2. Smart Building
• A smart building is any structure that uses
automated processes to automatically control
the building’s operations including heating,
ventilation, air conditioning, lighting,
security and other systems.
4. Smart Building
• A smart building uses sensors, actuators and
microchips, in order to collect data and manage it
according to a business’ functions and services.
• This infrastructure helps owners, operators
and facility managers improve asset reliability
and performance, which reduces energy use,
optimizes how space is used and minimizes the
environmental impact of buildings.
6. Smart Building
• At the most fundamental level, smart
buildings make occupants more productive
with lighting, thermal comfort, air quality,
physical security, sanitation and more at
lower costs and environmental impact than
buildings that are not connected.
8. Smart Building
• Smart office buildings, health care facilities,
hospitals, educational facilities, stadiums and
many other types of smart buildings exist
around the world.
• Navigant Research estimates that the smart
building technology market will generate
global revenue of $8.5 billion in 2020, up from
$4.7 billion in 2016, growing at a compound
annual growth rate of 15.9% over the forecast
period.
10. The Creation of a Smart Building
• Making a smart building, or making a
building smart, begins by linking core
systems such as lighting, power meters,
water meters, pumps, heating, fire alarms
and chiller plants with sensors and control
systems.
• At a more advanced stage, even elevators,
access systems and shading can become part of
the system.
12. The Creation of a Smart Building
• There is no single set of standards that makes up
what a smart building is, but what they all have in
common is integration.
• Many new buildings have “smart” technology, and
are connected and responsive to a smart power grid.
• You don’t even need to move offices or create a new
building to work in a smart building.
• Building automation systems like those from
Honeywell or Johnson Controls exist so property
owners can take advantage of the power available
in older structures.
15. The benefits
• Creating or transforming a building into a
smart building is beneficial for both the owner
and the organizations working within.
• These benefits range from energy savings to
productivity gains to sustainability.
• Smart building strategies can reduce energy
costs, increase the productivity of the facility
staff, improve building operations, support
sustainability efforts and enhance decision-
making across the organization.
17. The Benefits
• One example of energy efficiency is the use
of optimal start/stop, which allows the
building automation system to learn when it
should bring the air conditioning system
online for a particular zone in the building.
• Another feature is electrical loads that are
grouped into categories from critical to high
priority to non-essential.
19. The Benefits
• “When the building load is rising and
approaching the high limit setting, the
nonessential loads are turned off in their
subgroup order, followed by the high-
priority loads”
21. Cyber-Security Vulnerabilities in Smart
Buildings
• Today’s smart buildings are increasingly enabled
by Internet of Things (IoT) and made functional
by the ongoing convergence of Operational
Technology (OT) systems and Information
Technology (IT) systems in buildings.
• A host of new elements such as the cloud,
remote access, data sharing and analytics, and
connected and shared networks has
fundamentally changed how built environments
are being used and operated.
24. Cyber-Security Vulnerabilities in Smart
Buildings
• However, buildings are exposed to a new
threat that has been downplayed and
undervalued for a long time.
• After witnessing a recent slew of security
breaches, stakeholders of the smart
buildings industry are recognizing the
potential damaging impact cyber threats
pose for the industry and its related
businesses.
26. Defining Smart Buildings And Cyber-Security
• Smart Building can be defined as one that
uses both technology and processes to create
an environment that is safe, healthy, and
comfortable and enables productivity and
well-being for its occupants.
28. Defining Smart Buildings And Cyber-
Security
• A smart building is characterized by active
IT-aided intelligence, smart sensors and
controls for seamless operation, real-time
dissemination of operational information
for predictive analytics, and diagnostics to
facilitate better management, maintenance,
and optimization over time.
29. Defining Smart Buildings And Cyber-Security
• Cyber security in the context of a smart
building is defined as the quantum of
technologies, processes, and practices designed
to protect from unauthorized access all
building systems and networks, including
front-end physical and IT systems within the
building, accessories and field-level devices,
data and application platforms, and data
aggregation systems such as all localized and
remote systems that help in operating and
maintaining a smart building.
30. Cyber Risks in Smart Buildings
• Technology Progression
• The building automation system (BAS) or a
building operating system (BOS) has moved
considerably from the physical realm to one
with IT enabling all aspects of its functioning.
Furthermore, there is now a new generation
of connected and intelligent buildings
powered by IoT.
31. The Integrated Building Network
• The integrated network of a smart building
is where the true benefits of a smart and
converged infrastructure are realized by
building owners and operators; however, this is
also the point where extreme exposure to
security vulnerabilities is manifest.
33. Security Vulnerabilities of a Smart
Building’s Integrated Network
• The integration portion of a smart
building’s software is subject to extreme
vulnerabilities, in which the BAS is
connected to virtually any other aspect of the
building, and from which a skilled hacker
could access nearly any system in a
corporate network.
35. IoT and Cyber Risks
• Activities centering on IoT are delivering
increasingly unique advantages and novel
challenges.
• The advantages include real-time access, vast data
generation and analytics, and interconnectivity of
systems and devices.
• These advantages by themselves, however, offer little
value unless the crucial decision to share the data and
networks is simultaneously taken, thus permitting
access to multiple service providers to tap into a
smart building’s various systems and devices.
37. IoT and Cyber Risks
• This access implies potential security
breaches that could render a smart
building, its occupants, and service
providers powerless over an adversary’s
damaging actions to corrupt networks,
misuse critical information, and cause
significant operational and financial loss.
40. Why cyber criminals are targeting smart
buildings?
• In countries like the United States, the growth
of smart buildings is estimated to reach 16.6%
by 2020 compared to 2014, although this
expansion is not limited to the US but rather is
taking place on a global scale.
• This growth is largely due to the fact we live in
a world increasingly permeated by technology,
in which process automation and the search for
energy efficiency contribute not only to
sustainability, but also to cost reduction
41. Why cyber criminals are targeting smart
buildings?
• Smart buildings use technology to control a
wide range of variables within their
respective environments with the aim of
providing more comfort and contributing to
the health and productivity of the people
inside them.
• To do so, they use so-called Building
Automation Systems (BAS).
43. Why cyber criminals are targeting smart
buildings?
• With the arrival of the Internet of Things (IoT),
smart buildings have redefined themselves.
• With the information they obtain from smart sensors,
their technological equipment is used to analyse,
predict, diagnose and maintain the various
environments within them, as well as to automate
processes and monitor numerous operational variables
in real time.
• Ambient temperature, lighting, security cameras,
elevators, parking and water management are just
some of the automatable services currently
supported by the technology.
46. Why cyber criminals are targeting smart
buildings?
• To put the possibilities of this smart infrastructure into
perspective, consider the example of a smart building in Las
Vegas where, two years ago, they decided to install a
sophisticated automation system to control the use of the
air conditioning (keeping in mind Las Vegas has a hot
desert climate and very little rain), so it is turned on only
when there are people present.
• This decision led to a saving of US$2m during the first
year after the smart system was installed, due to the
reduction in energy consumption achieved by automating
the process.
• Marriott Hotels implemented a similar system across the
entire chain that is expected to generate an estimated
US$9.9 m in energy savings.
48. Possibility of a smart building being
attacked
• The risk of a security incident taking place in an
intelligent building is linked to the motivations of
cyber criminals, who mainly seek to achieve
economic gain through their actions, as well as to
impact and spread fear.
• There are already some tools such as Shodan that
allow anybody to discover vulnerable and/or unsecured
IoT devices connected publicly to the internet.
• If you run a search using the tool, you can find
thousands of building automation systems in its lists,
complete with information that could be used by an
attacker to compromise a device.
50. Possibility of a smart building being
attacked
• Smart homes and buildings are a new
battlefield for hackers and security experts
• Most people wouldn’t consider their heating,
ventilation, and air conditioning (HVAC)
system as a prized target for cyber criminals.
After all, a successful hacking attempt could
go as far as making us uncomfortable for a
few minutes until we fix the problem.
52. Possibility of a smart building being
attacked
• This wishful thinking, however, is what
hackers are counting on. As we deploy a
growing number of connected devices such as
smart HVACs, intelligent cameras, and smart
doorbells in our homes and offices, the
complexity of the Internet of Things (IoT)
ecosystem increases.
54. Possibility of a smart building being
attacked
• Gartner, a research and advisory company,
predicts that 25 billion connected devices
will be in use by 2021.
• And many of these IoT devices will interact
with each other through house automation
servers like FHEM (Freundliche
Hausautomatisierung und Energie-
Messung) and Home Assistant, making our
lives more comfortable, but less secure.
57. Possibility of a smart building being
attacked
• Sure, having tech that automatically turns on
the air conditioner and lights as people enter
the room is convenient, but building
automation systems (BAS) that integrate
connected ‘things’ are often inadequately
secured and configured.
59. Possibility of a smart building being
attacked
• Hackers easily breach them by, for instance,
finding a weak spot in an unprotected web
login page of a fire detection system.
• Once inside, hackers move to take over other
parts of the BAS as well and can shut down the
alarm or heating systems and demand ransom
payment.
• This threat, also known as ‘siegeware’, is
growing in severity, and many companies and
individuals have already fallen victim to these
attacks.
62. Scope of The ‘Siegeware’ Threat
• According to ForeScout, a cyber-security
firm, the number of vulnerabilities in
automation systems is constantly increasing.
• Hospitals and schools are particularly
unprotected from cyber-attacks, and they
operate as many as 8,000 highly vulnerable
devices. And taking full control of these
devices can have major consequences.
64. Scope of The ‘Siegeware’ Threat
• ForeScout explains that control over smart
devices can eventually provide hackers with
access to private financial files and information
stored in data centres.
• Also, they can listen to conversations, review
camera streams, delete files, reprogram
automation rules, distribute malware, and
provide unauthorised individuals with physical
access to the building.
66. Scope of The ‘Siegeware’ Threat
• And although many of the vulnerabilities that
hackers exploit are well known, only about
half of them in industrial and IoT systems have
been patched.
• What’s worse, even hackers with limited
resources can develop effective malware and
hack smart buildings.
67. Creating powerful malware isn’t as
expensive as it may seem
• For instance, it took ForeScout only $12,000
to develop proof-of-concept malware to
show how easy it is to hack a smart building.
• In that process, the security experts first
spent some time analysing various
automation systems and looking for weak
spots.
69. A hacker hijacked Nest devices in a
family home
• Arjun and Jessica Sud from Lake Barrington,
a village in the US state of Illinois, certainly agree
with ForeScout, as they were victims of a
malicious cyber criminal.
• He hacked their Nest cameras, speakers, and
thermostat, and, at first, talked to their 7-
month-old baby.
• As Arjun grabbed the kid and went
downstairs, he noted that the temperature,
which was usually set to around 22°C, was
turned up to 32°C.
71. Family Was Watched Through Nest Security
Cameras
• https://youtu.be/qrgn8zHpGfs
• https://sagaciousnewsnetwork.com/family-was-
watched-through-nest-security-cameras
72. A hacker hijacked Nest devices in a
family home
• A deep male voice then yelled at him through
the speaker in a security camera, using racial
insults and cursing.
• And as soon as the voice stopped screaming,
Arjun and Jessica unplugged 17 Nest
devices worth $4,000 and returned them to
Google’s company.
74. Exfiltrating data through a fish tank and
modem routers
• But despite all the security measures in
place, creative hackers are sometimes able
to overcome any obstacle.
• In Las Vegas, for instance, they hacked a
casino through a high-tech fish tank that
was connected to the internet.
• The malware extracted ten gigabytes of data
and transferred it to a remote server in
Finland.
76. Exfiltrating data through a fish tank and
modem routers
• The full scope of the breach was spotted only
after the staff called in experts from Darktrace, a
cyber-defence company, to analyse suspicious
activity.
• Darktrace says that “this was a clear case of data
exfiltration but far more subtle than typical
attempts at data theft.”
• This, however, isn’t the only way hackers exploit
the vulnerabilities of connected ecosystems.
78. Exfiltrating data through a fish tank and
modem routers
• In one such example, cyber criminals hijacked
D-Link DSL modem routers and redirected all users
that wanted to visit the website of Banco do Brasil to
a fake website.
• The attack was highly sophisticated in the sense that the
hijacking succeeded without editing URLs in the
victim’s browser. Also, the malicious code works on
both Apple and Android phones and tablets.
• The victims then enter their username and
password, believing they’re accessing online
banking accounts, while in reality, they’re delivering
sensitive data to hackers.
81. Google Hacked By Its Own Employee
• Even big tech companies aren’t immune to security
flaws in IoT devices.
• Google’s engineer David Tomaschik, for example,
found a way to control smart locks used in the
company’s Sunnyvale offices by replicating the
encryption key and forging commands in the office
controller software made by the tech firm Software
House.
• Even without the required RFID keycard,
Tomaschik managed to open or lock the door and
prevent people from entering the facility. And he
could do all of this without leaving any digital traces
behind.
83. Hospital data breach left 1.5 million
patients exposed
• Meanwhile, cyber criminals stole the
personal data of 1.5 million patients in
Singapore, including their names, gender,
identity card numbers, and addresses.
• They stole even the prescription data of Prime
Minister Lee Hsien Loong.
85. Hospital data breach left 1.5 million
patients exposed
• The attack took place between 27 June and 4
July 2018, as the hackers breached the network
of SingHealth, Singapore’s largest group of
healthcare institutions.
• Luckily, records such as diagnoses or test
results weren’t tampered with, but the
authorities paused many of the country’s
Smart Nation initiatives because of the
attack.
87. Hospital data breach left 1.5 million
patients exposed
• And many people fear that hackers could misuse
their identities, as ID numbers are crucial for
accessing various government services in
Singapore.
• Leonard Kleinman, the senior director of IT
Security for the Australian Tax Office and
cyber security advisor to the security company
RSA, says that “such data can fetch a high
price”. In 2017, a stolen or lost healthcare
record was worth as much as $408 on the Dark
Web.
89. Siegeware and BAS attacks, an emerging
threat
• As technological solutions to cybercrime
become increasingly advanced, able to
preempt attacks and weed out vulnerabilities
before they’re widely known, attackers
also become more adept at cloaking their
presence and concealing their intent.
91. Siegeware and BAS attacks, an emerging
threat
• The targets of attacks also change with the
times.
• Hacking websites and bank accounts is old hat;
some of the most threatening dangers to
the most modernized companies and even
citizens are those that target technology that
doesn’t yet have robust security systems,
or even standards, in place.
93. Siegeware and BAS attacks, an emerging
threat
• It’s sad, but well known that the average
consumer doesn’t spend a lot of time worrying
about whether the firmware on their IoT
devices is up-to-date, leaving millions of
devices around the world critically
vulnerable to attack.
94. Siegeware and BAS attacks, an emerging
threat
• However, you would be forgiven for assuming that
companies implementing centralized control of a
building’s life support functions such as HVAC, fire
security, doors and windows, etc. along with more
convenience focused building automation systems,
would prioritize cyber security.
• This is not always the case, and can lead to a potentially
disastrous situation for the homes and organizations
that implement Building Automation Systems (BAS)
and the companies that manufacture, install, and
maintain them.
96. Siegeware and BAS attacks
• When attackers combine ransomware with
BAS vulnerabilities, we get Siegeware.
• The attacker takes control of a building and
shuts down critical operations such as
heating, cooling, alarm systems, and even
physical access, and will only rescind
control once a ransom has been paid.
98. Siegeware and BAS attacks
• Gaining access to the BAS means the
attacker becomes the digital overlord of the
building. By controlling the automated system
that governs the functionality of the building,
they control the building itself.
• They can turn off ventilation, heating, fire
suppression systems, and potentially extend
influence to other digital functionality of the
building.
100. The hacker can access seven systems
remotely once he hijacks the BAS:
• Lighting control systems
• Fire detection and alarm systems
• Automated fire suppression systems
• Integrated security and access control systems
• Heating, ventilation, and air conditioning
• Power management and assurance systems
• Command and control systems
• The consequences of losing control of these
systems may range from discomfort to potentially
life-threatening situations.
102. An Emerging Threat
• Siegeware is quickly becoming one of the
most dangerous and effective methods of
cyber-attack.
• Many companies have already fallen victim to
these attacks, and those that haven’t given in
to the ransom demands have faced highly
disrupted operations as a result.
104. An Emerging Threat
• BAS allows a single command center to
control and automate all connected systems
in a building so that a high level of comfort
can be achieved efficiently.
• But vulnerabilities exist in any connected
system, and when the network is
compromised the prospect of physical
danger becomes very real.
106. An Emerging Threat
• With increasing numbers of organizations adopting
BAS infrastructures, the number of potential targets
rises, along with the time spent by attackers
searching for as-yet unknown vulnerabilities.
• To make things worse, many of these buildings are
connected to the internet where anyone with the correct
username and password can access them.
• As of February 2019, there were 35,000 BAS
systems connected to the public internet globally,
and it’s highly likely that many of these are using
default usernames and passwords.
108. An Emerging Threat
• Even if the majority of organizations
implement adequate security, those that do not
face severe consequences.
• Countless schools, hospitals, universities, and
banks have all fallen prey to ransomware attacks
in the past few years, and this is likely to
mutate into large-scale siegeware attacks in
coming months to many BAS equipped buildings
that do not have effectively secured networks.
110. Siegeware: When Criminals Take Over Your
Smart Building
• Siegeware is what you get when
cybercriminals mix the concept of
ransomware with building automation
systems: abuse of equipment control software
to threaten access to physical facilities.
111. Siegeware: When Criminals Take Over Your
Smart Building
• Imagine you are the person in charge of
operations for a property company that
manages a dozen buildings in a number of
cities. What would you do if you got the
following text on your phone?
• “We have hacked all the control systems in
your building at 400 Main Street and will close
it down for three days if you do not pay $50,000
in Bitcoin within 24 hours.”
113. Siegeware: When Criminals Take Over
Your Smart Building
• In this scenario, the building at that address is one
of several upscale medical clinics in your
company’s portfolio.
• The buildings all use something called a BAS or
Building Automation System to remotely manage
Heating, Air Conditioning, and Ventilation
(HVAC), as well as fire alarms and controls,
lighting, and security systems, and so on.
• As many as eight different systems may be
remotely accessible.
116. Siegeware: When Criminals Take Over
Your Smart Building
• In this scenario, if someone has in fact
gained control of the BAS, then it is entirely
possible that the sender of the threatening
message could make good on their threat.
118. Siegeware: When Criminals Take Over
Your Smart Building
• Clearly, holding a building for ransom by
leveraging its reliance upon software is now
on the criminal agenda, part of the expanding
arsenal of techniques for profiting from the
abuse of technology
120. Siegeware: When Criminals Take Over
Your Smart Building
• From Neolithic hilltop settlements to
medieval castles and walled cities, human
structures have always been a target for
nefarious activity, often besieged by
aggressors because access to them is
essential to their functionality, be that
living, working, meeting, trading, storage,
or medical care.
121. Siegeware: When Criminals Take Over
Your Smart Building
• Numerous practical and financial benefits can
accrue from enabling remote access to a BAS,
but when you combine criminal intent with poorly
protected remote access to software that runs a
building automation system, siegeware is a very
real possibility.
• To put it another way, siegeware is the code-
enabled ability to make a credible extortion
demand based on digitally impaired building
functionality.
123. Siegeware: When Criminals Take Over
Your Smart Building
• How widespread will the siegeware problem
become in 2019?
• That will depend on several factors: how
aggressively cases are investigated by law
enforcement; how many victims refuse to
pay; and how many targets of opportunity
the bad actors can find.
125. Siegeware: When Criminals Take Over Your
Smart Building
• So, if you are at all concerned about the
possibility of a siegeware attack, ask around to
see if there is any remote access for the BAS in
“your” building.
• Then try to find out how well protected it is. Has
access been placed behind a firewall?
• Does access require a VPN connection?
• Is access protected with multi-factor
authentication or just a password?
• If the latter, then immediately call a meeting to
get that fixed.
127. Siegeware: When Criminals Take Over
Your Smart Building
• Frankly, anything less than hiding the BAS
login behind a VPN with 2FA means a
building is at risk from criminals wielding
siegeware.
• With 2FA now being so widely available and
easy to use, failure to take advantage of it to
protect a BAS is likely to fail a reasonable
test, should building tenants sue in the wake
of a siegeware attack.
129. Preventing BAS hijacking
• Any smart home or other BAS controlled
building is a potential target for siegeware
attacks.
• If you live in a smart-home, or are the building
manager or security officer at an organization
that utilizes BAS to control functions of the
building, then it’s critical to ensure
that the security systems are up to the task
of controlling access to the BAS.
130. Preventing BAS hijacking
• Many contractors will simply set up the
automated control system on a web-based
login interface.
• It makes it easier for them to make any
changes later on or solve any issues that might
appear.
• However, such remote access is vulnerable
to unauthorized access.
131. Preventing BAS hijacking
• If there is remote access to your BAS, it needs to be
considered a critical IT system. See to it that you
have the following, at the very minimum:
• Up to date firmware
• Firewall
• Encrypted connection
• Preferably VPN-only access from the building’s IP
• Strong passwords
• Multi-factor authentication
• Lockout on failed password attempts
• Notification of login attempts
133. Preventing BAS Hijacking
• If remote access to a BAS is vulnerable in
even one of these areas, it’s susceptible to
being hijacked.
• By implementing at least three authentication
types - password, possession, IP - unauthorized
access can be discouraged, but not necessarily
stopped entirely for a determined attacker.
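An added example, not part of the original slides: a login gate for a BAS remote-access page that combines the three factors named above (password, possession, source IP) with lockout on failed attempts and a notification for every attempt. The VPN address pool, thresholds, account name and one-time code are assumptions constructed for illustration, and the second-factor check is a stand-in for a real TOTP or hardware-token verifier.

```python
"""Added example: password + possession + source-IP gate with lockout and notifications."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

VPN_RANGE = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN address pool
MAX_FAILURES = 3        # assumed lockout threshold
FAILURE_WINDOW = 300    # seconds over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked account stays locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not reusable if leaked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGate:
    def __init__(self, verify_second_factor):
        # verify_second_factor(user, code) -> bool is a hypothetical hook
        # standing in for a real one-time-code or token check.
        self.accounts = {}
        self.notifications = []  # every attempt is recorded, granted or not
        self.verify_second_factor = verify_second_factor

    def add_user(self, user, password, salt=b"constructed-salt"):
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _notify(self, now, user, src, outcome):
        self.notifications.append((now, user, src, outcome))
        return outcome

    def attempt(self, now, user, src, password, code):
        # Factor 1: source IP must come from the VPN pool.
        if ipaddress.ip_address(src) not in VPN_RANGE:
            return self._notify(now, user, src, "denied:not-on-vpn")
        acct = self.accounts.get(user)
        if acct is None:
            return self._notify(now, user, src, "denied:bad-credentials")
        # A locked account is refused before any credential is checked.
        if now < acct.locked_until:
            return self._notify(now, user, src, "denied:locked")
        # Factors 2 and 3: password (constant-time compare) and possession.
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if pw_ok and self.verify_second_factor(user, code):
            acct.failures.clear()
            return self._notify(now, user, src, "granted")
        # Count the failure inside a sliding window and lock at the threshold.
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW] + [now]
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return self._notify(now, user, src, "denied:locked-now")
        return self._notify(now, user, src, "denied:bad-credentials")


def replay_constructed_attempts():
    """Run a constructed sequence of login attempts through the gate."""
    gate = LoginGate(lambda user, code: code == "492817")  # constructed code
    gate.add_user("facilities", "correct horse battery staple")
    good = ("correct horse battery staple", "492817")
    attempts = [
        (0, "facilities", "203.0.113.7", *good),             # valid login, but not via VPN
        (10, "facilities", "10.8.0.15", "admin", "000000"),
        (20, "facilities", "10.8.0.15", "password", "000000"),
        (30, "facilities", "10.8.0.15", "1234", "000000"),   # third failure locks the account
        (40, "facilities", "10.8.0.15", *good),              # refused while locked
        (1000, "facilities", "10.8.0.15", *good),            # lock has expired
    ]
    return [gate.attempt(*a) for a in attempts], gate


if __name__ == "__main__":
    outcomes, gate = replay_constructed_attempts()
    for note in gate.notifications:
        print(note)
```
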
134. Preventing BAS Hijacking
• In the case of smart-homes and IoT devices,
one has to make sure that all connected
devices utilize security that prevents any
unauthorized access.
• The security of the controlling BAS box, in
this case, extends to each and every physical
device controlled through the network.
135. Preventing BAS Hijacking
• The concept of a smart home, of top-tier
technology that aspires to increase convenience
and comfort, becomes one of the most powerful
enablers of cyber-terrorism.
• Here’s hoping that those companies and
individuals implementing BAS into buildings
will be working closely with IT departments and
security researchers to protect our buildings’
critical support systems.
137. Cyber Risk Management for Smart
Buildings
• Dealing with cyber risks and threats demands
a sophisticated and robust approach for smart
buildings, which essentially consists of a
systematic review and analysis of aspects such as
the following:
• ICS vulnerabilities
• Cost of damage
• Scope and magnitude of cyber crimes
• Technology initiatives and mitigation methods
• A cyber-security management strategy
139. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Cyber crime encompasses a broad range of
activities; however, cyber security
professionals tend to group criminal activity
into categories based on capabilities and
impact.
• It can be categorized into the following 4 groups:
140. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Terrorist organizations are considered low-
to-moderate in impact and directed mostly for
propaganda and recruitment; however, they
could potentially launch high-impact
attacks in the future.
142. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Hacktivists (e.g., politically motivated
groups such as Anonymous and LulzSec)
depict a steep upward trend since 2011 and are
prone to high and low fluctuations as
technology changes and as the business,
economic, and socio-political landscape
changes over time.
144. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Organized crime (e.g., profit-seeking
criminals and criminal organizations) is
considered a medium/high threat in terms of
capabilities and impact and is primarily
focused on data theft and not directed at
destroying the host system so as to maintain
a lifeline to illicit revenues.
146. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Espionage (e.g., corporate and government) is
considered a high-skilled and high-impact
growing threat involving computer and
physical network attacks to obtain, destroy,
and render critical information unavailable.
147. Scope and Magnitude of Cyber Crimes
in Smart Buildings
• Among the 4 categories discussed above, the 2
considered most applicable to smart buildings,
with the ability to inflict substantial damage,
are espionage and organized crime.
• However, the potential of hactivism impacting a
smart building cannot be ruled out.
• Similarly, depending upon the nature and
strategic importance of the building, terrorist-
devised cyber threats could be a strong
possibility as well
148. Cyber security Measures Adopted for
Smart Buildings
• Cyber security solutions currently being
offered to the smart buildings industry
combine IT and physical security options,
in addition to technology deployment
approaches that attempt anomaly detection
and reduce vulnerabilities for IT and OT staff.
150. Cyber security Measures Adopted for
Smart Buildings
• In reviewing such technology options, it is
important to begin by looking at a building’s
critical vulnerability areas that gain top
consideration.
152. Cyber Risk Mitigation
• The smart buildings industry is currently
adopting mitigation methods that are varied
and somewhat specific and/or proprietary to
every organization.
• Upon closer inspection, however, several best
practices and commonalities in techniques have
emerged from these approaches, which range
from simple best practices to more rounded
strategies based on life-cycle principles discussed
below.
153. Best Practices for Adoption
• Industry experts agree that simple best practices can be
applied for protection from cyber attacks.
• These best practices include the following steps as
examples:
• Restricting BAS access to virtual private network
(VPN) connections only
• Using a Web server-based human machine interface
(HMI) because it relies on IT technologies to secure access
and restricts ports that need to be opened on a firewall
• Segregating the BAS network from the IT backbone
using virtual local area network (VLAN) IT technologies
to restrict internal attacks/breakdowns
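An added example, not part of the original slides: one way to verify the three practices above from network flow records, flagging any traffic that crosses the BAS VLAN boundary other than VPN clients reaching the web HMI over HTTPS. The subnets, the HMI address and the flow records are constructed assumptions; UDP 47808 is the standard BACnet/IP port used here for controller-to-controller traffic.

```python
"""Added example: audit flow records against a BAS segmentation policy."""
import ipaddress

BAS_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed BAS VLAN subnet
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")    # assumed VPN address pool
HMI_SERVER = ipaddress.ip_address("10.20.0.10")   # assumed web HMI host
HMI_SERVICE = ("tcp", 443)                        # the only port opened on the firewall

# Constructed sample flows: src,dst,proto,dport
CONSTRUCTED_FLOWS = """\
# src,dst,proto,dport
10.8.0.15,10.20.0.10,tcp,443
10.10.4.22,10.20.0.10,tcp,443
10.10.4.22,10.20.0.31,udp,47808
198.51.100.9,10.20.0.10,tcp,443
10.20.0.31,10.20.0.32,udp,47808
10.20.0.31,10.10.1.5,tcp,445
10.8.0.15,10.20.0.10,tcp,23
10.10.4.22,10.10.1.5,tcp,445
"""


def classify(src, dst, proto, dport):
    """Return a verdict for one flow under the segmentation policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in, dst_in = src_ip in BAS_VLAN, dst_ip in BAS_VLAN
    if not src_in and not dst_in:
        return "ignored"                 # does not touch the BAS VLAN
    if src_in and dst_in:
        return "allowed"                 # controllers talking inside the VLAN
    if src_in:
        return "outbound-from-bas"       # BAS devices should not reach the IT backbone
    if src_ip not in VPN_POOL:
        return "inbound-not-from-vpn"    # BAS access is VPN-only
    if dst_ip != HMI_SERVER or (proto, dport) != HMI_SERVICE:
        return "inbound-not-to-hmi"      # VPN users may reach only the web HMI
    return "allowed"


def audit(flow_text):
    """Return (flow line, verdict) for every flow that violates the policy."""
    violations = []
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        verdict = classify(src, dst, proto.lower(), int(dport))
        if verdict not in ("allowed", "ignored"):
            violations.append((line, verdict))
    return violations


if __name__ == "__main__":
    for flow, verdict in audit(CONSTRUCTED_FLOWS):
        print(f"{verdict:22} {flow}")
```
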
157. Best Practices for Adoption
• Maintaining password etiquette
• Keeping BAS software and firmware up to
date and installing patches on a timely basis
• Encrypting the data at rest to protect an
organization further, and backing up to a separate
system for access during a data breach
• Conducting security audits to validate security
measures to help avoid complacency
• Educating database users, owners, and
operators on the need for, and methodology of
cyber security
162. Conclusion
• Smart buildings are creating new standards in
technology, comforts, efficiency, and
operational gains for owners, users, operators,
service providers, and the community at large.
• The influence of IoT in smart buildings has
drastically changed both services and value
delivery models; however, IoT has exposed
buildings to unprecedented vulnerabilities of
cyber space.
163. IoT has exposed buildings to unprecedented
vulnerabilities of cyber space
164. Conclusion
• While still in the early stages, cyber security
concerns have the potential to derail an
otherwise fast-growing smart buildings
industry and its associated markets, primarily
because of significant operational and
financial losses that all stakeholders will have
to sustain in the event of a cyber breach.
166. Conclusion
• Evolving technology, advances in connectivity, and an
M2M environment will continue to shape the trajectory
of smart buildings, thus raising the need for protection
against cyber threats.
• According to David Fisk, “If intelligent buildings are the
future, then so too are cyber threats to building
services.”
• The question is not how but when a cyber attack will strike
smart buildings.
• It would be in the interests of all stakeholders if an
appropriate response strategy is put in place without
delay, such that cyber threats do not exert a
destabilizing impact on the smart buildings industry.
168. Terminology
• Building Automation
• Building automation is the automatic
centralized control of a building's heating,
ventilation and air conditioning, lighting and
other systems through a building management
system or building automation system (BAS).
170. Terminology
• Home Automation
• Home automation or domotics is building
automation for a home, called a smart home
or smart house. A home automation system
will control lighting, climate, entertainment
systems, and appliances. It may also include
home security such as access control and alarm
systems
172. Terminology
• Internet of Things
• The Internet of Things (IoT) is a system of
interrelated computing devices, mechanical
and digital machines, objects, animals or
people that are provided with unique
identifiers (UIDs) and the ability to transfer
data over a network without requiring human-
to-human or human-to-computer interaction
174. Terminology
5G
• 5G is the fifth generation of cellular technology. It is
designed to increase speed, reduce latency, and improve
flexibility of wireless services. 5G technology has a
theoretical peak speed of 20 Gbps, while the peak speed
of 4G is only 1 Gbps.
• 5G also promises lower latency, which can improve
the performance of business applications as well as
other digital experiences (such as online gaming,
videoconferencing, and self-driving cars).
176. Terminology
• Siegeware
• Siegeware is what you get when
cybercriminals mix the concept of ransomware
with building automation systems: abuse of
equipment control software to threaten access
to physical facilities
178. Terminology
• Darknet
• Dark Net (or Darknet) is the part of the Internet
purposefully not open to public view, or hidden
networks whose architecture is superimposed on
that of the Internet.
• "Darknet" is often associated with the
encrypted part of the Internet called Tor
network where illicit trading takes place such
as the former infamous online drug bazaar
called Silk Road. It is also considered part of
the deep web
180. Terminology
• Electronic Harassment
• Electronic harassment, electromagnetic
torture, or psychotronic torture is a conspiracy
theory that government agents make use of
electromagnetic radiation, radar, and surveillance
techniques to transmit sounds and thoughts into
people's heads, affect people's bodies, and harass
people.
• Individuals who claim to experience this call
themselves "targeted individuals" ("TIs").
182. Terminology
• Black Hat Hackers
• Black hat hackers are the stereotypical illegal
hacking groups often portrayed in popular
culture, and are "the epitome of all that the
public fears in a computer criminal".
• Black hat hackers break into secure networks
to destroy, modify, or steal data, or to make the
networks unusable for authorized network
users
184. Books
The Internet of Risky Things: Trusting the Devices
That Surround Us
- by Sean W. Smith
185. The Smart Enough City
Putting Technology in Its Place to Reclaim Our Urban Future
By Ben Green
186. Ted Talks
• Avi Rubin: All your devices can be hacked
• https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
187. 'Future Crimes,' by Marc Goodman
• https://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
188. References
• Building Automation & Control Systems: An Investigation into Vulnerabilities,
Current Practice & Security Management Best Practice
• https://www.securityindustry.org/wp-content/uploads/2018/08/BACS-Report_Final-Intelligent-Building-Management-Systems.pdf
• Cyber security In Smart Buildings: Inaction Is Not An Option Anymore
• https://www.switchautomation.com/wp-content/uploads/2015/12/Cybersecurity-in-Smart-Buildings_-Discussion-Paper.pdf
• How Common Are Attacks Through The BAS?
• https://www.facilitiesnet.com/buildingautomation/article/How-Common-Are-Attacks-Through-The-BAS---16713
• Siegeware: When criminals take over your smart building
• https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/
• What is a smart building?
• https://www.rcrwireless.com/20160725/business/smart-building-tag31-tag99
• What is a Building Automation System (BAS)?
• https://www.opensourcedworkplace.com/glossary/what-is-a-building-automation-system-bas-
• Why cybercriminals are eyeing smart buildings
• https://www.welivesecurity.com/2019/06/12/cybercriminals-eyeing-smart-buildings/