The challenge of securing smart buildings from cyber attack [Q&A]
As more and more devices get added to the Internet of Things, the risks they present get larger. A recent report from the BBC has highlighted the fact that buildings and their systems for heating, lighting and even security may be at risk.
We spoke to Péter Gyöngyösi, product manager of Blindspotter at contextual intelligence specialist Balabit, to find out more about the risks smart buildings present and how landlords and tenants can guard against them.
BN: How big a problem is security for smart buildings and is it going to get worse?
PG: I believe it is indeed a big problem. Smart buildings are becoming more common because they can lead to savings in energy and improvements to a company's bottom line by using resources more effectively. They can also improve our lives simply through things like allowing us to catch the elevator faster.
Because of this it's already a huge issue and it will get worse. There's still an old-school notion among the people who make these systems that they're going to be air-gapped and will operate independently from the internet or the company’s IT infrastructure. But this is no longer the case; people want these systems to be maintained regularly and remotely because they want cheaper and faster solutions.
Perception needs to change; vendors need to realize that these systems need protection. Highly publicized breaches, such as the Target breach, will help vendors realize that it’s a huge publicity problem if building systems are insecure.
BN: What are some of the basic steps that companies can take to protect their buildings?
PG: It depends if you're a building company or just a tenant. In either case the first step is to understand the kinds of smart technology you're using. What are the systems? What is used to gain access to those systems? And what can be done through those systems?
You might not even realize that you have a programmable thermostat in your offices for example because you don’t really use it. The first thing to do, therefore, is to create a catalog of the systems you have that may be considered smart.
If you're a tenant you need to find out from the landlord what kind of systems are in place. If someone is able to turn up your smart thermostat remotely, you may have to evacuate your building and it can have a big impact on your business continuity.
Having done an audit the next step is to disable or disconnect from the network things that you're not using. These are vulnerable because they're probably still running default passwords and not getting upgraded with the latest updates.
For systems that are in use they need to be kept up to date and have secure passwords. The higher concept here is that if these systems are smart they should be treated as a part of your IT infrastructure and protected from unauthorized access, whether internal, external or by third-party contractors.
BN: Can existing security technologies cope with this? Is it just a case of putting building systems behind a firewall and making sure they have antivirus protection?
PG: To some extent existing technologies can help. These systems are often using general purpose operating systems and hardware rather than being highly specialized technology that needs special tools to maintain it. They can often be accessed and configured via a web browser, for example.
In most cases a much narrower scope of activity is, and should be, performed on these devices so it’s important to log and analyze their activity to make sure they're being used correctly.
BN: Will a change in mindset be required from facilities managers and IT teams to keep things secure?
PG: Yes, the first change would be to acknowledge that there's a potential problem, and that it’s their problem. I believe traditionally IT managers considered these kinds of things like environmental factors, just as you would rarely consider the exact details of how power is supplied to your building, or just dismiss it as something the landlord takes care of.
It's important to acknowledge that this is a threat to your company and to have someone take responsibility for the security of building systems.
Image Credit: Peter Bernik / Shutterstock