It is well known that violent physical attacks against tall buildings are on the rise,[1] but an even more concerning threat will take the form of cyberattacks, with the potential to be catastrophically as destructive. In response, security departments securing their tall buildings will now require more than protecting the physical area and surrounding perimeter from physical access by threat actors who might attack a building. They now have to exponentially expand controlling the access to their increasingly smart buildings with their soaring amounts of IoT (Internet of Things) devices and converged OT (Operational Technology) and IT (Information Technology). With the number of entry points multiplying exponentially, the attack surface is now wide open to malicious cyber threat actors not just on location, but from anywhere around the world.
Currently, most new buildings with 100,000 square feet or more are smart buildings with energy efficiencies and Building Automation Systems (BAS) that offer autonomous functionality to control lighting, climate and elevators, and also energy management, electric power distribution, fire detection, video surveillance and badge access. However, these attractive benefits come replete with security concerns. Many building protocols lack adequate cybersecurity features. For example, one of the most widely used data layer protocols for HVAC control, BACnet, is deployed in an unencrypted format. And while more secure versions are emerging, they are not commonly used.
Each one of these autonomous subsystems depends upon hundreds to thousands of sensors and computers and connects to local servers and also to the Internet. Preventing cyberattacks does still entail concerns regarding the physical layout of big buildings, as devices may be in unprotected areas where people can easily access them. One compromised IoT device is all it takes for a cyberattack, and the sheer quantities of devices means this could go undetected for long periods of time. But obviously, physical access is not necessary for a cyberattack to infiltrate and compromise a BAS. In fact, these systems are oftentimes housed in satellite facilities, with minimal to no direct IT support.
A Kaspersky report published in 2019 revealed that 37.8 percent of 40,000 smart buildings had been impacted by a cyberattack, most of which tried to compromise computers controlling the BAS, with 26 percent of threats coming from the web, 10 percent from removable media, 10 percent from phishing links, and 1.5 percent from shared folders on corporate networks.[2] In most cases it was regular malware in the forms of ransomware, worms and spyware, not malicious software specifically intended for BAS, but rather to infect any corporate network.
OT and IT cybersecurity efforts are often siloed, with gaps between OT and IT defenses exploited by adversaries who gain access to OT systems with weak defenses as an entry point into corporate IT networks. The Target retail chain data breach in 2013 was an infamous cyberattack on an HVAC system, used to gain access to the corporate financial systems to steal payment card data from over 40 million people.
The growing use of cyber-physical systems in smart buildings brings with it the capacity to wreak havoc not just in the form of costly breaches compromising data confidentiality, but even more worryingly in the form of physical consequences, such as a cyberattack on a smart building that compromises the availability of a BAS. For example, news circulated in 2017 of a cyberattack on the Romantik Seehotel Jägerwirt , a prominent hotel in Austria, by cyber criminals who compromised the electronic key system, leaving hotel guests unable to enter their hotel rooms, and disrupting other business operations.[3] One can easily imagine physical safety concerns that could arise from a cyberattack on critical BAS functions (such as water, electricity, air ventilation, elevators, as well as fire alarm and extinguishing systems), not to mention the damaging fallout of a disruption of mission-critical operations in hospitals or prisons.
In addition to the aforementioned examples of cyberattacks compromising the confidentiality and availability of a BAS, cyberattacks compromising integrity are not to be ignored. For example, temperature manipulation via a BAS hack could result in physical damage to items such as data servers or perishable goods. Cyberattacks on industrial control systems (ICS) in critical infrastructure sectors are notorious for their physical consequences, such as the BlackEnergy malware that brought down the Ukrainian power grid in 2015, and the Stuxnet worm that resulted in damages to Iran’s nuclear program in 2010, acknowledged as the world’s first large-scale cyber warfare attack.
As noted in Forbes, BAS may become the next target of cyberattacks. Security credentials for smart buildings can be sold for profit on the dark web by cybercriminals, not to mention substantial Bitcoin payments to be reaped from ransomware demands. The threat actors behind these attacks are more than just cybercriminal organizations motivated by financial gain.
Potential threat actors may include hacktivists who oppose corporate policies and products. Adversary nation states and state-sponsored criminal groups are well-funded and highly sophisticated with capabilities to disrupt building operations, as well as cause physical destruction and loss of life.
Whether motivated politically, financially or otherwise, smart buildings are now on the radar of threat actors. Disruptions to a BAS can cause significant damages to a building’s commercial tenants in the form of business downtime, financial loss, and public safety threats, such as shutting down a building’s electricity grid.
Addressing these critical issues will require collaboration amongst city planners, engineers and cybersecurity professionals, as well as cybersecurity frameworks and risk-analysis tools for the building industry to effectively meet the present and future challenges of securing tall smart buildings.
Securing tall buildings is, therefore, no longer about just securing the physical space of a building from potentially violent attacks. Moreover, cybersecurity is no longer about just preventing loss of data or confidentiality breaches to business entities but to major buildings that house a multitude of potentially affected tenants, including retail establishments.
Cybersecurity concerns for interconnected BAS devices within smart buildings extend into the realm of physical damages, and potential threats to tall smart buildings now include a complete building takeover from hackers who could gain remote access from other countries. While financial loss and reputational damage are serious concerns, a catastrophic event resulting in loss of life can now occur, not just by the physical presence of a terrorist or an active shooter engaging in workplace violence, a deliberate crash by a car bomb or a plane crash, but by the stroke of a computer’s keyboard far, far away.
