Hacking smart buildings

You’re settling into your cubicle with a hot cup of coffee when the haunting begins. The HVAC blows cold on your neck. That’s weird, you think. You take a sip of your coffee but choke when the moaning starts. The pipes never sound like that. The lights flicker, go out. A hush, then panic sets in across the office.

High-pitched shrieks send you and your colleagues running for the elevators. The doors open and close but the elevators go nowhere. You flee down the stairs. Pretty soon the neighborhood kids point at your glass and steel tower and talk in hushed whispers of the haunted high rise.

Premise for a bad, low-budget Hollywood flick? More like a plausible scenario without adequate security mitigation. A new report from researchers at Edith Cowan University in Australia offers concrete recommendations on how to secure smart buildings.

Buildings can be hacked, and many organizations are not thinking carefully about how to mitigate this risk. Worse, the convergence of cybersecurity and physical security when it comes to facilities management means there’s a lot of buck-passing going on. The new guidance document offers a step-by-step checklist to evaluate the security risk to your organization.

What are building automation and control systems (BACS)?

BACS, also known as intelligent building management systems (IBMS, not to be confused with the medical condition IBS), offer fine-grained control over heating and cooling, lighting, elevators, fire suppression systems, access control including security cameras, and so forth. So-called “smart” buildings offer greater energy efficiencies and automate a fair bit of human labor, making the financial calculus a no-brainer–at least, before we start numbering the security risks.

While there is a clear value proposition to turning your high rise into a giant IoT toaster, what is often less clear to management are the high costs of adequate security when failure modes involve more than burnt toast. Business critical functionality is on the line–not to mention reputation.

Regardless of security concerns, adoption of smart buildings is growing at 15 to 34 percent per year, according to the report, and the BACS industry will be worth around $104 billion by 2022. And guess what? Smart buildings are connected to the internet. You can find them on Shodan, because of course you can.

Smart buildings on Shodan

Employees, often lower-paid physical security staff, have to monitor smart building systems. That means Windows for desktops and a web application to access controls. That makes endpoint and web server security critical to securing a smart building.

“Modern-day buildings have had to accommodate the lowest common denominator, and the way to do that is with an HTTP interface,” Ed Farrell, a security researcher and consultant at Mercury ISS says. “That makes it accessible to everyone, including adversaries. That’s where I assess the industry heading towards. Whilst it’s easier to hack, I would also assess it’s easier to administer and oversee.”

A quick Shodan search for query terms like “deltaweb,” “niagara” and “port=47808” turns up all sorts of smart building controls with public web login pages. Some even have telnet enabled.

Optergy Enterprise

In 2012, security researchers Billy Rios and Terry McCorkle discovered critical flaws in Tridium’s Niagara AX Framework, used widely in building automation and control systems. The researchers used some fairly unsophisticated techniques to download user names and passwords. Tridium issued a patch.

Securing those web servers, and the desktops that connect to them, is clearly the job of a security engineer. But things get complicated, fast. Information and physical security now impact each other. Hacking information systems can help bad actors gain physical entry, and physical access can be used to break into critical information systems.

Who, exactly, is responsible for the combined information and physical security of a multi-tenanted high rise?

How do we defend “smart” buildings?

Forget about zero day exploits. Buck passing is the scourge of “smart” building security.

Information security, physical security, and facilities management are typically three distinct departments, none of which takes full ownership for the security of a modern building. Worse, in a multi-tenanted high-rise, a third-party integrator typically manages the building for the facility owner. Different tenants have different security requirements. A government department on ten floors of a skyscraper has very different security requirements than a temp office with a few rooms on one floor. If your enterprise has unique or elevated security requirements, be sure to include those in your lease negotiations.

The convergence of physical security and information security in a modern “smart” building requires greater collaboration between security engineers, the physical security team, and facilities management, plus a high-level manager where the buck stops, the report urges.

“Our lightbulb moment, a clear takeaway, of what needs to be done from an organizational perspective, is that someone needs to take responsibility for these systems, rather than just use them,” lead researcher Dave Brooks, associate professor in security science at Edith Cowan University, tells CSO. “The only way to achieve that is to form a cross-organizational working group with all the stakeholders involved.”

While the prospect of yet more meetings with middle managers may not sound exciting, the enormous complexity of securing a modern high-rise makes a working group the best solution to the problem.

“I’ve noticed that with security stuffups is that there is no one who takes responsibility,” Farrell tells CSO. “There’s the head-in-the-sand mentality that you see a lot of, ‘if we don’t know there’s a problem, there’s not a problem.'”

“A pure security engineer is not going to solve the problem,” he adds. “Cyber is the intersection between the digital, physical, and social worlds. Building automation and control systems are often an overlooked piece of that.”

The new guidance document is intended to help management identify and rate the risk to an organization and take concrete steps to mitigate that risk.

A security checklist for smart buildings

The astounding complexity of a modern smart building requires a managerial solution, not a technical solution, to wrangle the intertwined convergence of information and physical security. The guidance document, Brooks says, “is a governance tool people can use to start asking questions across a whole organization.”

“Guidance documents are designed for people to ask those questions,” Brooks says. “I don’t reckon there’s a single person who can answer all those questions without speaking to other departments.”

That’s a feature, not a bug. Getting previously siloed departments working together is critical to managing smart building security.

The guidance document helps enterprises identify their threat model. The security measures appropriate for a facility where human lives are on the line are far higher than a lower level with no measurable operational impact.

Once an enterprise has identified the correct threat model for their organization, the checklist focuses heavily on identifying whether proper processes and procedures are in place to mitigate risk. Security, goes the adage, is a process, not a product, and the checklist here focus on human organization, not computer code.

As for the haunted high rise? Farrell is skeptical. “What damage could you do? You’d probably find it would be reputational damage more than anything else,” he says. “We don’t want to overstate the risks, even though they are there. There will always be an asymmetry on the attack side of the house.”