Smart building systems cover a wide spectrum of technologies from door controllers and surveillance cameras to HVAC and building management systems (BMS). However, there are a number of cybersecurity pitfalls that apply to any smart building tech that you should note and work to eliminate. Let’s look at five common pitfalls and how to protect your smart building investments from cyber risk.
1. Unpatched Systems
Smart building systems and OT have long been neglected compared to IT systems regarding routine software maintenance and security patching. Today’s smart building technology vendors have made significant improvements regarding releasing bug and security patches—and providing methods to apply updates/patches to systems efficiently. However, building operators still tend to neglect smart building technology patches, using the “if it ain’t broke, don’t fix it” mentality.
Unfortunately, bad actors are well aware of this problem and are keying in on exploiting smart building software vulnerabilities as one of the easier ways to gain access to sensitive data by first taking control of one or more smart building systems, then using that as a launching point to move laterally within the building network to infiltrate other systems and devices that are more lucrative targets. Keeping up with smart building security patching is a must-have and requires administrators to be diligent in terms of patch management schedules, testing, patch application, and post-patch validation.
2. Lack of Network Device Isolation/Segmentation
Even with vigilant patching, smart building and IoT technologies remain vulnerable to zero-day exploits. These are vulnerabilities that bad actors have identified but are not yet publicly identified so that a patch can be released by the vendor to mitigate the threat. The problem here is that once a device is compromised, traditional networks commonly allow cyber attackers and malware automation processes to scan a large portion of the remaining network to find additional connected devices from which to infiltrate. This is due in large part to the archaic use of Layer 2 VLANs on the smart building wired and wireless LAN.
There are a few ways to mitigate this problem. First is the use of specialized software that enables micro-segmentation so that smart building devices, IoT, and any other network-connected device become isolated and are only permitted to communicate with a small number of external systems. However, it must be noted that traditional micro-segmentation security solutions are extremely complex to implement and maintain as they require numerous security policies to be implemented. This makes security maintenance a challenge for almost any IT/OT security team.
A more modern approach is to eliminate layer 2 VLANs on the network and instead opt for a network infrastructure that operates completely at layer 3. This isolates every device from all others, forcing communication through an advanced firewall system that offers centralized and dynamic policy control. This type of network architecture protects against malware proliferation while significantly streamlining implementation and management oversight.
3. Weak Authentication
Smart building systems tend to be implemented with weak authentication measures that are individually managed. It’s common for building administrators to share local admin/root accounts and neglect password refresh policies.
Most enterprise-grade smart building systems allow for the integration of modern and robust authentication technologies such as Multi-Factor Authentication (MFA), Federated Identity Management (FIM), Role-based Access Control (RBAC), and Single Sign-On (SSO). These systems create a secure authentication foundation while delivering ease of access to end users.
4. No End-to-End Encryption
Smart building systems collect a range of company and tenant data that must be protected. In many cases, data is collected and transported across the building LAN to be stored either on-site or in a public/private cloud data center. This data, either at rest on a storage server or in motion on the network and/or WAN/internet, can be intercepted or inadvertently sent to the wrong location.
End-to-end data encryption (often called E2EE) protects data from being lost or stolen by only allowing parties with the decryption key to view, manipulate, or interact with sensitive data. This protects against interception, tampering, or unauthorized access.
5. Poor Threat Incident Response Procedures
Even with the most sophisticated security architectures and tools at your disposal, no security posture is impervious to threats. That’s why it’s so important to create and train on threat incident response procedures that:
- Identify parties and tools that can be used to mitigate threats
- Triage incident notifications and communications to the appropriate parties
- Contain step-by-step recovery procedures for mission-critical systems/applications
- Properly document incidents with lessons learned and further preventative measures with which to implement
A Holistic Approach to Cyber Security Threats
While this is a list of five common smart building cyber security threat pitfalls and how to avoid them, note that this is by no means a comprehensive list. The key to protecting smart building systems, data, and occupants from cyber threats is to take a holistic approach that includes a combination of technologies, training, and continuous improvement to be successful.