If you ask most smart building managers why they’re investing in IoT, they’ll tell you that it’s all about convenience. They’re interested in technology because it can make the process of running a building – and keeping its occupants safe and comfortable – simpler. Whether that’s by taking data collection off their hands, allowing them to monitor and make adjustments to their buildings remotely, or by automating some of the more time-consuming (and, let’s face it, boring) parts of keeping a building running.
Which means that most of them haven’t considered the cyber security risks that their smart buildings could be exposed to.
And that means that, as an IoT product developer, it’s your job to consider every possible threat that your connected devices could introduce into your customers’ buildings.
In many cases, you’re the only thing standing between your customers and a world of malware, denial-of-service attacks, and data breaches. In fact, a recent Deloitte survey of commercial real estate owners and property managers found that they believe the biggest cyber security threat is exposure from third-party vendors.
So if you can show that you’re protecting customers from these kinds of attacks, you could win a huge competitive advantage – but we’ll get into that later in the blog.
For now, let’s take a look at the potential attack surfaces that hackers and researchers alike have uncovered in almost every smart building.
Which smart building devices are vulnerable to hacking?
Let’s get one thing straight: Every device that’s connected to the internet is vulnerable to cyber attacks. If you’re developing or providing an IoT device of any kind, you should be thinking about how to secure it.
But some connected devices are arguably more vulnerable than others – or more likely to cause major damage if they’re breached.
It’s easy for smart building managers to overlook the cyber security of ‘simple’ smart devices like HVACs. Cyber security firm ForeScout Technologies recently found that thousands of HVAC systems are vulnerable to cyberattacks – and that number is only going to grow as more and more companies adopt IoT humidity and temperature controls.
More worrying still, most of the devices they identified were located in hospitals and schools.
If you’re a smart HVAC brand, make sure you’ve considered the following threats:
Denial-of-service attacks – For most smart buildings, loss of access to their HVAC is more of an inconvenience than a life-or-death situation. But many smart HVAC systems are installed in hospitals, where loss of service could cause real harm to patients who need their environment to be maintained at a certain temperature or level of humidity.
Network breaches – Because HVACs are often left unsecured, with no cyber security protection and only a default password to stop hackers, they can be used as an easy gateway into your customers’ wider networks.
Building managers tend to be a little more aware of the potential dangers of a hacked smart elevator. No one likes the idea of being trapped in a metal box 20 stories up with a cybercriminal in control of your elevator system.
So smart elevator hacks are more of a universal physical threat to smart buildings. But you and your customers should be aware of the full range of possible smart elevator vulnerabilities.
Breakdowns in data reporting – If hackers can prevent your smart elevator from sharing usage data or flagging maintenance issues, your customers could easily overlook potentially dangerous malfunctions or cause a breakdown by missing a maintenance check-in.
Denial-of-service attacks – How easy is it for hackers to breach your device’s defenses and disable elevators entirely? In a particularly tall building, shutting down the elevators can cause chaos by trapping occupants on certain floors or preventing service and security staff from reaching certain areas.
Network breaches – If your smart elevator isn’t secured, it could become a handy doorway for hackers to enter your customers’ entire network.
Perimeter access and door locks
This is probably what most of your customers think of when they’re imagining someone infiltrating their smart building.
Mention the word ‘hack’ and they’ll probably be imagining some Mission Impossible-style hacker “breaking into the mainframe” and taking down their perimeter security fences.
The reality is usually much more mundane, of course – but no less scary for smart building managers. A worrying number of perimeter security measures are still unsecured from a cyber security perspective, which means some smart buildings could be infiltrated with relatively little effort.
As an IoT brand, you should make sure you’ve considered the impact of:
Denial-of-service attacks – Most people will worry about criminals getting into the building, but what if they can stop occupants getting out? Or even just stop smart building managers from accessing certain parts of the building? Make sure you’ve considered fail-safes that allow your customers to take back control in the event of an attack.
