Can you Trust your Smart Building? – Understand the cyber security issues

Smart Buildings
In this digital age, what risks are posed to your tenants, staff, visitors and assets from vulnerabilities in Internet connected smart building systems and devices? Understand the cyber security issues associated with ‘smart’ building systems and why they are important to you.
Buildings are becoming increasingly connected and ‘Smart’ with the deployment of sensors, IoT networks, analytics and their integration with building management systems (BMS), building automation systems (BAS) and other systems (e.g. security, fire detection and alarms, occupancy, environmental, parking.
Smart Buildings can generate a deluge of data however, predictive analytics, machine learning and other branches of artificial intelligence (AI) allow managers and Smart Buildings Systems to ‘intelligently’ optimise the use of assets, operations and the consumption of resources. This optimisation offers potential benefits to users, owners and managers of buildings including:
  • Savings in energy and water usage and the resulting reduction in costs and carbon footprint
  • Improved working conditions, safety and security for occupants
  • Improved customer service levels
  • Visibility and management of occupancy levels
  • Optimisation of resources (physical, space and human)
  • Reduced maintenance costs

Risks

As well as the benefits, it is important to consider the risks of introducing new technology and devices. IT Cyber Security risks are not new, however, the proliferation of connected IoT devices introduces new system elements and components that can be exposed to possible attacks (attack surface) and mechanisms by which the attack can take place (attack vectors).
The risk to an organisation or individual through poor security practice could impact:
  • Reputation
  • Share price
  • Costs (operational, replacement, sales, legal, fines etc.)
  • Health & Safety

Threats to Smart Buildings

Threats to Smart Buildings can come from a number of difference sources or ‘actors’ including financially motivated cyber criminals, states and state-sponsored groups, hacktivists and malicious insiders (employees).
In 2012, Hackers exploited vulnerabilities in industrial heating systems [ref 1] which were connected to the internet, and then changed the temperature inside the buildings. They utilised a flaw in the building management software.
Security research company, Pen Test Partners, have demonstrated [ref 2] how poor installation by electricians and HVAC engineers who don’t understand security can lead to BMS controllers being exposed on the public internet and vulnerable to attacks that, for instance, could sabotage: HVAC devices to close offices  or cause life threatening issues at healthcare facilities. A simple search on Shodan [ref 3], the search engine for Internet-connected devices can reveal thousands of insecure BMS systems across the globe.
Bring your own IoT Device or Network or Shadow IoT – the use of unauthorised Internet of Things devices and networks poses a new level of threats for enterprises. A 2018 Infoblox report [ref 4] found that:
  • A third of enterprise companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day
  • A quarter of US employees are unclear as to whether their organization has an IoT security policy
  • 20 percent of UK employees rarely or never follow security policy for personal and IoT devices
In 2017, it was revealed that criminals had managed to steal 10GB of data from a North American casino high-roller database via an internet connected thermometer in a lobby aquarium [ref 5]. The internet connected fish tank allowed it to be remotely monitored, automatically adjust temperature and salinity, and automate feedings.
Your building could become part of Botnet to launch Distributed Denial of Service (DDoS) attacks. In 2016, Mirai malware infected CCTV video cameras and digital video recorders and was used to launch a DDoS attack [ref 6] that caused a massive Internet outage affecting Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users

Cybersecurity Best Practice

It is not feasible to eliminate all risks from Smart Buildings. Protecting your investments requires a structured approach to implementing and maintaining security best practice, policies and procedures. This approach is well illustrated and documented by the US National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity” [ref 7] which:
“Provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations, or it can be focused on the delivery of critical services within an organization.”
The NIST Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The main Core Functions are Identify, Protect, Detect, Respond, and Recover. The Functions should be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risk. Core activities include:
  • Management Governance
  • Risk Assessment
  • Threat Modelling
  • Security by Design (throughout the enterprise and system of systems) and leveraging Defence in Depth
  • Procurement (specifying security requirements for products)
  • Supply Chain processes (ensuring security is maintained throughout and at source)
  • Secure Implementation processes
  • Testing and Validation
  • Secure Maintenance and Lifecycle Management (including security software updates)
  • Training for system administrators and an enterprise monitoring plan to watch for suspicious events within the building network
  • Detection of Anomalies and Events
  • Continuous Security Monitoring
  • Incident response plan to effectively respond to cyber security incidents as they occur
  • Vulnerability disclosure
  • Recovery and Resilience processes and plans to restore services in the event of a security event
  • Physical access controls to provide wider visibility across the physical and electronic space
Security investments should be balanced against the effect of undesirable outcomes. Balancing should be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions. Costs should be evaluated, and a rational selection of implementation choices made to deliver an acceptable return on investment. In preparing for your risk assessment you might like to consider e.g.:
  • Have you identified your critical digital assets? Not all systems and data are created equal.
  • Have you identified which systems are critical for health and safety reasons and therefore must be fail-safe?
  • Do you have and maintain lists of all your assets (devices, software, and any sensitive information/data)? If so, do you know who has access to them and where the data resides?
  • Are you able to detect unusual behaviour/activity on your network/do you use real time monitoring solutions?
  • Would you know if a rogue device came on to the system?
  • If the building systems are attacked do you have processes and policies in place and are your staff familiar with these?
These and other questions are important for a Smart Building’s stakeholders to carefully weigh up throughout its lifecycle from design to decommissioning especially given the legal and health and safety requirements which relate to data protection and duty of care.

