In an Internet of Things world, smart buildings with Web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.
The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of Web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid.
The threat that such systems pose is twofold, analysts said. Many of the Web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and create safety risks.
Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.
The massive data theft at Target, for instance, started with someone finding a way into the company's network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In Target's case, the breach appears to have happened because the company did not properly segment its data network.
Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the Institution of Engineering and Technology, a U.K.-based professional organization promoting science and engineering.
"It creates some interesting challenges for enterprise IT," Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control."
As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on.
In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have Web connectivity linking them with an external third party for maintenance and support purposes. "You quickly get into a situation where a network that was just inside the building goes to locations outside the building," Boyes said.
It's not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might stick smart sensors on all the elevators in a building to spot a failure before it happens. Or a building manager might have technology in place to monitor and conserve water use in a facility.
Many of these technologies will have a connection out of the building and over an IP network to a third-party supplier or service provider, Boyes said. Often the data from these systems is captured not only for real-time decision support but also for longer-term analysis.
Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC.
Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks.