In 2017, hackers stole several gigabytes of sensitive data from a Las Vegas casino. It was later discovered that their point of entry to the network was a newly installed fish tank, which had an internet connection enabling it to be monitored remotely.
This case illustrates the security risks posed by the increasing use of the internet of things (IoT), especially in the shape of smart sensors that track the performance of commercial buildings. Each one represents a potential chink in the network’s armour.
Cybercriminals can find vulnerabilities in devices that most of us might not even consider to be vulnerable. For instance, when Joe Biden moved into the White House in January, even his smart exercise bike was deemed too much of a security risk.
Before the IoT revolution, most buildings’ systems tended to be self-contained and therefore safe from hackers, says Nick Morgan, information security manager at property investor Derwent London. This began to change with the introduction of remote management via permanently connected smart sensors.
“Poorly configured building management systems, which handle aspects such as access control and air conditioning, or even a landlord’s network infrastructure can provide a gateway to a remote attacker,” he warns.
As IoT devices continue to proliferate, the need to secure these from attack becomes paramount, says William Newton, president and MD of WiredScore, a provider of certifications rating the quality of digital infrastructure in buildings.
“All IoT devices present possible entry points for hackers,” he stresses. Letting any one of these go unprotected is “the digital equivalent of leaving a small window open downstairs when you leave the premises. Everything that’s linked to your network – from lighting to the CCTV system to the elevators – needs to be subject to the same stringent security protocols as databases containing confidential information.”
Sally Jones, head of strategy, digital and technology at property firm British Land, observes that the rapid adoption of technology in the built environment has left some people behind the curve. “We’re working hard to educate them as to why this area is so important and why it takes a long time to get a certain supplier on board or to get everything connected,” she says.
In April, WiredScore started offering a certification called SmartScore. Jones reports that this new benchmarking system is “helping us to bridge the gap in our organisation. We’re using it to communicate why cybersecurity is important and what it means to be a secure smart building.”
But it’s still too easy for even the biggest firms to ignore the cybersecurity risks in their eagerness to adopt smart new proptech.
Craig Young is principal security researcher at Tripwire, a provider of threat-detection software. He says that he once discovered a vulnerability at WeWork that was leaving the coworking giant’s building control systems exposed to hackers.
“I was able to contact someone there and they quickly changed their systems, but often I can’t get any kind of response from people in this industry,” he says. “For instance, I know there’s a company in the construction-safety field that seems to be exposing its customers to a potential attack. After months of phone calls and emails, I’ve been unable to get the ear of anyone who cares.”
Young believes that, in many such cases, firms find it hard to conceive that something as seemingly inconsequential as a thermostat can become the ideal discreet entry point for a hacker. His advice to property management firms to “invest time and money in security testing, monitoring and strategy now, rather than spending it later to clean up after a breach”.
Ed Cooke, CEO and managing partner at Conexus Law, believes that there’s also a risk concerning the demarcation of responsibility for cybersecurity in many companies. He explains that, while a firm’s head of IT will typically focus on protecting operational systems, “buildings are increasingly being run by computers that aren’t within the IT team’s remit. These are probably managed by a facilities director or property director, depending upon the size of the business. Indeed, they may even be managed by the landlord.”
A call to action
The 2021 Queen’s Speech included proposals that would oblige manufacturers, importers and distributors to ensure that smart products available for purchase in the UK meet minimum security standards. But what action can building managers and owners take now to ensure the cybersecurity of new IoT installations?
Luke Portelli, building manager at US real-estate giant CBRE, suggests that one obvious way to mitigate risk is to ensure that sensors in a building are independent of the control systems. “This way, if the IoT is hacked, the most the cybercriminal will be able to manipulate is secondary data,” he says.
Portelli cites WeMaintain’s secure, IoT-enabled elevator maintenance set-up as a case in point. This operates in a secure private cloud, with the operating and monitoring systems operating separately from each other. This enables CBRE to retain control over the operation of the elevators and other essential systems in the building while still benefiting from the IoT data provided.
Property companies should also question their building management partners, advises Tiago Dias, a cybersecurity consultant at commercial property insurer FM Global. There’s a risk that these “third parties may be the weakest link”, he says. If their systems become infected, “they’ll need to block the connections that link to the building management equipment”.
He continues: “Another example is where devices have weak security features, such as hard-coded default passwords, that can be exploited by attackers aiming to take control of a system. They can use botnets to flood the network with high volumes of data, disrupting targeted services in what’s known as a distributed denial-of-service attack.”
Dias ends with a clear message for building managers. “You need to ensure that your managed devices are fully protected,” he urges. “These must not be exploited or utilised as launchpads for malicious gains