Architect and Builder June/July 2019 | Page 19

“Buildings are rapidly embracing digitisation worldwide and, while the convergence of smart technologies and physical environments has greatly improved business operations, this digitised method of operating does potentially lead to increased potential vulnerabilities and attacks.”

By Carey van Vlaanderen, CEO, Eset Southern Africa

you can find thousands of building automation systems in its lists, complete with compromising information. In February 2019, around 35,000 building automation systems worldwide appeared in Shodan within public reach via the internet. This means that someone could take control of a BAS after finding it through a search.

If, for example, a criminal used Shodan to search for building automation systems to attack, they would find IP addresses. If they copy those IP addresses into the address bar of a web browser, in many cases this will bring up an interface for gaining access, where they need to enter a username and password. If the password is a default password or if it can be cracked easily through a brute force attack, the attacker will gain access to the system monitoring panel.

Once the attackers have access to this public information and can monitor, for example, how the air conditioning works, they could make a phone call pretending to be from the maintenance company and say they are going to send a technician. At the same time, the attackers could request remote access, which would give them access to the server and allow them to control the building.

Once they have control, they could alter the building’s heating or air conditioning or adjust the way any of the other automated systems operate and then demand payment of a ransom using a system that allows them to remain anonymous, such as cryptocurrency, in exchange for not shutting the building down.

Siegeware: a very real threat

Cybercriminals are already carrying out such attacks when they have the opportunity.
This kind of attack is siegeware, or the code-enabled ability of cybercriminals to make a credible extortion demand based on digitally impaired building functionality.

In conclusion, the low cost of IoT devices for buildings and the advances of technology for building automation systems are leading to changes with an impact on security. This drive toward automation and the use of smart devices to gather data – in order to give a building’s users more comfort and to make more efficient use of resources such as energy – is also leading to increased security risks. As a result, the possibility of a cybercriminal launching a ransomware attack on a smart building is already a reality.

Considerations to keep in mind

There are a number of security considerations and requirements to keep in mind:

• Review the devices’ security specifications and work on the basis of the ‘security by design’ concept
• Set a suitable budget for security
• Choose partners that have knowledge of security issues
• Install software for managing vulnerabilities
• Ensure cooperation between the different departments

For operational issues:

• Update the devices regularly
• Implement a replacement plan for when devices’ support life cycles end
• Exercise caution in respect of connected devices
• Monitor connected devices
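
An added example, not part of the original article: a small Python audit that checks a device inventory against the operational points above (internet-reachable interfaces, default passwords, stale updates, ended support). The inventory records, field names and the 180-day update threshold are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed sample inventory; names, addresses and dates are illustrative.
# 203.0.113.0/24 is a documentation range standing in for a public address.
INVENTORY = [
    {"name": "hvac-controller", "ip": "203.0.113.10", "default_password": True,
     "last_update": date(2017, 3, 1), "support_ends": date(2018, 12, 31)},
    {"name": "lighting-gateway", "ip": "10.20.0.15", "default_password": False,
     "last_update": date(2019, 5, 20), "support_ends": date(2024, 6, 30)},
    {"name": "access-panel", "ip": "192.168.5.9", "default_password": True,
     "last_update": date(2019, 1, 10), "support_ends": date(2021, 1, 1)},
]

# RFC 1918 internal ranges; anything outside them is treated as exposed.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_UPDATE_AGE_DAYS = 180  # assumed policy threshold, not from the article


def audit_device(dev, today):
    """Return the list of findings for one inventory record."""
    findings = []
    addr = ipaddress.ip_address(dev["ip"])
    if not any(addr in net for net in INTERNAL_NETS):
        findings.append("management interface outside internal address ranges")
    if dev["default_password"]:
        findings.append("default password still set")
    if (today - dev["last_update"]).days > MAX_UPDATE_AGE_DAYS:
        findings.append("no update in over %d days" % MAX_UPDATE_AGE_DAYS)
    if dev["support_ends"] < today:
        findings.append("vendor support has ended; schedule replacement")
    return findings


def audit(inventory, today):
    """Map device name to its findings, omitting devices with none."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2019, 7, 1)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```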