A Growing Threat: Smart Buildings at Risk

More and more “smart” buildings are being built around the world, which is not surprising: automated lighting, climate and elevator control, energy efficiency, fire detection, and video surveillance are just some of the benefits. However, the security issues that come with IoT devices are, for some reason, discussed only reluctantly. Each of these functions depends on hundreds or thousands of sensors and computers connected to local servers and the Internet. It only takes one compromised IoT device for a successful cyberattack! The sheer number of devices gives hackers room to maneuver and means that a hack can go undetected for a long time. In this context, such cyberattacks are becoming less a question of “if” and more a question of “when.”

A Kaspersky report published in 2019 showed that nearly 40 percent of the 40,000 “smart” buildings suffered from cyberattacks. In most cases, computers that control building automation systems (BAS) were compromised. Of the threats, 26% came from the Internet, 10% from portable storage, 10% from phishing links, and 1.5% from shared folders on corporate networks. In most cases, they were common malware such as ransomware, worms, and spyware, rather than malware with a specific purpose.


Examples and Consequences of Attacks

Cybercriminals can hack into building automation systems (BAS) for a variety of purposes: to divert attention from their primary intentions, to create chaos, to frighten people, or to endanger someone’s life. Here are some real-life examples:

– The 2013 Target retail chain data breach was the infamous HVAC cyberattack, used to gain access to corporate financial systems and steal payment card data from more than 40 million people.

– In 2017, news spread about a cyberattack on the Romantik Seehotel Jägerwirt, a prominent hotel in Austria: cybercriminals hacked into the hotel’s electronic key system, leaving guests unable to access their rooms and disrupting other business processes.

– Cyberattacks on industrial control systems (ICS) in critical infrastructure sectors are known for their physical consequences. Examples include the BlackEnergy malware that took out the Ukrainian power system in 2015 and the Stuxnet worm that damaged Iran’s nuclear program in 2010.

One can also easily imagine the business consequences of such attacks. For example, temperature manipulation through a hacked building automation system can lead to physical damage to servers or rapid damage to goods. Tampering with water, electricity, ventilation, and fire alarm and extinguishing systems can harm human health. Imagine what would happen if a failure occurred in a hospital during an operation, or if elevators in a business center, with people inside, simultaneously stopped or started descending at a crazy speed.



As Forbes notes, building automation systems are a tempting morsel for hackers. Cybercriminals can sell the security credentials of “smart” buildings on the Darknet for profit, or demand a ransom from the business owners themselves.

Hacktivists who oppose the corporate policies or products of particular companies may also be among those interested. State-sponsored criminal groups should also be mentioned.

Motives can vary, but the fact remains that these types of cyberattacks can cause significant damage to commercial building tenants in the form of business downtime, financial losses, and threats to public safety.

Addressing these issues requires collaboration between city planners, engineers, and cybersecurity professionals. Also, the development of cybersecurity mechanisms and risk analysis tools for the construction industry should be a priority. That will help effectively address the current and future challenges of securing smart buildings.
