Building Management Systems (BMSs) are a key component of modern infrastructure, an essential part of OT that continues to evolve to provide businesses with more control over their properties. For many companies, BMSs have been a significant upgrade in terms of efficiency and costs.
However, smart buildings that rely on state-of-the-art BMS are also an attractive target for malicious agents. The real problem is that research in the past decade has shown how insecure and weak BMSs can be.
This powerful resource creates a plethora of opportunities for businesses, but on the cybersecurity side, there has been severe neglect.
In the following lines, we will address the importance of cybersecurity specialists when it comes to protecting smart buildings.
Hacking a Building
Modern buildings have become complex systems of interconnected devices that control everything. These smart buildings rely on many different technologies for day-to-day operations, all of them managed through BMS and, at the same time, connected to the Internet for greater convenience.
As with everything connected to the Internet, there is the potential for misuse and abuse. Malicious agents have the opportunity to “break in” to these smart buildings and cause mayhem.
What might an attack look like in real life? For example, a malicious agent may sabotage the HVAC system in a building with the aim of causing severe damage to data centers and other hardware that requires proper refrigeration and ventilation.
The distance between OT and IT systems is also an important reason why these situations occur in the first place. The industry evolved this way for years, and vendors did little to nothing to remediate the problem. It has become the client’s responsibility to make sure that the BMS doesn’t fall victim to cybercrime.
Neglect from Vendors
Last year, the Department of Homeland Security gave a maximum severity score to a vulnerability present in a widely used smart building automation system. The vulnerability allowed a malicious party to access a cloud-based system that controlled everything from HVAC to door locks.
This is a serious precedent that reflects not only on the available solutions but also on the vendors behind them.
Typical solution providers that implement Building Management Systems stop when the platform is up and running. When selling the solution, they do not explain to their clients the potential vulnerabilities these systems could have or their implications. Instead, they make sure to present such technologies as robust and secure, and most of the time, there are no cybersecurity specialists present to support the implementation.
IoT and its Challenges
As powerful as IoT is, it also poses a challenge when it is managed poorly and its cybersecurity is neglected.
A fascinating study in 2014 pointed out how SHODAN, a search engine dedicated to indexing Internet-connected devices worldwide, could show surprisingly detailed information that could be used by malicious parties.
SHODAN publicly delivered information such as IP addresses, geographic locations, service port header info, firmware, protocol, and owner. There was no wall between this critical data and the searchers.
In a highly connected world, industries like BMS are suffering, and unaware clients are paying for the losses.
The Role of the Cybersecurity Specialist
As we said before, vendors bear a huge responsibility for the vulnerabilities found and their potential consequences.
Nonetheless, now that the risk is visible, businesses must take an active part in the solution. Taking an active part means getting a cybersecurity specialist involved to protect themselves from potential exploits.
Smart buildings can enjoy greater cybersecurity with the help of a specialist who can detect these weaknesses in time.
An external professional can and will audit the infrastructure to find and fix such vulnerabilities. And because we know BMS well, we can say it is very likely that these vulnerabilities exist.
If you are working with a BMS, you must be aware of the possibility of suffering a cyberattack. Therefore, having the help of a cybersecurity professional may be the best option to preserve your smart building’s integrity.