’s aware of what’s going on in cybersecurity for buildings and the attacks that are happening. It’s simply because we don’t have to report any attacks that happen. And what I want to share is a little bit of what I see almost on a daily basis, as it relates to attacks on smart building technology.”
Q: Why do hackers love smart buildings?
A: Well, simply put, easy entry. These buildings have evolved rapidly without the necessary cybersecurity measures, making them attractive targets for cybercriminals seeking an easy way in. And to understand why they’re easy entry, you need to look at the history and the evolution of smart buildings that was driven by convenience and control but often neglected the security aspect, leading us to the current situation.
Q: So, what is the history behind smart buildings? How did we get here to this point of easy entry?
A: Buildings started getting connected in 1969; these systems were being connected to different manufacturers for the purpose of being able to control multiple systems and multiple processes, if you will. But from 1989/90, these systems got connected to the true network, not just a proprietary network that the manufacturer came up with; they were being connected to corporate LANs, and then ultimately, they were being connected to the web. So, there were a lot of beneficial reasons for connecting them to the internet.
The problem was the people that were connecting them to the internet didn’t come from an IT discipline. And so therefore, it was all about the availability of the system, not the confidentiality of the system. If we fast forward a little bit more, then in around 2008, they started getting connected to the cloud.
And ultimately, around 2014 is when we saw the beginning rumblings of attacks on smart buildings. And the reason was/is because the ‘bad guys’ have figured out easy entry. I like to say that bad guys are the laziest, most persistent people you’ll ever meet, because they’re always looking for the easy way in. And they never give up. That’s what has attracted bad guys to smartphone technology; in some cases, not just necessarily looking to attack the system, they’re looking for a pivot point, a way to get from the building system over to the corporate IT.
Q: Taking on board the history, wouldn’t you need to take quite a few steps backward to find a solution?
A: Yes, your statement is absolutely correct. And to your point about having to take a step back, these buildings are living beasts, I mean, they are operating 24/7. The problem is you can’t just turn them off and then reconstruct everything. There was a lot of pushback about ‘hey, you’re not coming in here and changing anything’.
We have a couple of approaches. The very first thing you need to do is determine: is this building a highly critical asset? Well, if it is, then you need to take the steps necessary to protect it. And from a business standpoint and operational standpoint, what may make the most sense would be to enclose it inside of a hardened boat. You don’t fix the things on the inside because you can’t, or rather you could, but there are usually business reasons. I like to use the example of everybody’s seen Jurassic Park. The scene that stuck with me the most is the one with the little goat. The poor little goat comes up into the T Rex enclosure, and he’s just stood there on a rope, and he doesn’t have a chance, and when we cut back to the shot, then there’s just that hanging rope. Well, we’ve got to get a cage around that goat because these things weren’t designed to protect themselves.
The cloud-based Armis platform enables you to easily discover, oversee, and secure every wired and wireless asset on your networks, including BMS controllers and devices. To learn more about Cyber-Physical Integrity of Building Management Systems, read Armis’ solution brief here: https://www.armis.com/solution-briefs/ensure-the-cyber-physical-integrity-of-building-management-systems/
Q: What’s the latest in smart buildings and how does that affect the average person?
A: I’d say the latest developments in smart buildings revolve around the advancement of edge devices. Edge devices are getting smarter; they’re able to do things all by themselves and can operate independently without a centralized brain.
An example is the integration of RFID and smartphone apps that enable buildings to prepare for occupants’ arrival by activating necessary systems like elevators and climate control based on real-time data, such as the occupants’ location and estimated time of arrival. I wrote an article about this many years ago, and I’m seeing it coming to fruition. With this type of smart technology, buildings can monitor occupants and become more efficient with energy usage. This increasing level of integration not only signifies a leap in operational efficiency but also heralds a future where buildings will more seamlessly interact with occupants’ daily routines, marking a significant evolution in how buildings are experienced and interacted with. I think that’s the part that people are not really aware of: it’s how these buildings are already using smart tech for efficiency and how much more they’re going to integrate into their lives.
Obviously, these new levels of intricate communication between various building systems, like elevators, access control, HVAC, and lighting, to optimize efficiency and energy usage are of course a really positive thing, but they also add new layers of cyber risk.
This blog is a write-up of a brief extract from a conversation on Armis’ Bad Actors podcast series. In the episode, Fred continues to discuss the New Tech in Smart Buildings, the threat of Ransomware to our critical infrastructure, The Dark Side of AI, and Worm GPT. Listen to the full episode here: https://www.armis.com/podcasts/