The number of smart buildings is increasing globally. Today's technology world has created an enabling environment for innovation in the construction industry. That's why intelligent buildings are no longer something new; the smart building is the only way to build in line with sustainability principles.

Technology wouldn't have reached its current level without constant improvements and adjustments. Smart buildings are no exception. Even though they may look completely safe, the database the buildings connect to may face security risks. Continue reading to find out more about the vulnerabilities of modern intelligent buildings.

A Way For Cybercriminals To Circumvent Constraints

No matter how secure the system may look, there are always people who want to test it and break privacy rules. They use special tools, like Shodan, to find vulnerabilities in the IoT devices connected to the network.

Shodan makes it easy to discover information about a building automation system (BAS). In 2019, Shodan reportedly exposed data on more than 35,000 smart buildings. Such disclosure of sensitive information can potentially give hackers a chance to find vulnerabilities inside the system. Using the IP address of the automation system, the attacker can gain access to the monitoring panel. The panel contains private data of the companies located within the individual smart building.

And just like that, the cybercriminal can get through security restrictions and gain control over the company’s data. Do you still believe that intelligent buildings are impossible to hack?

Zero-Day Vulnerabilities Pose Security Risks

In January 2019, Tenable Research found several zero-day vulnerabilities in the PremiSys access control system. The system is used by over 500 companies, which are now at risk of being hacked.

A zero-day is a vulnerability in software that has not yet been discovered by the people responsible for fixing it. Sometimes an attacker finds out about the flaw faster than the developers. If such a vulnerability isn't detected and patched by the responsible parties, there is a considerable risk of an attack.

Tenable Research has developed several attack scenarios that could be applied by cybercriminals who discover a zero-day vulnerability. For example, the attackers may disable existing building locks and create fraudulent access badges to enter the system.

Schools, hospitals, offices and even private homes may be targeted because the developers of automation systems didn't manage to patch zero-day vulnerabilities. There is an exceptional variety of apps, such as mobile phone trackers, that can help us locate our smartphones to prevent data leaks. Still, even in systems as enormous as intelligent buildings, the data of big organizations can't be protected.

Heating Distributions Stopped Due To Attack On A Smart Building

Finland is the leading Scandinavian country that actively supports the incorporation of innovative technologies into the building industry. But it's one thing to promote something and entirely another to deploy it successfully.

December 2016 was marked by a significant attack on a smart building unit that caused the breakdown of the controlled heating system in eastern Finland. Two buildings were left without heating during the below-freezing winter because the central heating was temporarily disabled.

The smart buildings' system tried to respond to the attacks and rebooted the central control circuit. As there were numerous attacks and the system reacted to each of them, it eventually broke down and terminated the heating of the buildings.

Luckily, everything ended well, and the specialists were able to fix the system. But such an incident shows that intelligent buildings do have vulnerabilities that haven't yet been thoroughly explored.

When maintaining the BAS, building automation security isn't given the attention it deserves. Many building organizations and even owners of the buildings prefer not to invest in detecting vulnerabilities and strengthening the system. As a result, many BASes are running outdated software.

For example, if someone from your circle is using Windows 95, you will probably warn them about security concerns. But people rarely know that various automation systems may be running Windows 95.

The owners do acknowledge the fact that smart buildings are substantially profitable. For example, an intuitive lighting system applied in intelligent buildings can help companies save up to 90% of their current expenses. So why don't they put security measures in place to maintain such beneficial systems?

How Can Owners Of Intelligent Buildings Eliminate Cyber-Attacks?

As long as a building contractor has remote access to the BAS, cybercriminals will try to attack it, unless you ensure enhanced security. Find out more details about the remote access available and determine whether it's protected by a password or multi-factor authentication.

When someone tries to access the BAS with the wrong password, the whole system should be locked. It is important to set alarms that go off when a password attempt fails.

You should also consider hiding the login to your building automation system behind a VPN. Such measures will help you to avoid data leaks and protect the whole intelligent building unit from cyber-attack. 
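The checks described above (an alarm on every failed password, a lockout, and logins allowed only through the VPN) can be run over a BAS login log as follows. This is an added example, not code from any BAS product: the log format, the sample lines, the VPN range `10.8.0.0/24`, the per-account lockout and the three-failure threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format and sample lines (not taken from a real BAS).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
SAMPLE_LOG = [
    "2024-01-10T08:00:01Z login user=contractor1 src=10.8.0.5 result=OK",
    "2024-01-10T08:02:10Z login user=admin src=203.0.113.7 result=FAIL",
    "2024-01-10T08:02:12Z login user=admin src=203.0.113.7 result=FAIL",
    "2024-01-10T08:02:15Z login user=admin src=203.0.113.7 result=FAIL",
    "2024-01-10T08:05:00Z login user=contractor1 src=198.51.100.9 result=OK",
]


def review_logins(lines, vpn_cidr="10.8.0.0/24", max_failures=3):
    """Return (alerts, locked_users) for a list of BAS login log lines."""
    vpn_net = ipaddress.ip_network(vpn_cidr)
    failures = defaultdict(int)   # consecutive failed attempts per account
    alerts, locked = [], set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:
            src = None
        if src is None:
            # Never silently drop a line the monitor cannot understand.
            alerts.append(("unparsed", line, ""))
            continue
        user = m["user"]
        if src not in vpn_net:
            # The login page should only be reachable through the VPN.
            alerts.append(("outside_vpn", user, str(src)))
        if m["result"] == "OK":
            if user not in locked:
                failures[user] = 0
            continue
        failures[user] += 1
        alerts.append(("failed_login", user, str(src)))   # alarm on every failure
        if failures[user] >= max_failures and user not in locked:
            locked.add(user)
            alerts.append(("locked", user, str(src)))
    return alerts, locked


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG)[0]:
        print(alert)
```

The last sample line is a successful login from outside the VPN range; it still raises an alert, because a correct password used from an unexpected network is as relevant to the operator as a wrong one.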

Every vulnerability known today was once the result of an unexpected incident. That's why it's almost impossible to create and maintain a system that would work flawlessly. But a good vulnerability-disclosure policy is what the BAS needs today. The policy would help the owners of intelligent buildings to find out about security risks and act instantly to fix them.

Although the development of the newest technologies and innovations is only gaining momentum, people focus on innovation itself, not on security. But it should be the other way around. What's the point of developing a technology that can't help us?

The final point is that we all should put security first. By considering the security risks that intelligent buildings are facing now, we can reduce their number in the future.