How Do We Defend Smart Buildings from Hackers?

29 May 2019 devTalks

Smart Buildings offer administrators real control over complex systems – smart meters, heating, ventilation, air control, and even vending machines. This body of functions, mostly connected to the internet, has become an attractive target for cyber attacks.

In 2013, a building belonging to Google that was accessible and vulnerable from the Internet was targeted, letting the attackers retrieve extremely detailed diagrams of the building along with access to multiple systems. The Miami TGK prison system also suffered an incident that led to the system opening the cells doors of prisoners. BACNet devices have already been infected by botnet malwares and used to conduct distributed attacks.

When we talk about Smart Buildings, we talk about an interconnected set of sensors, actuators, controllers, devices and computers orchestrated together to provide and control the main functionalities of modern buildings. Smart Buildings control subsystems such as heating, ventilation, air control (HVAC), water heating, lighting, shading, but also security-critical tasks such as CCTV, fire and intrusion alarms, and building physical access control.

In order to offer all these functionalities mentioned above, Smart Buildings increasingly use standardized and open technologies, often communicating through wired or wireless networks using several protocols. Some of these protocols are shared with other IT technologies and CPS, but others are specific of SB such as BACNet and KNX. Common wireless protocols used in SB include ZigBee, EnOcean, and Z-Wave among others. In addition, a large number of Smart Buildings are directly connected and accessible through the Internet to provide integrators and users remote maintenance and control capabilities.

Therefore, many Smart Buildings are directly facing the Internet which exposes these systems to remote attacks. Different elements can be Internet-facing, including the centralized supervision server, the Smart Building controllers, human-Smart Building interfaces, individual sensors or actuators, and other elements. One of the main reasons is to allow remote maintenance and troubleshooting, which allows to save time and money by doing operations over the Internet instead of sending an engineer on site. Because Smart Buildings’ devices and software often lack basic security mechanisms, it could make them prime targets for attacks and exposes Smart Buildings to a wide range of remote attacks of different intensities and effects. For example, more pessimistic researchers even foresee the uprising of Smart Buildings infected with malware.

In developing our Smart Building solution, within the project “MEC-IOT – Developing an intelligent platform dedicated to building efficiency management”, we used the “security by design” model as a core architecture pattern. This approach to software and hardware development seeks to make systems as free of vulnerabilities and impervious to attack as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices. As we pointed out earlier, security by design is rapidly becoming crucial in the developing Internet of Things (IoT) environment, in which almost any conceivable device, object or entity can be given a unique identifier (UID) and networked to make them addressable over the Internet. One of the major challenges of IoT security is the fact that security has not traditionally been considered in product design for networking appliances and objects that have not traditionally been networked.

The project “MEC-IOT – Developing an intelligent platform dedicated to building efficiency management” is developed by the company BringoVision.
This project is co-financed through the European Regional Development Fund – Priority Axis 2 – “Information and communication technology for a more competitive digital economy” by the Operational Programme “Innovations and Competitiveness” 2014-2020.

The contents of this material do not necessarily represent the official position of the European Union or of the Romanian Government.