Cyber criminals are eyeing smart buildings

July 16th, 2019, Published in Articles: PositionIT

The risk of a security incident taking place in an intelligent building is linked to the motivations of cybercriminals, who mainly seek to achieve economic gain through their actions, as well as to impact and spread fear.

Carey van Vlaanderen

Smart buildings use building automation systems (BAS) to control a wide range of variables within their environments with the aim of providing more comfort and contributing to the health and productivity of the people inside them. This expansion of smart buildings is largely due to the fact we live in a world increasingly permeated by technology, in which process automation and the search for energy efficiency contribute not only to sustainability, but also to cost reduction. Two years ago a smart building in Las Vegas decided to install a sophisticated automation system to control the use of the air conditioning, so it is turned on only when there are people present. The reduction in energy consumption led to a saving of $2-million during the first year after the system was installed.

With the arrival of the Internet of Things (IoT), smart buildings have redefined themselves. With the information they obtain from smart sensors, the equipment is used to analyse, predict, diagnose and maintain the various environments within them, as well as to automate processes and monitor numerous operational variables in real time, including ambient temperature, lighting, security cameras, elevators, parking and water management.

It is likely, however, that at some point the entire smart network is connected to a single database, and that is where the risk lies, particularly when we consider that many IoT devices are manufactured by different suppliers, who may not have paid due attention to security during their design and manufacturing processes.

There are already tools such as Shodan that allow anybody to discover vulnerable and/or unsecured IoT devices connected publicly to the internet. If you run a search using the tool, you can find thousands of building automation systems in its lists, complete with information that could be used by an attacker to compromise a device. In February 2019, around 35 000 building automation systems worldwide appeared in Shodan within public reach via the internet.

This means that someone could take control of a building automation system after finding it through a search, which can also reveal IP addresses, which in turn can help them gain access to the device’s interface. They’ll need to enter a username and password, but if it is a default password or if it can be cracked easily, the attacker will gain access to the system monitoring panel and all its information. Besides remote takeover of the building’s systems it could also lead to physical breaches, or the demand for ransom to restore the system to its owners. This is called a siegeware attack.

There are a number of security considerations and requirements to keep in mind. First, review the devices’ security specifications and apply a security-by-design approach. Next, set a suitable budget for security, and choose partners that have knowledge of security issues. Install software for managing vulnerabilities, and ensure cooperation between the different areas and/or departments. On the operational side, update the devices regularly, implement a replacement plan for when devices’ support life cycles end, exercise precaution and monitor connected devices.
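As an added illustration of the operational checks above (not part of the original article), the following Python script triages a building automation inventory: it flags the siegeware precondition the article describes (a management panel reachable from the internet that still accepts default credentials) as critical, and also reports devices past vendor support or missing firmware updates. The inventory fields, device names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BasDevice:
    """One entry in a building automation inventory (fields are assumptions)."""
    name: str
    vendor: str
    internet_exposed: bool      # management interface reachable from the public internet
    default_credentials: bool   # vendor default username/password never changed
    support_ends: date          # vendor end-of-support date
    firmware_current: bool      # latest vendor firmware applied


def review_device(dev, today):
    """Return (priority, findings) for one device.

    'critical' is the remote-takeover scenario from the article: the panel is
    exposed to the internet AND still protected only by default credentials.
    """
    findings = []
    if dev.internet_exposed:
        findings.append("management interface exposed to the internet; place behind VPN/firewall")
    if dev.default_credentials:
        findings.append("default credentials in use; set unique, strong credentials")
    if dev.support_ends < today:
        findings.append("vendor support ended %s; schedule replacement" % dev.support_ends)
    if not dev.firmware_current:
        findings.append("firmware out of date; apply vendor update")

    if dev.internet_exposed and dev.default_credentials:
        priority = "critical"
    elif dev.internet_exposed or dev.default_credentials or dev.support_ends < today:
        priority = "high"
    elif findings:
        priority = "medium"
    else:
        priority = "ok"
    return priority, findings


def review_inventory(devices, today):
    """Order the inventory so the most exposed devices are handled first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    results = [(d.name,) + review_device(d, today) for d in devices]
    return sorted(results, key=lambda r: (rank[r[1]], r[0]))


# Constructed sample inventory and review date (not real devices).
REVIEW_DATE = date(2019, 7, 16)
SAMPLE_INVENTORY = [
    BasDevice("hvac-ctrl-01", "VendorA", True, True, date(2021, 1, 1), False),
    BasDevice("lighting-gw-02", "VendorB", False, False, date(2024, 6, 30), True),
    BasDevice("lift-ctrl-03", "VendorC", False, True, date(2019, 3, 1), True),
]

if __name__ == "__main__":
    for name, prio, issues in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE):
        print("%-8s %s: %s" % (prio, name, "; ".join(issues) or "no findings"))
```

Run against the sample inventory, the exposed HVAC controller with default credentials is reported first as critical, the unsupported lift controller as high, and the lighting gateway as clean.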
