How vulnerable is your control system? Could IoT devices be hacked, and access gained to sensitive information technology (IT) data?
The continued convergence of information technology and operation technology highlights the need for all systems to have comprehensive cyber protection strategies.
Cybercrime and Covid-19
In 2020 Covid-19 changed the way the world worked. During a year when most companies had many workers logging in from remote locations via laptops, personal computers, tablets, and mobile phones, ransomware attacks apparently increased by 150%.
It is not just large organisations that are under attack. One insurer estimates that up to 40% of data breaches are aimed at businesses with under 1,000 employees. The motivation for these cyberattacks is primarily financial, but sometimes just for “fun” (for the hackers, certainly not for the business!) For whatever reason, a security breach causes huge issues for any company and a quick (and cheap) resolution is rarely possible.
The Covid-19 pandemic introduced greater risk with many employees working from home, and hastily implemented operating procedures put in place to enable that to happen. As we learn to live with Covid-19 a hybrid model is being adopted by many companies with staff working some of the time from home, and other times at the office. Without a doubt, better end-to-end security is now needed from the cloud to worker laptops.
Phishing attacks are also becoming more sophisticated as cybercriminals learn from previous attempts that failed. Their techniques are continually being refined! Security measures need to be continually updated to deal with the newest and latest bombardment!
Why is my building control system vulnerable?
Phishing attacks via email, and ransomware designed to prevent us from accessing our data until a ransom is paid, are understood. But why would my control system be vulnerable?
Intelligent buildings today use online connectivity to employ sensors, software, and other IoT devices to monitor and analyse building health and occupancy and to provide data to optimise operational use. When building systems and IoT technologies are integrated, building owners and facility managers can ensure greater energy efficiencies, better indoor air quality, healthier workspaces, and engaged and more productive staff operating in environmentally comfortable buildings.
Smart building technology is commonly used to:
- Monitor critical equipment
- Perform regular testing/reporting (e.g., emergency lighting)
- Reduce energy consumption
- Meet sustainability goals
- Improve occupant experience
- Monitor/maintain a healthy workplace environment
- Increase productivity
- Optimise the use of resources
- Qualify for building certification
The benefits of smart building technology can have a very positive impact on the environment and on the company’s bottom line. Typically, a fully integrated intelligent building control system will include everything from HVAC to security alarms, lighting control, and audio-visual functionality (and more). It will likely be incorporated into a single system with computer-controlled automation to manage the various functions within the building. However, can an intelligent building be too smart for its own good?
Building technology is increasingly relying on cloud computing to tap into and store the data and analytics available in smart building systems. While making the management of utilities such as water, gas, and water, as well as operations and maintenance, much easier and more cost-effective, potentially it can also open your business up to additional external cyber threats. Hence the importance of being prepared for such an eventuality.
Designing with Security in mind
The best time to protect your business from cyberattacks is when the design for your new smart building, or a major retrofit to make it smarter, is underway.
Commonly, an approach to creating an intelligent building is to incorporate as many smart systems and IoT devices as are currently available, and then work out what can be achieved.
Unfortunately, this use of technology “for technology’s sake” can create weaknesses in your building management system that a hacker can exploit.
For example, a simple digital signage monitor or a webcam, still with its default password unchanged, could provide an open window into your building control system, and an unfettered search for other systems with greater potential for disruption.
Even where default passwords have been changed, due to limited processing power and software development many IoT devices have outdated encryption (or haven’t implemented it). Security flaws are common and hardcoded security keys and credentials are hacked very easily. Even supposedly reputable/well-known companies have outstanding lawsuits against them for negligent security practices.
Collaborating with IT
The ideal is to involve IT personnel early in the project design process. With IT onside, and with an understanding of the operational technology that is required, conflicts will be avoided, and the project can progress more smoothly. If the smart building system and all ancillary IoT components are to be put on the company’s enterprise network, it comes with considerable cybersecurity risk. Devices would all need to be checked out and tested by IT before being allowed to connect to the main network.
