Managing Cybersecurity Threats for Building Infrastructure in the IoT Age

Protecting Networks, Data, and Devices Shifts Responsibility from FM to IT
Published 11-15-2017

While the rapidly growing Internet of Things (IoT) offers tremendous business potential for all types of organizations, it also presents significant new security challenges and privacy concerns. As the number of connected devices grows into the billions, so does the number of risks and exposures through multiple entryways, including building automation systems (BAS). Many of these network-connected devices and applications lack basic security measures because they are rushed to market or deployed rapidly without standard protections. In addition to providing hackers with more opportunities to gain access to corporate networks, exposed IoT devices—some as innocuous as a light bulb—allow hackers to take control over millions of devices at a time and use them to launch large-scale distributed denial of service (DDoS) and other attacks on the internet. This means that, while facility management and operations teams may have the most to gain from IoT platforms and applications, deploying and securing them is now an IT issue.     

“The IoT ecosystem represents a major change for facility management and operations teams,” says David A. Marks CEO of TEECOM. “Building systems really shouldn’t be managed by facility managers anymore. They should be managed by IT professionals who have expertise in cybersecurity, so that there are established procedures for adding and securing devices on the network. In this environment, facility managers become users.”

Complicating the security problem further is the fact that the IoT market is growing so rapidly that there are no pre-established industry standards for device security and protocols, such as forcing all devices to have secure password protections in place before being activated or verified on a network.

As IoT solutions become the next hot marketing trend, manufacturers that traditionally worked in stand-alone environments—like lighting, HVAC control, and security—have been rapidly pivoting to make their solutions network-enabled, so they are easier to configure and deploy for IoT. But in the rush to market, system security has largely been an afterthought.

“For example, if a lighting control system uses a network to connect all the switches and sensors in a building, this makes it extremely easy for someone to walk into that facility, unscrew a faceplate, take out the switch, and plug in a mobile device to take control of the system throughout the floor or the building. If the lighting control system is connected to the corporate network for ease of administration, they could introduce malware or potentially shut down a company’s entire operations,” says Marks.

In one high-profile example, Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom in 2016 to hackers who likely accessed their network through an unsecured medical device and encrypted its entire contents, holding it hostage using a ransomware called Locky.

“There are a lot of disparate protocols out there, and the people installing these things don’t always understand the implications of having unsecured, unencrypted devices on their network,” says Brian Haines, vice president of marketing at FM:Systems®. “This means that everything, even very simple heat sensors and lighting controls, needs to be vetted and continuously monitored by IT. If companies aren’t thinking about this, somebody is going to find a way to exploit it.”

Establishing Real IoT Security

It’s important for organizations to use products with up-to-date cybersecurity and data protection protocols designed for the IoT age, because retrofitting existing security systems often comes with added exposures and pre-existing flaws already being exploited by hackers.

“Technology is always changing, and it would be naïve for anyone to expect a solution created today to be hack-proof, especially in relation to IoT, which has so many ways it can be attacked from the device to the network to the application,” says Aaron Allsbrook, CTO of the enterprise IoT software provider, ClearBlade®. “That said, it’s completely reasonable to expect makers of IoT solutions to implement best practices in authentication, encryption, and authority into today’s solutions, and create a clear model for how these systems get updated in the future.” 

This is even more critical now that many institutions are integrating their BAS with the rest of their IT systems, which offers not only more entry points for hackers, but access to more data once they are in. Where building management is still considered the domain of facilities experts rather than IT professionals, BAS can be the unlocked data security door. For example, a team of IBM cybersecurity experts demonstrated the security weakness in a group of 20 office buildings by “hacking” into the BAS system of one of them. The team was able to gain access to all 20 buildings—one of which stored a data center—through the one building with the weakness. Had they been real hackers intent on causing harm, they could have tampered with the HVAC system and increased the temperature in the data center enough to shut it down.

In this case, the IBM team found flaws in the firewall’s firmware—an embedded memory chip that allows hardware to be updated remotely. Firmware is found on all kinds of products that in previous iterations were simple mechanical devices: Smart light bulbs and thermostats, for example, have firmware chips embedded in them. That was the key that let them into the building’s BAS, and eventually into the system that controlled all 20 buildings.

