Editor’s note: Peter Dickinson is the CTO of BuildingIQ, a leading energy management software company. He has worked as an entrepreneur and executive in the energy management and commercial property sector for the last 15 years.
Last month major corporations and household names such as Evernote, TweetDeck and Feedly were held ransom by Internet hackers. Many found this concerning, but even more serious is that some businesses may not realize how highly vulnerable they are to such an attack. What if it were your building that was held ransom? Are there things that could have been done to prevent a cyber attack?
When we think of the Internet of Things, it’s common to think of phones, cars, tablets and countless other consumer devices, but don’t forget buildings. Businesses are racing toward integration through web-enabled technologies that can control everything from heating and lighting to elevators and door locks. But imagine a cyber attack shutting down your building’s lights and elevators. In addition to the security breach, employees would need to be sent home, and depending on the size of the company, this could result in losses of thousands or even millions of dollars.
Building control is moving away from the human hand and it is time to view a building as IT and not just the traditional brick and mortar. While connected buildings that use the cloud and IP networks to more efficiently control building operations are not new, there are new security precautions that need to be implemented to prevent intruders. More emphasis on and education around this topic is necessary.
Google’s Australian office hack last year should have served as the wakeup call for smart buildings. Two security researchers exposed Google’s vulnerable building management system for its Wharf 7 office. By going through the Tridium Niagara AX platform, the researchers had access to multiple panels. They were able to view blueprints of the building and the water pipes within the system. If they wanted to, they could have even clicked buttons labeled “active overrides,” “active alarms,” “schedule,” and more. This was not a malicious attack so no damage was done, but the possibility for a damaging security breach was there.
Once in a system, it could be relatively easy to access multiple building controls, as was the case for Google. Many of the communications protocols for building automation devices are built to integrate with each other for product compatibility and interoperability. In addition, automation systems that are set up on the same network as corporate and administrative systems put companies at increased risk. In the Google hack, the building management system was on a dedicated line and not on the same network as its corporate and administrative systems, which poses an additional hurdle for hackers.
The answer to preventing cyber attacks is not disconnecting your building from the cloud, it’s for the industry and end users to be more educated about the security risks and to be prepared for them. At times, it can actually be human error and mistrust in a system that can lead to more harm than good.
Take Target’s data hack, for instance. The breach that made headlines around the globe started with someone gaining access to the building via the heating, ventilation and air conditioning system. Without digging a little deeper, it is easy to point to the technology installed as the major issue and the only reason this breach happened. In reality, without manual intervention, the hack could have been contained within moments of occurring.
In the Target breach, the automated, intelligent, self-healing IT security system was overridden to perform just as a passive alert system. In turn, this alert was – by all accounts – ignored by the monitoring personnel. The virus/worm detection system, which actually did end up detecting the eventual intrusion into the point-of-sale system, could have automatically stopped the whole thing in its tracks, if it weren’t being limited. Unfortunately due to the apparent insistence on manual (human) oversight and interference with the system, the hack took hold and an alert was raised but nothing was done for what appears to be a number of days.
Like any industry involving tech, growing pains are to be expected, but the reality is that buildings are now IT. The hacks mentioned above are not reflective of the industry as a whole, but do provide a good lesson. When selecting automated system for a building, security must be a factor.
Utilizing the cloud is not something to be afraid of and its uses will only increase. A lack of education creates fear, which is why as the intelligence of our buildings increases, there is also a need for us to increase our intelligence of how systems within our buildings operate.
For 30 years, our building stock has represented some of the biggest robotics systems on the planet. The benefits of this explosion in automation have been deep and numerous. Further benefits are now becoming a reality, but without a serious focus on security, we risk losing those 30 years of progress and missing out on the next wave of advances.