Can you Trust your Smart Building? – Understand the cyber security issues

Smart Buildings
In this digital age, what risks are posed to your tenants, staff, visitors and assets from vulnerabilities in Internet connected smart building systems and devices? Understand the cyber security issues associated with ‘smart’ building systems and why they are important to you.
Buildings are becoming increasingly connected and ‘Smart’ with the deployment of sensors, IoT networks, analytics and their integration with building management systems (BMS), building automation systems (BAS) and other systems (e.g. security, fire detection and alarms, occupancy, environmental, parking.
Smart Buildings can generate a deluge of data however, predictive analytics, machine learning and other branches of artificial intelligence (AI) allow managers and Smart Buildings Systems to ‘intelligently’ optimise the use of assets, operations and the consumption of resources. This optimisation offers potential benefits to users, owners and managers of buildings including:
  • Savings in energy and water usage and the resulting reduction in costs and carbon footprint
  • Improved working conditions, safety and security for occupants
  • Improved customer service levels
  • Visibility and management of occupancy levels
  • Optimisation of resources (physical, space and human)
  • Reduced maintenance costs


As well as the benefits, it is important to consider the risks of introducing new technology and devices. IT Cyber Security risks are not new, however, the proliferation of connected IoT devices introduces new system elements and components that can be exposed to possible attacks (attack surface) and mechanisms by which the attack can take place (attack vectors).
The risk to an organisation or individual through poor security practice could impact:
  • Reputation
  • Share price
  • Costs (operational, replacement, sales, legal, fines etc.)
  • Health & Safety

Threats to Smart Buildings

Threats to Smart Buildings can come from a number of difference sources or ‘actors’ including financially motivated cyber criminals, states and state-sponsored groups, hacktivists and malicious insiders (employees).
In 2012, Hackers exploited vulnerabilities in industrial heating systems [ref 1] which were connected to the internet, and then changed the temperature inside the buildings. They utilised a flaw in the building management software.
Security research company, Pen Test Partners, have demonstrated [ref 2] how poor installation by electricians and HVAC engineers who don’t understand security can lead to BMS controllers being exposed on the public internet and vulnerable to attacks that, for instance, could sabotage: HVAC devices to close offices  or cause life threatening issues at healthcare facilities. A simple search on Shodan [ref 3], the search engine for Internet-connected devices can reveal thousands of insecure BMS systems across the globe.
Bring your own IoT Device or Network or Shadow IoT – the use of unauthorised Internet of Things devices and networks poses a new level of threats for enterprises. A 2018 Infoblox report [ref 4] found that:
  • A third of enterprise companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day
  • A quarter of US employees are unclear as to whether their organization has an IoT security policy
  • 20 percent of UK employees rarely or never follow security policy for personal and IoT devices
In 2017, it was revealed that criminals had managed to steal 10GB of data from a North American casino high-roller database via an internet connected thermometer in a lobby aquarium [ref 5]. The internet connected fish tank allowed it to be remotely monitored, automatically adjust temperature and salinity, and automate feedings.
Your building could become part of Botnet to launch Distributed Denial of Service (DDoS) attacks. In 2016, Mirai malware infected CCTV video cameras and digital video recorders and was used to launch a DDoS attack [ref 6] that caused a massive Internet outage affecting Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users

