What are some of the most critical security threats to smart buildings today?
Smart buildings are being implemented without necessarily designing security into these systems from the beginning. Because of this, we risk creating smart buildings that have inherent weaknesses that attackers can exploit. We’ve seen this happen in many other environments; unless security considerations are implemented as part of the design, we will be forever trying to bolt on extra security and playing catch up with attackers.
This model of providing security has proved to be expensive and inefficient. We are now at a point where we can apply our experience of securing other systems to ensure that smart building systems are well designed and resilient to attack.
The provision of services to buildings such as power, water, electricity and internal facilities such as heating, air conditioning, lighting, lifts and door locks may all rely on small embedded computers. As these computers become networked to create a smart building, we are creating new risks. Without considering the security needs of these devices and the networks that connect them, we’re creating the environment where attackers may maliciously activate motors, pumps, valves, open or close locks, control heating settings etc.
For example, permanent damage can be caused to information systems if the air conditioning in a data centre is disabled. Water dripping from an overflowing cistern that is constantly being replenished, even though it is full due to a faulty sensor or actuator, can wreck electronic equipment. Additionally, an office without water and functional washrooms is one where the workforce cannot operate without breaks.
We’ve recently seen attackers launch denial of service attacks against financial services organisations in an apparent attempt to occupy and distract security teams while more sophisticated attacks to compromise systems are undertaken. We can envisage the scenario where poorly protected environmental control systems that have not been subject to any security oversight are compromised by an attacker who switches the air conditioning to full heat and waits for the security operations team to take a break to cool down before launching an attack on sensitive systems.