Smart Building Automation Systems Vulnerable to Hackers, Report Finds
Hackers have hit computer systems used to control automated smart buildings with a variety of attack types so far this year, according to new research by security provider Kaspersky.
Smart building rely on Internet of Things (IoT) devices that automate processes to control buildings operations such as heating, ventilation, air conditioning, lighting, security and other systems. Remote monitoring technology that leverages IoT connectivity, sensors and the cloud is a key feature of smart building operations.
These systems are typically managed and controlled by internet-facing generic workstations, making them particularly vulnerable to cyber attacks that can result in the failure of one or several critically important smart building systems. “Such automation systems are used not only in office and residential buildings, but in hospitals, shopping malls, prisons, industrial production, public transport, and other places where large work and/or living areas need to be controlled,” said Kirill Kruglov, security researcher at Kaspersky’s industrial systems emergency response unit,” in a blog post.
Some 37.8 percent of smart building technologies have been attacked by malware in one form or another in the first six months of 2019, the report’s data showed. While it is unclear if such systems were deliberately targeted, they often become an end point for various generic threats posing significant implications to smart building operations, Kruglov said. The figures are based on a random sample of some 40,000 of Kaspersky’s security solutions installed in building-based automation systems. By comparison, 39.9 percent of Kaspersky’s systems were hit by attackers in the same period last year.
Of the attacked systems, more than 11 percent were hit with different variants of spyware. Worms were detected on 11 percent of workstations, while eight percent were infected with phishing scams and four percent were hit by ransomware. Some 26 percent of threats came from the internet and 10 percent originated via email links and attachments. About 1.5 percent were attacked from sources within an organization network such as shared folders.
Of note, most of the blocked threats are neither targeted, nor specific to building-based automation systems. “In other words, it is ordinary malware regularly found on corporate networks unrelated to automation systems,” that pose the threats, Kruglov said. Attacks in Italy and Spain each saw roughly 48 percent of their protected smart building security solutions assaulted. The U.S. was not among the top 10 countries experiencing those types of attacks.
While the threats hackers present to smart building technology is relatively low compared to other industries, their potential impact should not be underestimated, Kruglov said. “Imagine if credentials from a highly secured building are stolen by a generic piece of malware and then sold on the black market, or a sophisticated building’s life support system is frozen because essential processes have been encrypted by yet another ransomware strain,” he said. “The list of possible scenarios is endless.”
And, it’s not only IoT devices and computer systems that can be targeted by smart building hackers. The networks of developers, integrators, and operators who often hold privileged remote access credentials to a high huge number and variety of objects are also subjected to random and targeted attacks.
Security teams whose responsibilities extend to the IT networks of smart buildings should not neglect walling off that environment from hackers, Kruglov said. “Even a basic solution will provide benefits and defend the organization against potentially crippling attacks.”