Cybersecurity Best Practice

It is not feasible to eliminate all risks from Smart Buildings. Protecting your investments requires a structured approach to implementing and maintaining security best practice, policies and procedures. This approach is well illustrated and documented by the US National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity” [ref 7] which:
“Provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations, or it can be focused on the delivery of critical services within an organization.”
The NIST Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The main Core Functions are Identify, Protect, Detect, Respond, and Recover. The Functions should be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risk. Core activities include:
  • Management Governance
  • Risk Assessment
  • Threat Modelling
  • Security by Design (throughout the enterprise and system of systems) and leveraging Defence in Depth
  • Procurement (specifying security requirements for products)
  • Supply Chain processes (ensuring security is maintained throughout and at source)
  • Secure Implementation processes
  • Testing and Validation
  • Secure Maintenance and Lifecycle Management (including security software updates)
  • Training for system administrators and an enterprise monitoring plan to watch for suspicious events within the building network
  • Detection of Anomalies and Events
  • Continuous Security Monitoring
  • Incident response plan to effectively respond to cyber security incidents as they occur
  • Vulnerability disclosure
  • Recovery and Resilience processes and plans to restore services in the event of a security event
  • Physical access controls to provide wider visibility across the physical and electronic space
Security investments should be balanced against the effect of undesirable outcomes. Balancing should be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions. Costs should be evaluated, and a rational selection of implementation choices made to deliver an acceptable return on investment. In preparing for your risk assessment you might like to consider e.g.:
  • Have you identified your critical digital assets? Not all systems and data are created equal.
  • Have you identified which systems are critical for health and safety reasons and therefore must be fail-safe?
  • Do you have and maintain lists of all your assets (devices, software, and any sensitive information/data)? If so, do you know who has access to them and where the data resides?
  • Are you able to detect unusual behaviour/activity on your network/do you use real time monitoring solutions?
  • Would you know if a rogue device came on to the system?
  • If the building systems are attacked do you have processes and policies in place and are your staff familiar with these?
These and other questions are important for a Smart Building’s stakeholders to carefully weigh up throughout its lifecycle from design to decommissioning especially given the legal and health and safety requirements which relate to data protection and duty of care.

IoT SF Smart Buildings Working Group

The IoT Security Foundation [ref 8] recently published a White Paper ‘Can you Trust your Smart Building?’ [ref 9] and is seeking to encourage people from Smart Building stakeholder groups to engage with their Smart Buildings Work Group and provide input as they develop best practice security guidance in this area. To find out how you can be involved with the Smart Buildings Working Group, please contact:

Secure IoT 2019, Internet of Things Cybersecurity Conference

If you would like to:
  • Learn about the security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices
  • Gain an understanding IoT security best practice
  • Meet leading cyber security experts and companies offering security products, solutions and services
I encourage you to come along to Secure IoT 2019, Internet of Things Cybersecurity conference, on 7th November at the Green Park Conference Centre, Reading, RG2 6GP, UK.

Buy Tickets

The following organisations, publications and/or standards have been used for the source of references in this document:
1. Fast Company, April 2013, “Cybercriminals Hack Into Factory”
2. Pen Test Partners, “Too cold to work? School closed? Sure your BMS hasn’t been hacked?”
3. Shodan, “search engine for Internet-connected devices”
4. Infoblox, May 2018, “Infoblox research finds explosion of personal and IoT devices on enterprise networks introduces immense security risk”
5. Forbes, July, 2017, ” Criminals Hacked A Fish Tank To Steal Data From A Casino
6. KrebsonSecurity, October 2016 “Hacked cameras, DVRs Powered Todays Massive Internet Outage:
7. National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity”
8. Internet of Things Security Foundation
9 Internet of Things Security Foundation, June 2019, “Can you trust your Smart Building?”

Internet of Things Cyber Security Conference – Talks Announced

Announcing the first set of talks for Secure IoT 2019, the 3rd annual Internet of Things Cyber Security conference, that will be held on 7th November at the Green Park Conference Centre, Reading, RG2 6GP. Speakers: Arm, AWS, Device Authority, IBM, NCC Group, Pen Test Partners, GSMA and Copper Horse.

At the Internet of Things Cyber Security conference, learn about the:

  • Cyber security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices
  • Gain an understanding IoT security best practice
  • Meet Leading experts and companies offering security products, solutions and services.

For full details see:

Secure IoT 2019

To book tickets:
Secure IoT 2019 Tickets
Special discounted tickets are available for full time students and academics at a rate of £44.90 (incl. fees & VAT)


“IoT. Engineer securely, don’t add security”
Ivan Reedman – Executive Principal, Technical Lead, NCC Group

All too often vendors offer products and solutions to secure your IoT device. Unfortunately, in reality there is no silver bullet. For an IoT device to be secure, it must be engineered securely.

This talk will cover some basic principles of secure engineering using publically available references and models whilst also explain why and how to implement these principles.

