More and more "smart" buildings are being built around the world, which is not surprising. Lighting, climate and elevator control, energy efficiency, fire detection, and video surveillance are just some of the benefits. However, for some reason, the security issues associated with the use of IoT devices are only reluctantly talked about. Each of these functions depends on hundreds or thousands of sensors and computers connected to local servers and the Internet. It only takes one compromised IoT device for a successful cyberattack! Their large number gives hackers room to maneuver and means that a hack can go undetected for a long time. In this context, such cyberattacks are becoming less a matter of "if" and more a matter of "when".
A Kaspersky report published in 2019 showed that nearly 40 percent of the 40,000 "smart" buildings suffered from cyberattacks. In most cases, computers that control building automation systems (BAS) were compromised. Of the threats, 26% came from the Internet, 10% from portable storage, 10% from phishing links, and 1.5% from shared folders on corporate networks. In most cases, they were common malware such as ransomware, worms, and spyware, rather than malware with a specific purpose.
Examples and Consequences of Attacks
Cybercriminals can hack into building automation systems (BAS) for a variety of purposes: to divert attention from their primary intentions, to create chaos, to scare, or to endanger someone's life. Here are some real-life examples:
– The 2013 Target retail chain data breach was the infamous HVAC cyberattack, which was used to gain access to corporate financial systems and steal payment card data from more than 40 million people.
– In 2017, news spread about a cyberattack on the Romantik Seehotel Jägerwirt, a prominent hotel in Austria. Cybercriminals hacked into the hotel's electronic key system, leaving hotel guests unable to access their rooms and disrupting other business processes.
– Cyberattacks on industrial control systems (ICS) in critical infrastructure sectors are known for their physical consequences. Examples include the BlackEnergy malware that took out the Ukrainian power system in 2015 and the Stuxnet worm that damaged Iran's nuclear program in 2010.
One can also easily imagine the business consequences of such attacks. For example, temperature manipulation by hacking into building automation systems can lead to physical damage to servers or rapid damage to goods. Tampering with water, electricity, ventilation, and fire alarm and extinguishing systems can harm human health. Imagine what would happen if a failure occurred in a hospital during an operation, or if elevators in a business center simultaneously stopped with people inside or started going down at a crazy speed.
As Forbes notes, building automation systems are a tidbit for hackers. Security credentials of "smart" buildings can be sold by cybercriminals on the Darknet for profit, or hackers can demand a ransom from business owners themselves.
Hacktivists who oppose the corporate policies of some companies or their products may also be among those interested. State-sponsored criminal groups should also be mentioned.
Motives can vary, but the fact remains that these types of cyberattacks can cause significant damage to commercial building tenants in the form of business downtime, financial losses, and threats to public safety.
Addressing these issues requires collaboration between city planners, engineers, and cybersecurity professionals. Also, the development of cybersecurity mechanisms and risk analysis tools for the construction industry should be a priority. That will help effectively address the current and future challenges of securing smart buildings.