IoT SF Smart Buildings Working Group

The IoT Security Foundation [ref 8] recently published a White Paper ‘Can you Trust your Smart Building?’ [ref 9] and is seeking to encourage people from Smart Building stakeholder groups to engage with their Smart Buildings Work Group and provide input as they develop best practice security guidance in this area. To find out how you can be involved with the Smart Buildings Working Group, please contact:
smartbuildings@iotsecurityfoundation.org

Secure IoT 2019, Internet of Things Cybersecurity Conference

If you would like to:
  • Learn about the security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices
  • Gain an understanding IoT security best practice
  • Meet leading cyber security experts and companies offering security products, solutions and services
I encourage you to come along to Secure IoT 2019, Internet of Things Cybersecurity conference, on 7th November at the Green Park Conference Centre, Reading, RG2 6GP, UK.

Buy Tickets

References
The following organisations, publications and/or standards have been used for the source of references in this document:
1. Fast Company, April 2013, “Cybercriminals Hack Into Factory”
https://www.fastcompany.com/3008148/cybercriminals-hack-factory
2. Pen Test Partners, “Too cold to work? School closed? Sure your BMS hasn’t been hacked?”
https://www.pentestpartners.com/security-blog/too-cold-to-work-school-closed-sure-your-bms-hasnt-been-hacked/
3. Shodan, “search engine for Internet-connected devices”
https://www.shodan.io
4. Infoblox, May 2018, “Infoblox research finds explosion of personal and IoT devices on enterprise networks introduces immense security risk”
https://www.infoblox.com/company/news-events/press-releases/infoblox-research-finds-explosion-of-personal-and-iot-devices-on-enterprise-networks-introduces-immense-security-risk/
5. Forbes, July, 2017, ” Criminals Hacked A Fish Tank To Steal Data From A Casino
https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/
6. KrebsonSecurity, October 2016 “Hacked cameras, DVRs Powered Todays Massive Internet Outage:
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
7. National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity”
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
8. Internet of Things Security Foundation
https://www.iotsecurityfoundation.org/
9 Internet of Things Security Foundation, June 2019, “Can you trust your Smart Building?”
https://www.iotsecurityfoundation.org/wp-content/uploads/2019/06/IoTSF-Smart-Buildings-White-Paper-PDF-1.pdf

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources – according to a Bloomberg Report.

Excerpts from this report:

“During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

“How the Hack Worked:”

1.  A Chinese military unit designed and manufactured microchips as small asa a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.

2. The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.

3. The compromised motherboards were built into servers assembled by Supermicro.

4.  The sabotaged servers made their way inside data centers operated by dozens of companies.

5. When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

See also TechCrunch Article:

Chinese chip spying report shows the supply chain remains the ultimate weakness

Threat Modelling & Security Analysis For IoT

Among the most critical tasks in developing secure device is designing platforms with robust countermeasures for identified threats. Dr Andrew Jones from @Arm will be talking Threat Modelling & Security Analysis For IoT at the Secure IoT conference. Andrew will give an overview of Arm’s Platform Security architecture and how threat modelling can be performed to identify and mitigate attacks.

Dr Andrew Jones is the Arm architect focused on future systems design of IoT and embedded automotive systems. Andrew is a veteran system architect having previously worked at the University of Bristol, and several microelectronics companies in the UK and US. He has managed the specification of dozens of successful chips and is the holder of over 50 patents. Andrew Jones is the author of a book on network design and of a number of publications focused on system on chip architectures.

Secure IoT devices from the microcontroller, up

For OEMs, the expense of IoT security is more than simply adding a cryptographic IC to the bill of materials, as it also has implications on engineering development time, power consumption, the type of microcontroller selected, and so on.

http://www.embedded-computing.com/iot/secure-iot-devices-from-the-microcontroller-up

Faced with the time to market and cost pressures of consumer and commercial product development, it’s not surprising many device manufacturers elect to shortcut or completely forego steps in the secure development lifecycle.

Connected devices have a large attack surface and attacks can be software-based, focus on communications channels, target vulnerable firmware during and after an update process, or look to compromise physical components.