“Systemic fraud in IoT: the fraud no one know about”
Tony Gee – Associate Partner, Pen Test Partners

Systemic issues in IoT are becoming more and more prevalent, with millions of devices compromised by poor security on the API, but there is a more sinister abuse of this attack as yet unknown.

This talk will discuss this attack and the ways an attacker can abuse the flaw for massive systemic fraud. We will also discuss the current mitigations in place and other mitigations organisations and individuals can put in place. This talk will be an eye opener to a brand new type of abuse of IoT!

“The PSA Security Model: Important Security Goals and How They Impact Security”
Marcus Streets – Principal Security Architect, Arm

Security is constantly changing and evolving. With regulations always on the horizon and new threats being identified, businesses need a strategy to protect against future security threats. The Platform Security Architecture (PSA) offers a framework for securing connected devices. It provides a step-by-step guide to building in the right level of device security, reducing risk around data reliability, and allowing businesses to innovate on new ideas to reap the benefits of digital transformation.

“IoT Security for Industrial and Smart Factory use cases”
Rob Dobson – Director, Device Authority
The presentation will take the audience through what some of the challenges are for securing industrial and Smart Factory deployments. Looking at several case study scenarios where customers have specific requirements around data security, privacy and how they can meet the Operation Technology (OT) needs for their businesses.

“Cybersecurity and the IoT”
Henrik Kiertzner, Principal Cybersecurity Consultant

The argument goes something like this – a huge number of nodes, all built by the lowest bidder and designed largely in jurisdictions where there is less-than-desirable attention paid to intellectual property rights, present a huge and appealing attack surface to the potential State actor aggressor, allowing for compromise of the confidentiality, integrity and availability of the devices and services they provide. IoT operators will need to find ways to maintain visibility of activity on their extended network and identify attacks and reconnaissance activity in order to move to mitigate impacts at the earliest possible time.

As with any modern issue, the key strands are people, process and technology. Where we are likely to fail is in process – the allocation of responsibility, the development of policy (and regulatory) architectures.

“Leveraging the SIM as a ‘Root of Trust’ to Secure IoT Applications”
Ian Smith, IoT Security Lead, GSMA

The GSMA has investigated how to leverage existing mobile operator assets to help secure IoT services – one of these key assets being the SIM. In his presentation, Ian Smith, IoT Security Lead at GSMA, will describe how cellular connected (GSM, LTE, NB-IoT) IoT devices can use the capabilities of the SIM to enhance the security of commonly used IoT security protocols such as Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).

Ian will also talk about the work the GSMA is undertaking to create a ‘common implementation guide’ for this capability – to the benefit of the IoT developer community.

“The Digital Security by Design Challenge”
Robin Kennedy – Cyber Security, Knowledge Transfer Network

Robin will outline one of the latest programmes to be announced under the Industrial Strategy Challenge Fund (ISCF) which, through enhancements to processor architecture and software, aims to make digital systems inherently less vulnerable

Other Speakers at the Internet of Things Cyber Security conference include:

  • Dr Andrew Jones – System Architect, Arm
  • Dave Walker – Solutions Architect, Amazon Web Services
  • Adam Laurie – Global Lead Hardware Hacker, X-Force Red, IBM
  • Mark Neve – IoT Security Foundation Ambassador and Technical Lead at Copper Horse

New Internet Laws Fuel Russian Cybercrime

New Internet Laws Fuel Russian Cybercrime: The introduction of Russia’s Sovereign Internet rules is having an impact on the way criminal hackers around the world do business. This is according to security house IntSights, which says that the law, set to become official in a few months, will force many hacking groups to change the way they operate both in Russia and in other countries. The rule would lead to Russia developing its own standalone network that could be cut off from all connections outside of the country if need be and continue to function.

“The sovereign internet will make it much easier for Russian law enforcement to crack down on hackers that target Russian entities,” Yakovlev explained in the IntSights Dark Side of Russia report.
“But the government will still likely turn a blind eye to threat actors that target foreign entities – particularly those operating in enemy states, like the United States.”

In other words, as hacking within Russia becomes more difficult and dangerous, expect to see Russian hacking groups focus even more of their attention on western countries, where the attacks will not draw a police response.

