IoT security breaches seem to affect businesses regularly with the proliferation of hackers stealing data. According to a report from the Ponemon Institute, a data privacy and security research organization, 94% of responding risk management professionals believe that an IoT security incident in their organization could be catastrophic.
For FMs, it might be easy to disregard this information because these attacks are more commonly associated with financial security breaches. However, as building systems become more interconnected, the chances that any given IoT security attack might affect building systems increases.
The number of IoT devices used by organizations is expected to double in two years, according to the Ponemon Institute, and the subsequent security shortfall can compromise all IoT devices in a facility.
“It can be unclear who is responsible for security decisions in a world in which one company may design a device, another supplies component software, another operates the network in which the device is embedded and another deploys the device,” notes the Department of Homeland Security (DHS). Additionally, DHS cites a lack of comprehensive standards for security and little incentive for developers to adequately secure products.
Without the proper security measures in place, hackers can probe into organizations’ networks, and whole IoT suites can be at risk – either by design or by accident. Coupled with the rise of hacktivism opening up buildings to possible system failures, facilities are at risk of greater damage or disruption. Are your IoT devices secure enough?
Exposure to a Breach
The pessimism exhibited in the Ponemon Institute’s survey is not simply paranoia about breaches that might ultimately never come. The fact of the matter is that a considerable number of organizations using IoT devices for the day-to-day operations of their facilities are already open to a cyber-attack.
According to strategy consulting firm Altman Vilandrie & Company, 48% of firms surveyed have experienced an IoT security breach at least once. The consequences of these security failures can be critical. For smaller companies, these breaches can cost over 13% of the total revenue; in larger companies, losses can reach tens of millions of dollars.
However, these security breaches are avoidable. Companies that hadn’t suffered an IoT security failure have invested 65% more on IoT security than firms that have been breached.
Among building systems most vulnerable to an IoT security breach, HVAC systems seem to be the most likely target at this point due to the sheer volume of devices. The consequences of a disruption to IoT devices that control heating and cooling in a building can be dire if they are unable to work properly or provide the right information to control systems.
“For example, if building HVAC sensors gave incorrect info, it could lead to significant overpressure, underpressure or water condensation due to wrong temperatures or insufficient airflow – all of which are known to lead to mold and structural damage problems,” says Jarno Niemela, Lead Researcher at F-Secure Labs, a cybersecurity and privacy company.
Deral Heiland, Research Lead at cybersecurity software company Rapid7, also points to HVAC systems as a main area to target along with lighting because they most commonly utilize IoT devices. He adds, “Moving forward, I could also see elevator services, security alarms and access control to potentially be affected.”
With security systems potentially susceptible to data theft, securing your facility becomes more of a two-front battle that requires safeguarding the equipment that ultimately safeguards your building.
Beyond simply stealing data or overriding specific functions in a facility, hacking into IoT devices can have serious, unintended consequences.
“Think hospital beds, industrial equipment or supply chain companies. Turning these things on at unexpected times might hurt or kill someone,” says Tom Van de Wiele, Principal Security Consultant of Cyber Security Services at F-Secure. “Criminals and hackers are in most of the cases not interested in these scenarios, but they might occur in the future by accident or by proxy.”
The Technological Gap
One of the main reasons FMs and IT staff face these scenarios is because of the rate at which IoT devices have taken over the industry. While the technology to simplify and automate building functions has progressed incredibly quickly, security has been neglected. In the words of the Department of Homeland Security, “IoT security has not kept up with the rapid pace of innovation and deployment, creating substantial safety and economic risks.”
Because IoT’s development far outpaces the security of these devices, they can become highly vulnerable. Too often IoT is treated differently than any other computer-based system, leading to the neglect of security in the development of these devices, says Niemela.
“The IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of-service attacks and potential disruptions to critical infrastructure,” DHS explains.
Unfortunately, these problems are only exacerbated by the lack of accountability for manufacturers when it comes to securing their products. Some fail to take even the most basic security actions. DHS cites a lack of incentives for developers to take greater security measures because “they do not necessarily bear the costs of failing to do so,” as well as “uneven awareness of how to evaluate the security features of competing options.”
Identifying Your Vulnerabilities
Because IoT devices can be breached so easily, you need to work closely with IT staff to reduce that risk in any way you can. Handling them appropriately is a good start. Niemela explains, “IoT devices are not usually recognized to be computers, and they are likely to be operated completely in manufacturer default settings and are thus vulnerable.”
Some breaches that are easily avoidable afflict facilities based on neglect of simple good tech behavior. Although not enough on its own, making sure you change your devices’ passwords, for example, will make it that much harder for hackers to compromise your devices.
“Insecure and dangerous default settings, mixing of network contexts, lack of access control, lack of oversight and threat modeling are possible outcomes of a successful IoT-based compromise. Most companies are still in the awe phase of having the functionality around and enjoying its benefits,” says Van de Wiele.
However, he stresses how the early stages of this technology make predicting the ways that you might be affected difficult. “The real effects of this correlated data and its abuse and misuse are yet unknown as this is all new to society as we know it, but there are trends that look like the identity theft model where we will have abuses in the beginning but not widespread,” Van de Wiele explains. “Let us hope it will remain with those while we try to fix the problem bottom-up (secure defaults and asking questions as consumers) as well as top-down (regulation).”
Truly finding and solving vulnerabilities requires open communication with IT staff. Not properly considering IoT in the same sense you would other network-based devices leads to problems that can be easily avoided, and underestimating the avenues where a breach might occur cannot be allowed to happen with IoT technology.
“Often, when it comes to security, the biggest misconception is that IoT only includes the embedded technology,” says Heiland. “In fact, IoT technology also includes Cloud API and web services, mobile or human interface devices, and various network and Radio Frequency (RF) communication paths. So a holistic approach must be used when testing and securing IoT.”
Ultimately, a detailed knowledge of what devices are on the network in your facility will help you enact a better cybersecurity plan. Susceptibility often depends on what kinds of devices are used, how they are implemented, and how they interact with other devices and IT.
“Not knowing they are exposed in the first place is usually the number one threat, as one cannot attempt to secure a device if you do not know it is there. Internal networks can be breached if IoT devices are installed or mis-installed on networks that allow jumping from one network to another,” Van de Wiele explains. “Employees might bring a device to work and enroll it in the company WiFi and that is when things get dangerous.”
A Plan of Action
Exposing your vulnerabilities via penetration tests can help you respond to your specific cybersecurity needs. In addition, you can take some measures on your own with IT staff that can improve your resistance to attack.
To ward off the threat of IoT security breaches, a major step would be to isolate your IoT technology into separate networks. “If they are properly isolated and maintained, they are safe. If they are just connected to company LAN and left with default passwords, they are very likely to be used as an attack vector,” says Niemela.
Although the interoperability IoT provides can be useful for facility management, it opens up opportunities for security breaches if IoT is not isolated. Because devices are only becoming more interconnected with one another and other communications systems, proper isolation can prevent security breaches from becoming too widespread.
“IoT technology not properly isolated could be impacted by attacks leveraging default passwords. This includes default passwords on the hardware and often WiFi access passwords also,” says Heiland. “It is also common to find these services using RF such as Zigbee, ZWave or some other form of proprietary RF communication. Often, these are not properly encrypted or utilize a weak encryption, making them vulnerable to replay attacks.”
Discuss with your IT staff what you would need to do to implement a proper segmented VLAN network to protect your devices. Van de Wiele notes, “Regardless of the kind of device, segregating and separating based on function is a good IT practice but also a good security practice. As long as IoT networks are kept separated from other networks, the impact is usually reduced.”
Another action that can improve your IoT security readiness is to get into the habit of diligent documentation and oversight of your facility’s IoT portfolio.
“Document your networks and what is on them. Make a security policy for the general types of devices you have around and lay down the foundations for the actual procedures on how to install, integrate, interact with and decommission these devices and the data they carry,” Van de Wiele explains. “Understand the inherent flaws of cheaper or insecure devices and assume they are vulnerable, consolidate them and come up with mitigation paths that will allow the functionality while lowering the risk for the overall organization so the advantages outweigh the disadvantages.”
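As an added illustration of the isolation and documentation advice above (this is example code, not from the article or any of the quoted companies), the following Python audit checks a constructed device inventory against the policies discussed: IoT devices belong on an isolated VLAN rather than the corporate LAN, default credentials must be changed, each device needs a documented owner and a recorded vendor update commitment, and anything seen on the wire but missing from the inventory is flagged. The VLAN ranges, field names and sample hosts are all assumptions.

```python
import ipaddress

# Constructed sample data (not from the article). INVENTORY is what the
# facility has documented; OBSERVED is what a DHCP lease export or a
# network scan actually shows on the wire.
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed isolated IoT segment
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")    # assumed corporate LAN

INVENTORY = [
    {"name": "hvac-ctrl-01", "ip": "10.20.0.11", "default_creds": False,
     "owner": "Facilities", "updates_until": "2027-06"},
    {"name": "lobby-cam-03", "ip": "10.0.4.54", "default_creds": True,
     "owner": "", "updates_until": ""},
    {"name": "light-gw-02", "ip": "10.20.0.40", "default_creds": False,
     "owner": "Facilities", "updates_until": ""},
]
OBSERVED = ["10.20.0.11", "10.0.4.54", "10.20.0.40", "10.20.0.77"]


def audit_device(dev):
    """Return policy findings for one documented device (empty list = clean)."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    if ip in CORP_LAN:
        findings.append("sits on corporate LAN instead of isolated IoT VLAN")
    elif ip not in IOT_VLAN:
        findings.append("sits on an undocumented network segment")
    if dev["default_creds"]:
        findings.append("still running manufacturer default credentials")
    if not dev["owner"]:
        findings.append("no documented owner for install/decommission")
    if not dev["updates_until"]:
        findings.append("no recorded vendor security-update commitment")
    return findings


def audit_inventory(inventory, observed):
    """Audit every documented device and flag hosts seen on the network that
    nobody documented (e.g. a device an employee enrolled on the WiFi)."""
    report = {d["name"]: audit_device(d) for d in inventory}
    known = {d["ip"] for d in inventory}
    report["undocumented"] = sorted(ip for ip in observed if ip not in known)
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, OBSERVED).items():
        print(name, findings)
```

In practice the inventory would be loaded from the facility's documentation and the observed list from switch, DHCP or wireless-controller exports, with the audit run on a schedule so new or moved devices surface quickly.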
Implementing IoT devices in your buildings requires adherence to the best tech practices, strong oversight and the ability to adapt to new security methods and updates that will no doubt appear in the coming months and years. IoT security failures can severely impact the bottom line for organizations, but better awareness of your IoT setup can protect you in the future.
Justin Feit is Assistant Editor of BUILDINGS.
Finding Secure IoT Devices
When looking to outfit your facility with IoT devices, it can be difficult to tell whether they are truly secure. Unfortunately, many manufacturers fail to provide products that incorporate the most basic security measures. The Department of Homeland Security places blame on a “lack of comprehensive, widely adopted international norms and standards for IoT security.”
With the already large gap between the development of IoT technology and security, not having secure IoT products should be a major concern. And if the industry is pushed toward greater security in its devices, it means ultimately little without the provider’s continued support of its security for a long duration.
“Without regulation, there is very little that can be promised, upheld or committed to vs. what is on the colorful box. Even if regulation came, the lifetime of the company you are buying from and what services and APIs they interact with is still a guessing game,” says Tom Van de Wiele, Principal Security Consultant of Cyber Security Services at F-Secure, a cybersecurity and privacy company. “It doesn’t matter if the device you bought has secure defaults if the company hosting its online services gets acquired by a less than interested company that shuts down the service.”
While an IoT product might boast security credentials, that might not mean much. At the surface level, there is little to distinguish an IoT device that is built with security in mind and one that could easily be breached.
“Unfortunately, there are no real obvious signs currently available to consumers for most IoT products,” says Deral Heiland, Research Lead at Rapid7, a cybersecurity software company. “What we need to see moving forward to resolve these issues are manufacturers of consumer products validating that they have had independent security testing done on their products. Also, labeling their products indicating that they will provide regular security updates, and for how long they plan to support their products.”
Ultimately, finding the right IoT devices takes research. Speak with IT staff and other professionals that can address the technical aspects of cybersecurity.
“As consumers, we usually get what we deserve by not asking questions that matter,” says Van de Wiele. “The industry will not figure it out due to a lack of regulation and standards, which is why as consumers, we should be better at asking the hard questions and not take ‘it’s secure’ for an answer without some proof that can be scrutinized. The last thing we want is ‘hacker proof,’ ‘military grade encryption’ and other ambiguous labels that mislead the consumer with empty promises.”