Fundamental measures for protecting the IoT layer include using data encryption, authorization, and authentication protocols for all devices and applications connected to a network. Other measures include following tried-and-true cybersecurity best practices, such as establishing data baselines that help identify aberrations, instituting data collection and use governance, and creating loosely coupled systems to avoid widespread impact if any single device fails.

“There are a lot of ways organizations can improve their IoT network security. The best solution for each application will be determined by discussions between the integrator, the facility operators, and the IT department,” say Joe McMullen, marketing director at Schneider Electric.

Privacy vs. Reality

Another concern around the rapid growth of IoT is the loss of personal privacy. When LED lights, RFID badges, security cameras, mobile devices, worn and even skin-embedded microchips are capable of tracking individual movements and activities down to the heartbeat, how do we maintain a meaningful sense of privacy? Or is that even a reasonable expectation in the 21st century?

“A lot of people are understandably concerned about issues of personal privacy and whether their employers or others can see when they’re working or what they’re doing. The truth is that our customers are gathering data anonymously. They just want to see how well their spaces are being used. These days, you could just as easily be working at your desk as in the break room, lounge, or lobby,” says Haines.

While the mainstream media hypes dystopian concerns around tech company employees being voluntarily microchipped so they can unlock doors and computers with the wave of a hand, the truth is that in an increasingly networked world, being continuously tracked is the cost of connection and convenience. Most people will voluntarily transmit their precise location 24/7 to service providers via their mobile device, if it means they can receive valuable timely location-based information, like weather and traffic alerts, or easily navigate their way around an unknown city, campus, or building.

“Having clear policies in place regarding data collection, and communicating these policies clearly with facility occupants, can greatly reduce privacy concerns. I’ve also noticed that the younger generation—which hasn’t lived in a world without the internet—has a much different set of expectations around privacy than I do,” says Haines.

The Weakest Link

Regardless of how advanced an organization’s security protocols or policies are, the weakest link in any network is always people. Often avoidable mistakes or oversights—such as not setting up secure passwords, failing to update security patches as they are issued, or being duped into opening a malicious file—can result in major breaches.

“The extremely large hacks and privacy failures we’ve seen recently haven’t come from sophisticated hackers; they are happening because solution providers aren’t changing default passwords, or because systems were knowingly left vulnerable for many years,” says Allsbrook.

In the case of the office buildings, IBM partnered with the equipment vendors to address specific security lapses they uncovered, and with the BAS provider to fix configuration issues.

However, a new type of attack is bringing a rogue solution to the growing problem of IoT botnets: Forcing organizations to update and secure their systems by targeting and “bricking” unsecured IoT devices on the network.

Initially identified by the security firm, Radware, the “BrickerBot” malware scans for and connects to network-exposed devices using their default manufacturer usernames and passwords and then corrupts the device’s storage, scrambling their code and rendering them useless, ultimately requiring complete replacement or reinstallation of the infected hardware.

While cybersecurity professionals and organizations are releasing tools to help mitigate IoT exposures—such as Shodan, a search engine that reveals what ports are open on control systems around the world—it will ultimately take a focused, unified effort by hardware manufacturers to improve IoT security.

Recently, technology giant Cisco proposed a blockchain system for efficiently tracking and authenticating IoT devices. In an application released by the U.S. Patent and Trademark Office, the company outlined a blockchain platform that can identify different connected devices, monitor their activity, and evaluate how trustworthy a device is when it’s connected to a network. The proposed system will be able to automatically register and assess new devices as they are added, by comparing their performance to devices already on the blockchain.

“I think it’s unreasonable to expect anything to be completely hack-proof in today’s day and age. Organizations can do their best to prevent known weaknesses from being exploited, but there will always be new threats. The real question is, how quickly can you identify and mitigate them?” says McMullen.

By Johnathon Allen

Editor’s note: This is the second of a two-part series on the Internet of Things. The first report outlines the ways IoT is being deployed to create efficient spaces and facilities.