If you would like to

  • Learn about the security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices.
  • Gain an understanding IoT security best practice.
  • Meet Leading experts and companies offering security products, solutions and services.
    Come along to Secure IoT 2019, Internet of Things Cyber Security conference, book tickets here

Read full article from The Register article here

Russian hackers targeting IoT devices to penetrate corporate networks

Russian hackers targeting IoT devices to penetrate corporate networks, warns Microsoft. A hacking group linked to the Russian state has been observed targeting Internet-of-things (IoT) devices in a bid to breach secure corporate networks. Microsoft claimed in a blog post that its Threat Intelligence Centre detected multiple attempts from Russia-linked Strontium group – also known as ‘Fancy Bear’ – in April to target VoIP phones, digital video recorders and printers. Hackers tried to attack IoT devices at multiple locations and attempted to use those devices as soft points to gain entry into larger corporate networks.

In two cases, the devices carried factory security settings, such as default passwords, making for easy entry. In a third case, the device was found to be using outdated firmware with known vulnerabilities

After gaining access to the devices, the attackers used them to compromise other vulnerable devices/machines on the network. Some simple scans enabled them to move across the network and gain access to “higher-privileged accounts that would grant access to higher-value data”.

If you would like to

    • Learn about the security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices.
    • Gain an understanding IoT security best practice.
    • Meet Leading experts and companies offering security products, solutions and services.

Come along to Secure IoT 2019, Internet of Things Cybersecurity conference, book tickets here

Read full article from Computing here:

Russian hackers targeting IoT devices to penetrate corporate networks, warns Microsoft

Internet of Things Cyber Security Conference | Early Bird Tickets

Internet of Things Cyber Security Conference

There are just 4 days left to purchase an Early Bird ticket for the Secure IoT 2019, Internet of Things cyber security conference. Learn about: the security issues, risks, threats and vulnerabilities associated with IoT systems and connected devices; gain an understanding IoT security best practice and meet leading experts and companies offering security products, solutions and services with speakers from:

  • Amazon Web Services
  • Arm
  • Copper Horse
  • UK Government Department for Digital, Culture, Media and Sport
  • Device Authority
  • GSMA
  • IBM
  • IoT Security Foundation
  • Microsoft
  • NCC Group
  • Pen Test Partners
  • SAS

Purchase your Ticket here.

Secure IoT 2019, Internet of Things Cyber Security Conference will be held at the Green Park Conference Centre, 100 Longwater Avenue, Green Park, Reading, Berkshire, RG2 6GP, on Thursday, 7th November with registration from 9.00 am and closing at 6pm. For more details see:

For details of the speakers see: Secure 2019 Speakers

Why attend the Internet of Things Cyber Security conference?

We are seeing an ever-increasing number and sophistication of cyber-attacks on systems and products that are using connected IoT devices. These attacks are being instigated by different types of actors including: criminals; states and state sponsored; issue-orientated hactivists (malicious insiders pose the greatest threat) and ‘script kiddies’.

The risk and damage in terms of reputation, costs, health & safety to an organisation or individual due to poor security practice can be considerable.

In May 2018, the General Data Protection Regulation(EU) 2016/679 (GDPR) became enforceable. GDPR covers “security by design” in hardware and software. Data controllers are obliged to consider “data protection by design and by default”. Organisations using insecure IoT devices, software and systems could face action under GDPR should they contribute to theft or “spillage” of personal data.

If you would like to learn more about IoT Security best practice then come along to Secure IoT 2019, Internet of Things Cyber Security conference.

NIST- Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

National Institute of Standards and Technology (NIST), US Department of Commerce have published a new document: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles.

Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do.

NIST defines cybersecurity and privacy risks for IoT devices  in terms of three high-level risk mitigation goals:

1. Protect device security.

In other words, prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment. This goalapplies toall IoT devices.

2. Protect data security.

Protect the confidentiality, integrity, and/or availability of data(including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device.This goalapplies toeach IoT device except those withoutany data that needs protection.

3. Protect individuals’ privacy.

Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data securityprotection.This goalapplies to all IoT devices that process PII or that directly or indirectly impactindividuals.