In some cases, the preference is to create a stand-alone dedicated network simply for their building technology components. Although there is some additional expense with this route, making such decisions early in the design process will ensure any extra costs will be minimal, and there will be no delays to the implementation schedule.
Data Storage Problems
In many cases, data from building systems is stored on a single, low-budget PC, located in reception, or a plant room.
Commonly there is no real recovery plan, no off-site backup, limited PC maintenance, often a single password for users, and limited physical security.
When data for critical systems such as emergency lighting is stored in this way reports such as emergency test records could be lost, leaving your business unable to prove that testing was completed.
With no test reports, lack of compliance and increased liability becomes a given.
Security of Site Information
It is usual for files for building technology systems to remain with the commissioning agent. If that is the case, the building owner is reliant on that agent having good security and data recovery plans. Additionally, agents can “lock clients in” by retaining setup files as their own IP (intellectual property) allowing them to force clients to use only their company for services to make changes to the site control system as required.
Building systems may be unprotected from mistaken or malicious changes i.e. users changing the data by mistake, or for malicious reasons. There is usually not way to know when or where the changes occurred. It is common for generic passwords and usernames to be used, or a single password and login for most users. Sometimes users can log on to the system even after leaving the company.
PC systems containing sensitive or important information are obviously a prime target for theft. Numerous PCs have “disappeared” during construction or ongoing maintenance. Many systems rely on the head-end PC to perform scheduled tasks, so this immediately causes real issues.
The biggest issue is when system software does not get upgraded. When exploits or vulnerabilities are never patched, the systems could be used for botnets or other illegal activities without the business even knowing. This is the same issue for both the OS software and the control system software. If security is not increased over time, as more powerful attacks are developed, the system is left even more vulnerable. Even when the OS is patched, often systems such as the lighting control is not (many use SQL or similar databases which need to be patched).
A high level of processing power is required to encrypt sufficiently on all devices. Many manufacturers will not make that investment or lack the necessary skilled people to correctly implement security. Processing power in devices cannot be increased after installation
Security systems need to be designed for ten years ahead when it is estimated that computers will be 70 times faster than those of today. Processing power is doubling every 18 months and makes it easier to break cryptos.
Why zencontrol For Lighting Control
There have been numerous posts about why we put forward zencontrol for most lighting control projects, but this post is about security, and this may not have been the focus of previous blog posts, so please read on.
- Zencontrol systems are stored on the cloud and follow standard best practice procedures
- All data is backed up
- Data is secured both physically and digitally
- As standard, zencontrol uses enterprise grade encryption
- Local communications use TLS 1.2 PSK and cloud communications use TLS 1.2 PKI (4096 RSA). TLS 1.2 stack developed and backed by ARM.
- Hardware maintenance is managed
- Multiple fault-tolerant servers
- Approved personnel only can access sensitive information
- Password/credential storage is hashed and salted.
- Temporary permission can be given to provide access without ongoing vulnerability
- Building managers can grant/revoke access to building areas and privileges
- Users and changes are logged and can be audited
- Incorrect or malicious changes can be identified and rolled back
- Built on secure foundations and deployed worldwide using Amazon web services
- No requirement for local storage as data storage is cloud-based
- As head-end PC not required, less risk of theft
- Devices are upgradeable so new exploits will be patched and protected against.
- Cryptographically signed firmware security updates can be pushed to systems remotely as a response to new security issues.
- Every individual device is programmed with unique and strong 32byte encryption key
- All details of site setup are stored and can be accessed by any approved agent
The supplier or commissioning agent of any building automation system e.g. lighting control, BMS etc. should be able to provide full and comprehensive information on the security measures of their control system that will prevent your building being accessed by any unauthorised means.
zencontrol are serious about security. Their standard practices and implementation ensure zencontrol networks stay strong currently and well into the future.