Cybersecurity: Understanding Smart Building Vulnerabilities
Different levels of information systems have different potential vulnerabilities. Here's what you need to know.
Vulnerabilities in information systems can come in many different forms and at different levels, including device level, system level, network level, application level, and operation and management level.
Device level. We’ve all seen a great football team with a single devastating weak link that has changed the game outcome. A quarterback who misses passes, a lineman who misses tackles – whatever it is — is analogous to vulnerabilities at an individual device level. One bad device can completely unhinge a system or network. Device level vulnerabilities could refer to any of the following:
• Unauthorized components of a device introduced in the supply chain.
• Unauthorized device, either during initial install or a replacement device.
• Malicious firmware or patch on a device.
System level. Imagine two professional football teams playing, where one team was wearing normal tennis shoes instead of cleats. This is analogous to a system-level vulnerability in an intelligent building; the term typically refers to systematic vulnerabilities in a microprocessor-based system. Examples of this include:
• Some legacy applications can only run on specific OS versions (Windows XP, for example), which has inherent vulnerabilities.
• Oftentimes, B-IoT technologies implement ”security” through “proprietary” systems. Open or proprietary do not in themselves define something as secure or insecure; it may just mean nobody has hacked it yet.
Network level. Perhaps it is communications that create vulnerability. Network-level vulnerabilities refer to limitations in the communication protocols used in IT/OT/IoT networks. The chart below shows the typical layers in the Open Systems Interconnection (OSI) model.
Here are some examples:
• The BACnet protocol is designed to allow communication across all network devices. A simple ‘WHO IS’ broadcast will garner an ‘I AM’ response from every device on the network, allowing any user to see all devices and device properties on a network. (For more on BACnet and cybersecurity, see Edward Sullivan's article on BACNet/SC.)
• Improper network segmentation – control systems and administration networks may be on a completely flat network (no proper VLAN).Application level. These are examples of application level vulnerabilities.
• Limited session establishment in OT / IoT network protocols.
• A facility manager or engineer downloads a malicious mobile application. Upon connection to the building network, this application now has access to critical infrastructure.
Operation and management level. Some of the more common cybersecurity attacks are still those that happen through human errors, such as email phishing and ransomware. Both base building operation and occupants and tenants’ business may be affected by these types of cyber-attack.
• Phishing is designed to panic users into clicking malicious links or handing over personal / confidential information. The result of these phishing attacks could expose critical facility information or give attackers access credentials into these networks.
• Ransomware is designed to lock users out of their facility control systems and system database until a certain sum of money is paid to the attackers. Large facilities and enterprise customers are especially at risk for these types of attacks.