This report, the first in a series addressing the IoT, looks at higher level considerations, NIST says future reports will go into greater depth and detail about related issues.

UK public sector lagging behind in taking IoT beyond pilot, says survey

UK public sector lagging behind in taking IoT beyond pilot, says Yotta survey. The UK’s public sector is lagging behind in adopting Internet of things (IoT) with almost three-quarters, at 74%, yet to make use of the emerging technology commercially, according to a research from technology company Yotta.

The survey commissioned by Yotta found that 39% of public sector organisations did run pilots but could not go beyond that with any live commercial deployments. On the other hand, more than a third, that is 35% of the surveyed public sector IT decision-makers indicated that their organisations are yet to start off with the technology.

The survey also found that public sector IT decision-makers believe security concerns to be the biggest obstacles faced by councils in making effective use of IoT-driven technology.

Almost four out of 10 of respondents, at 38%, voted security concerns as the main challenge, while more than a third, at 35% cited perceived cost of implementations as the reason for not deploying the technology.

Other prime concerns for using IoT are lack of skilled in-house expertise, at 34%, and integration challenges with existing systems, which was referenced by 31% of the surveyed public sector IT decision-makers.

How to hack an IoT device

An E&T investigation together with leading cyber-threat experts reveals how simple it is to hack Internet of Things (IoT) devices hooked up to the internet, exploring the implications of what this could mean for consumers and critical infrastructure in the UK.

See E&T article:

How to hack an IoT device

Alexa can be hacked–by chirping birds?

Scientists at the Ruhr-Universitaet in Bochum, Germany, have discovered a way to hide inaudible commands in audio files – commands that, while imperceptible to our ears, can take control over voice assistants. According to the researchers behind the technology, the flaw is in the very way AI is designed.

It’s part of a growing area of research known as “adversarial attacks,” which are designed to confuse deep neural networks–usually visually, as Co.Design has covered in the past–leaving them potentially vulnerable to attacks by bad-faith actors on the technology and infrastructure in our world that depends on AI to function.

In this case, the system being “attacked” by researchers at the Ruhr-Universität Bochum are personal assistants, like Alexa, Siri, or Cortana. According to Professor Thorsten Holz from the Horst Görtz Institute for IT Security, their method, called “psychoacoustic hiding,” shows how hackers could manipulate any type of audio wave–from songs and speech to even bird chirping–to include words that only the machine can hear, allowing them to give commands without nearby people noticing. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.

Attacks could be played over an app, for instance, or on a TV commercial or radio program, to hack thousands of people–and potentially make purchases with or steal their private information. “[In] a worst-case scenario, an attacker may be able to take over the entire smart home system, including security cameras or alarm systems,”

“An Amazon spokesperson told Co.Design that they take security issues seriously, and that the company is “reviewing the findings by the researchers.” Another way to look at this problem? Whenever possible–and unfortunately, it’s not always possible–don’t use unsecured smart speakers for sensitive information until they deliver on the promise of a secure and safe user experience.”

Sources/Further Reading:

Fast Company: Alexa can be hacked–by chirping birds

Adversarial Attacks Against ASR Systems via Psychoacoustic Hiding

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, and Dorothea Kolossa, Ruhr-Universität Bochum,  Technical Paper



Most Home Routers Are Full of Vulnerabilities

Research conducted by the American Consumer Institute Center for Citizen Research indicates that the routers commonly found in homes are huge security vulnerabilities for consumers and their employers. The center’s analysis shows that of 186 sampled routers, 155 (83%) were found vulnerable to potential cyberattacks.

The routers samples were from 13 different manufacturers, including Linksys, Belkin, Netgear, and D-Link. While 17% of the routers scanned were vulnerability-free, the report says that the remaining 83% of routers examined had, on average, 172 vulnerabilities.

Most of the vulnerabilities were in router firmware, according to the researchers, with the sheer number of vulnerabilities caused by a combination of a reliance on open source projects for code and a lack of vigorous patching and update policies on the part of the vendors.


Dark Reading:

Most Home Routers Are Full of Vulnerabilities


ThreatList: 83% of Routers Contain Vulnerable Code