The plethora of IoT devices used to monitor building systems and operations are making smart buildings more vulnerable to cyber attack, according to research by cybersecurity firm ForeScout Technologies Inc.
ForeScout found that building automation systems in hospitals and schools are particularly vulnerable to cyber attack from malicious actors.
“The number of identified vulnerabilities in building automation systems has been increasing over the past two years, illustrating the urgency for BAS owners to harden their systems against internal or external cyber threats,” stated Elisa Costante, senior director of Industrial OT Technology at ForeScout.
The company says that a strong likelihood exists that malicious actors will leverage building automation systems (BAS) in a major public ransomware attack in 2019.
While IoT devices such as smart meters, HVAC units and even vending machines are not designed for web browsing, they often connect to the internet for control and analytics purposes and pose serious security threats and obscurity from direct internet access often makes them prime targets as areas of entry by hackers.
“In recent years, hackers have become increasingly sophisticated in their attacks, and are nowadays well-equipped to identify and target vulnerabilities across most business and consumer technologies,“ said Costante at Secura’s annual security conference.
According to ForeScout, IoT devices within smart buildings – including those which automate heating and ventilation – are regularly unsecured from hackers.
ForeScout discovered that thousands of vulnerable IoT devices in heating, ventilation, and air conditioning (HVAC) systems are vulnerable to cyber attack.
The researchers found nearly 8,000 devices that were highly vulnerable to cyber attack mostly in hospitals and schools and unauthorized access could enable hackers full control of the devices and carry out malicious actions against patients and children.
Lower sensitivity vulnerabilities such as access to sensitive data, distribution of malware, file deletion and authentication bypass, were also found among 76% of the device instances.
The company says that manipulation of HVAC systems can enable attackers to access private financial information and potentially harm people in facilities by gaining unauthorized offline data stored and processed in data centers by large companies.
One of the characteristics making smart building increasingly susceptible to cyber attack is the increased integration of building sub-systems.
As more smart buildings start functioning autonomously to predict and automatically set room temperature, lighting controls and other systems to meet occupant comfort- they require integration across building systems- this integration, if not secured correctly, can make the entire system more vulnerable to attacks, says Costante.
Preventing cyber attack in smart building automation systems
The key to identifying vulnerabilities and attacks is creating a completely visible BAS systems says Costante.
“Adding enhanced security with network monitoring can give organizations a thorough understanding of the BAS environment and its connections. This makes it easier to design effective security architectures, identify attack vectors, and locate blind spots, among other things” Costante said.
Improved BAS visibility also enables security managers to resolve unknown and unchecked operational security issues, misconfigurations, policy violations, faulty design and unplanned or unauthorized changes which serve as an alert that something may be wrong.
One way to increase BAS visibility is to adopt an advanced network monitoring and situational awareness platforms, designed for building automation.
These tools provide much-needed visibility into the BAS and raise immediate alerts if a new node appears on the network or a communication pattern becomes abnormal or dangerous or if non-compliance with internal network and maintenance policies such as unauthorized credentials or logs in at unusual and unauthorized hours.