Smart Buildings: A Cybersecurity Liability — December 2020 Newsletter

201 Linden Street

Building Owner

5636 sq. ft.

Residential

Fort Collins, CO

201 Linden St. is a private residence located in the heart of downtown Fort Collins, making it a unique commercial solution for a residential space.This space has an individualized hot water system that functions for domestic hot water while also heating water for the radiant floor heating system.The radiant floor heat keeps the historic flooring from breaking or getting damaged during the cold months.This is done through individual zone pumps in conjunction with the boilers.The owners of the building were very pleased with the capability of remotely accessing the controls and being able to run the location at its most energy efficient capabilities.

Read Original Newsletter

Citizens are concerned about the ability of public and private institutions to adequately protect their data, particularly after the high-profile LifeLabs data breach in 2019 and the devastation brought by Ryuk malware on three hospitals in Ontario the same year.1 In the hospitality industry, a breach of data at Marriott exposed the privacy of nearly half a billion guests who stayed at the hotel chain between 2014 and 2018.2 It is crucial for organizations to be proactive when it comes to cybersecurity. Security breaches are often the result of blind spots for IT and security teams. This is especially the case when organizations don’t manage their own assets or are not aware of their existence. Internet of Things (IoT) devices are a prime example of such assets. Building owners and operators rely on many types of IoT devices, such as refrigeration, HVAC, and lighting systems, to diagnose faults, collect data, and remotely operate and service equipment. Each of these systems offers a tempting open pathway for an attacker. In 2017 a casino’s high-roller database was exposed to hackers who infiltrated the network through a smart thermostat and pulled data to the cloud.3 It is more important than ever for building owners and designers to map their smart buildings’ attack surface, expose that shadow risk, and eliminate all attack vectors. Smart buildings collect data from equipment and sensors and analyze them to improve operational efficiency, reduce waste, and ensure occupant comfort—all worthy efforts. An example of the many government and non-profit efforts to improve building energy efficiency and environmental impact is the Government of Canada’s Smart Buildings Initiative, part of a broader goal to make federal buildings energy efficient and reduce greenhouse gas emissions.4 But as smart buildings and IoT devices gain momentum in the market, unless we carefully consider their security, we risk exposing our data and privacy to malicious actors.

Smart buildings need smart devices to deliver the information needed for energy analytics, fault detection, and remote operations management. These devices communicate over Wi-Fi, Ethernet, Bluetooth, EIA-485, and a variety of other networks. Smart devices also provide information to direct digital control (DDC) controllers for status, temperature, CO2 levels, and various other parameters. DDC controllers operate everything from large air handlers to small light sensors using a centralized, network-oriented approach and open protocol languages such as BACnet, Modbus, and KNX. Open protocol languages are the cornerstone of easy integration and plug-and-play installation. BACnet protocol, developed and maintained by ASHRAE, has become an industry standard for smart buildings and was ISO certified in 2003. BACnet is used to control lighting, security access, elevators, HVAC, and life-safety devices. However, as with devices that use Modbus and other open protocols, BACnet-controlled devices offer little to no security in the way they integrate and communicate. This makes smart buildings vulnerable to attacks and system breaches.

Product owner Faisal Hamood and the RC-RemoteAccess team have been improving the way encrypted BACnet networks are managed. Reliable Controls was one of the first organizations to encrypt BACnet communications and develop a server-based router that can manage multiple systems. RC-RemoteAccess is unique in that it does not rely on additional devices to route and manage encryption; it provides security within the building as well as secure access into it. Our encrypted BACnet networks are interoperable with any standard BACnet device, and many of the IP challenges of BACnet/IP, such as static IP addresses and broadcast management, are eliminated. This not only secures a smart building’s network but also simplifies its architecture. As smart-building technology advances, we can expect cybersecurity challenges to increase. Think of encryption as a lock on your door. It can only delay a determined malicious actor. The bigger and stronger the lock, the more specialized tools and knowledge the malicious actor needs to break it. It is not enough to rely on encryption. Smart-building designers need to supplement encryption with network segmentation, social engineering training for staff and operators, and a strong IT policy with contingencies and alarms. Segmentation limits the damage of a break-in, and alarms alert you of suspicious activity on the network, but cybersecurity is not just a technological challenge; it also has a human element. The best lock can’t protect you if the robber has the key.

Today, cities are beginning to use digital technologies to make better decisions and improve quality of life. Smart cities collect data from citizens, buildings, and assets and use it to monitor, track, and optimize energy, water and waste, traffic, comfort, safety, and a variety of other aspects of our daily lives. The more interoperability that occurs between devices, buildings, and infrastructure, the more opportunity for our data and information to be vulnerable; the challenge of cybersecurity is ever present. Future cybersecurity systems will likely be based in artificial intelligence, but they will always rely on fundamental safeguards like encryption and alarming—and on our ability to adapt our human defenses.