Although everyone who tries to define smart buildings defines them differently, the one point all parties can agree on is that connecting climate controls, lighting, locking systems and other building elements to the web drastically increases the security risks for the structure as well as any networks that are connected to it. Adding to the risk, the integration of different management systems within smart buildings extends beyond the structure’s walls as government agencies and programs such as ENERGY STAR push for greater energy efficiencies, part of which requires connections to smart meters as well as the smart grid.
Network security researchers see two primary risks in the rapid build-out of structures with an ever-increasing number of web-enabled devices and systems: in the rush to connect everything to the web, the security of the connected devices is basically an afterthought, and hackers can gain access to networks within the structure through breaches of less secure networks that are connected to them. As for the lack of security in connected devices and systems, the risk arises from how relatively easy it is to gain access to more extensive networks through, for example, a printer that has been web-enabled via a wireless connection. The best example of a threat coming from a poorly defended outside network is the massive breach of Target’s financial data, which was facilitated by hackers gaining access to the retailer’s network through a service contractor that maintained the HVAC system via a web-enabled connection.
Additional risks include:
- Access to closed-circuit security cameras – Outsourcing security to third parties, especially when multiple devices are bundled to provide additional utilities such as climate control and lighting, presents the potential for hackers to put their eyes in the building by gaining access to cameras within the structure.
- Access to operational capabilities within the building – Hacking into an integrated security system could allow doors to be unlocked and power to be cut, and could cause a variety of other issues that jeopardize both physical and digital assets within the structure.
- Attacks on IT – Intrusions can also be used to corrupt IT systems within the structure through the insertion of malware, viruses, etc. In buildings with networks that aren’t compartmentalized, malware inserted into a network designed to monitor lighting needs can quickly spread to other networks that serve as the backbone of operations.
Some of the biggest risks of web-enabled structures are presented by the growing number of off-the-shelf automation products that offer functionality without security. Mitigating these risks requires the implementation of professionally designed building automation products that include defenses against hacking, with the trade-off being that these products will be more expensive than products that can be purchased at the neighborhood electronics store.