Network breaches – You get the picture by now: Your customers’ perimeter access controls aren’t just a gateway to the building, they’re also a potential gateway to the wider network. Considering that door locks and perimeter security measures are likely to be plugged into a wider security network, any hacker that infiltrates could be able to take control of all of your customer’s security systems – a potentially devastating turn of events.
How can you make your devices more secure?
Even if your devices aren’t listed here (and you’ve ignored everything we’ve said above about the vulnerabilities common to all connected devices), most of these threats could still affect your products.
But don’t worry – most of these problems arise from the same kinds of cyber security weaknesses. And, if you think carefully about the following elements, you can easily close lots of these gaps in your security.
The physical placement of devices
Devices in smart buildings are, by definition, located either out of reach in ceilings, closets, or crawl spaces (to keep them away from the public), or out in the open (so that they can gather data in areas with heavy footfall, or so that they can be accessed or used easily on a regular basis).
The out-of-the-way devices are often easily overlooked and rarely inspected, making it easier for hackers to break in undetected.
The accessible devices are much more easily damaged or stolen – either by innocent members of the public, or by hackers.
When you’re building devices, think about the context in which they’ll be installed. If they’re out of the way, set up a system that nudges your customers to check in on the physical condition of the devices on a regular basis. If they’re accessible, explore ways to make them more robust, or implant tracking tags that prevent thieves from taking them too far from the building.
One building, many IoT providers
It’s rare for a smart building manager to buy all of their devices from one provider. Usually they’re installed little by little, whenever they’re needed.
The result is that most smart buildings are crammed full of devices that are built by different IoT brands and have different standards and practices for cyber security.
Which makes it almost impossible for your customers to keep track of the cyber security protocols for all of their devices. Which devices come with default passwords that need updating? Which devices will alert them if there’s a cyber security issue? Which devices need to be checked manually and which will send automatic updates?
As an IoT brand, you can help set yourself apart from other providers and keep your customers safer by:
Making sure your devices meet local standards for cyber security. The EU, UK, US, and a number of bodies have all recently introduced regulations for cyber security, so make sure your devices align with these – then you’ll know your customers are getting a consistent security experience.
Integrating your devices with smart building hubs and digital twins, which allow your customers to monitor and interact with all of their devices in one place — making it easier to spot security threats.
Lack of built-in cyber security
Too many IoT brands are making security an afterthought. They focus on delivering a high-functioning product and then – sometimes at the very last minute, or after the last minute when a breach has already occurred – hastily add on a few cyber security measures like password protection or encryption.
It’s hardly surprising: IoT security is complex, and it’s always evolving. It can be tough to keep up with every threat your devices might come up against.
But the reality is that IoT brands need to make cyber security a priority, if they’re going to protect their customers and stay competitive in an increasingly security-conscious market.
That means you need to:
Invest in embedded IoT endpoint protection for all of your devices – software that can be installed during manufacturing (or after manufacturing, through a firmware update) to provide your devices with continuous protection.
Partner with a security provider that specializes in IoT security. They’ll be able to help you spot previously overlooked vulnerabilities, keep up with the latest hacking techniques, and protect your devices without slowing down their performance.
Is your smart building IoT truly secure?
Connected devices are bringing in a new wave of convenience and insight for smart building managers. But, as an IoT expert, you’ll need to make sure you’re guiding them towards safe, secure IoT implementation.
It’s not always easy but if you can show customers that you’re protecting them against major threats – and proactively making your devices more secure – the rewards can be enormous.
Winning more customers. Forging deeper, more trusting relationships with your existing customer base. Differentiating yourself from the competition as the most secure brand in the smart buildings market.
At Firedome, we’re experts in IoT cyber security – and our lightweight embedded endpoint protection software is already changing the way IoT brands across the market protect their customers. If you’d like more advice on helping your customers secure their smart building devices, we’re always here to help.