With the Internet of Things, smart buildings pose big risk
As buildings get more automated, they raise new security risks
Computerworld - In an Internet of Things world, smart buildings with Web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.
The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of Web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid.
The threat that such systems pose is twofold, analysts said. Many of the Web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and create safety risks.
Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.
The massive data theft at Target, for instance, started with someone finding a way into the company's network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In Target's case, the breach appears to have happened because the company did not properly segment its data network.
Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the Institution of Engineering and Technology, a U.K.-based professional organization promoting science and engineering.
"It creates some interesting challenges for enterprise IT," Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control."
As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on.
In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have Web connectivity linking them with an external third party for maintenance and support purposes. "You quickly get into a situation where a network that was just inside the building goes to locations outside the building," Boyes said.
It's not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might stick smart sensors on all the elevators in a building to spot a failure before it happens. Or a building manager might have technology in place to monitor and conserve water use in a facility.
Many of these technologies will have a connection out of the building and over an IP network to a third-party supplier or service provider, Boyes said. Often the data from these systems is captured not only for real-time decision support but also for longer-term analysis.
Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC.
Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks.