Smart buildings may be at much greater risk of cyber attack than originally thought, based on the findings of a new report from global cybersecurity firm Kaspersky. The report analyzed 40,000 smart buildings worldwide that use the firm’s security products, and found that nearly 4 in 10 (37.8%) of these buildings had been affected by a malicious cyber attack. In most cases, these cyber attacks were attempting to infect the computers that control smart building automation systems.
The smart buildings threat landscape
As Kaspersky points out, these cyber attacks were not “targeted” or “directed” specifically at these smart building computer systems. Instead, it was typically the case that ordinary malware – the kind found on many corporate networks – was the culprit behind the cyber attack. In its report, Kaspersky broke down the malicious cyber attacks by type, and found that variants of spyware (11%), worms (10.8%), phishing (7.8%) and ransomware (4.2%) accounted for nearly all of the cyber attacks at the smart buildings.
That’s the good news, if you can call it that, since it implies that rogue hackers around the world are not dreaming up devious new cyber attacks against smart buildings in the center of the world’s largest cities, or dreaming up new cyber threats to target smart buildings wherever people live or work. Using security solutions from companies like Kaspersky, it is presumably still possible to spot and then eliminate these cyber threats.
But, as Kirill Kruglov, security researcher at Kaspersky, pointed out, these cyber attacks against smart buildings should not be underestimated. That’s because smart building computers control many of the mission-critical processes at hospitals, public transport hubs, shopping malls and even prisons. Moreover, computers are used to control the sensors and controllers used for elevators, ventilation systems, heating systems, lighting, water, video surveillance systems, alarms, fire extinguishing systems, and other mission-critical functions. In the ultimate nightmare scenario, malware that infects these systems would be able to wreak havoc at any smart building in the world.
As a result, IT administrators at smart buildings should be vigilant for telltale signs that a smart building computer automation system has been compromised. For example, elevator systems that fail to work as planned, video surveillance cameras that go on and off, or alarm systems that go off for unknown reasons could both be telltale signs that important smart building automation systems have been the victim of a cyber attack.
Cyber attack scenarios for smart buildings
As part of its investigation into the weaknesses of smart building automation systems, Kaspersky provided important information about the type and nature of these smart building cyber attacks. According to Kaspersky, 26% of the threats are being introduced into smart building automation systems via the web; 10% of attacks are coming from memory sticks, flash drives and external hard drives; 10% of attacks are coming from corrupted email links; and another 1.5% of threats are coming from shared folders on a corporate network.
In addition, Kaspersky broke down the data by geographic area, to see if certain regions or nations were at greater risk than others. While nearly 40% of buildings worldwide had been affected by a cyber attack, the incident rate was even higher in Italy (48.5% of all smart buildings), Spain (47.6%), UK (44.4%), Czech Republic (42.1%) and Romania (41.7%).
As part of its smart building study, Kaspersky also hypothesized on how and why hackers might choose to target smart buildings in the future. According to Kaspersky, security credentials for smart buildings now have a value on the Dark Web, and can be sold for a profit to shadowy hacker collectives. Once in these hands, it might be possible to pull off a ransomware attack against a smart building owner. Imagine, for example, what would happen if rogue hackers started to launch cyber attacks against shopping malls, or even worse, against buildings that are part of a nation’s critical infrastructure (such as transportation hubs).
Rules for protecting smart buildings from cyber attacks
According to Kaspersky Lab, there are several steps that smart building owners can take to protect access controls and building systems management computers. First and most importantly, they can conduct regular security audits to maintain the overall integrity of computers that control smart building automation systems. Secondly, they can maintain up-to-date threat intelligence about the types of cyber threats out there, so at least they know what to look for in the cyber risk landscape. After all, you can’t defend against something when you don’t know what to look for. And, finally, companies can think about investing in reliable security solutions that have been specifically created for industrial control systems (ICS) environments. In other words, they can protect critically important smart building assets with Kaspersky security solutions.
Security lessons from the smart home sector
At the end of the day, the consumer “smart home” sector might have a lot to teach IT security professionals at smart buildings. For years, security researchers have warned about all the weaknesses embedded into common, everyday devices connected to the Internet. These smart home devices – everything from video doorbells to smart thermostats – have been used for stealing account credentials, and even for organizing all of these smart home devices into massive botnets. That’s generated considerable debate and discussion about what can be done to better protect these systems, as well as how security can be embedded into these devices from the original design and manufacture process onwards.
With that in mind, best practices for smart building systems management would seem to suggest that IT administrators do a fair amount of due diligence before hooking up sensors and controllers to smart buildings. And they should take into account basic security practices – such as eliminating default password settings for any hardware devices and disabling unused features – in order to maintain the integrity of protected smart building systems.
It’s a brave new world, now that smart buildings are vulnerable to cyber attacks. Going forward, this Kaspersky report should be a wakeup call for smart building owners everywhere. The same hackers who once broke into smart homes to snoop on data are now turning their attention to smart buildings.