Conciliate cybersecurity and smart buildings : is it possible ?

Given the immense amount of data that a connected building produces between data from BMS, alarms, IoT sensors, and other controllers... Many challenges arise when it comes to cyber security in buildings.

You often hear about the importance of openness and interoperability in getting systems to communicate with each other, but every opening can be an additional breach through which cybercriminals can infiltrate. The good news is that in addition to the benefits of smart buildings, whether it's improving the quality of life for occupants or optimising costs for facility or property managers, smart buildings have the capabilities today to deal with these emerging threats.

Let's meet Gaspard, our technical lead developer, who will tell us about the risks of cyber threats in buildings and the methods to protect against them.

Why are buildings getting cyber-attacked ?

No sector is really safe from a cyber attack.

While this may seem "obvious" for the financial, banking or health sectors, it is no less true for the building sector.

Today, the biggest threat in the building sector is the existing automation systems that are not updated because they are by default vulnerable to cyber attacks. To give you an example, it is now 2021 and it is still possible to find obsolete systems running on Windows XP in buildings.

Moreover, in 2019, the cybersecurity company Kaspersky conducted a study of more than 40,000 connected buildings. The findings were stark: almost 40% of the computers used to control smart building automation systems were reportedly targeted by cyber attacks. This shows that buildings are increasingly becoming a prime target for cybercriminals.

‍

What types of attacks can building managers face?

The building presents several entry points for hackers. For example, these cyber attacks can occur from inside the building by inserting a simple USB stick into a machine or via a contamination contracted on the web.

Buildings are most often confronted with the following cyber threats:

• Ransomware, malicious software that holds personal data hostage and blocks network access
• Phishing, which consists of sending an email that appears to come from a trusted source to entice users to hand over their sensitive data.
• Spying software, used to steal access codes to buildings and take control of them.

But the list is not exhaustive! There are more complex attacks:

• the keylogger, the purpose of which is to electronically record the information when the facility manager types in his password on his computer
• Bounce attacks, where the malicious user will use the infected device to conduct illegal activities. Namely, this is the responsibility of the person owning the machine.

How to prevent cyber threats ?

While there is good protection by design for the systems, unfortunately some manufacturers often end up skipping security in order to have the smallest and cheapest component possible. In addition, not all technicians installing PLCs are aware of IT security and do not follow good network practices.

There is no such thing as zero risk. However, there are some good practices to adopt to make your buildings as safe as possible:

1. Ensure that access to your machines from the outside is limited. Consider putting yourself on a dedicated private network, inaccessible from the outside, and applying a governance strategy to limit access to sensitive data.
2. Check that default passwords have been changed on the various machines deployed within your building.
3. Ensure that you identify and assess cyber risks by identifying every critical system and every 'mouse hole' through which hackers could infiltrate.
4. Remember to keep systems up to date regularly.
5. Make sure that systems are not accessible by anyone: limit wifi access, limit physical access to network ports and don't leave a critical system on an easily disconnected socket.
6. And above all, surround yourself with trusted partners! Choose a solution that reinforces the security of your IS in your buildings and that operates on a network that is secure from A to Z. If it is regularly updated and favours private and encrypted communication, it is even better.

If you want to learn more about the different attacks, I recommend MITRE ATT&CK! It is an excellent tool to understand how hackers proceed to infiltrate the computer system of your buildings

Sensinov proposes you to apply your own strategy on your buildings. Our solutions meet the challenges of openness, interoperability and are 100% in line with the new standards (R2S label, BACS decree, tertiary decree). BOS Sensinov supports building professionals in their daily work on several subjects, particularly in the areas of Hypervision and building supervision, equipment control and energy consumption optimisation