Can You Trust Your Smart Building? (IoTSF, 2019)
Understanding the security issues and why they are important to you
Published by: IoT Security Foundation
Smart buildings are one of the most common categories of IoT implementations. In seeking to provide guidelines for smart building stakeholders such as owners, contractors, and installers, an IoT Security Foundation working group has devised a set of guidelines published in a 2019 whitepaper titled “Can You Trust Your Smart Building?” (IoTSF, 2019).
Initially the authors discuss what smart buildings are: systems designed to fully manage and control all aspects inside a building, covering sub-systems such as HVAC, UPS, elevators, lighting, fire detection, and security. Optimal asset management and resource consumption leads to energy and water savings, reduced costs, less waste, improved safety and security, and overall better maintenance and occupant satisfaction. It is thus an expanding multi-billion-dollar global market.
Smart buildings potentially impact the wellbeing of all citizens of the modern world. If there is a trust issue, as the title suggests, and they cannot be trusted, then we should seek to identify the challenges and the ways to address them. The relevance of the whitepaper is clear.
Inside a smart building, sensors gather relevant data about the controlled environment and data analysis facilitates both automation and human decision making. Management systems are increasingly offered as a service in the cloud. Therefore, smart buildings are IoT systems since they share all characteristics of IoT by utilizing sensors, Internet connected smart objects, which generate large amounts of time series data, automatically analyzed through AI in support of decision making.
Threats and Risks
Next the authors turn to discuss the risks. Threats to a smart building system can come from multiple parties including insiders, rivals, criminals, and activists. As the authors show, it is all too easy today to browse a special search website and find Internet exposed building management systems (BMS) accessible by essentially anyone. Those buildings could belong to businesses, health organizations, education establishments, and various other sensitive sites. Security companies have shown the ease in which some Building Automation Systems (BAS) could be hacked (Forescout, 2019).
Furthermore, the authors mention the devastating effects of the Mirai botnet attack and the WannaCry and NotPetya ransomware global attacks. It is this reviewer’s opinion that the whitepaper authors could have made the distinction between the former and the latter two. While Mirai primarily targeted IoT devices (CCTV cameras) with weak passwords turning them into a botnet army later used for the actual onslaught, the other two ransomware targeted vulnerable Windows operating system computers no matter their function causing them direct damage. But since many IoT systems run old unpatched operating system versions this had made them especially susceptible.
Therefore, what we can observe by this comparison is that IoT devices are both easily compromised leading to collateral damage through botnets and DDOS attacks, but also easily individually targetable which can cause direct damage due to their special role.
Following the introduction of risk, the authors discuss how it should be managed. The approach taken is that not all systems within a building are equally important and that not all data is equally sensitive. A series of questions is thus provided for stakeholders to weigh the risks. This section is too short and unstructured to serve as guide for effective threat modeling or risk assessment. On the other hand, Aufner (2020) surveyed several threat modeling techniques which could be used such as STRIDE or CORAS for security, LINDDUN for privacy, and DREAD for risk. They should be used as a starting point, while realizing that research has shown there are gaps between the common threat models and IoT due to lack of consideration for hardware and physical interactions (Aufner, 2020). When it comes to smart buildings it is obvious that physical security is essential. The whitepaper only briefly mentions physical security without going into any detail.
A relevant term in this respect is that of Cyber-Physical Systems (CPS). A review paper focusing on smart buildings as cyber physical systems recommends to increase analytics and visualizations, making smart building systems even smarter for increased resiliency and security and lastly a consistent inclusion of security throughout system lifecycle (Osisiogu, 2019). Here again, identifying the interactions between the physical and the cyber security aspects is imperative for effective risk management.
As for best practices, the whitepaper does not attempt to define its own framework and instead prefers to reference that of NIST (NIST, 2018). I fully support the reliance on a respected standards body’s publication for security implementation.
So, can we trust our smart building? The question from the title remains unanswered. Readers gain better appreciation for real world cases, vulnerabilities, and risks. Surely, one’s trust in smart buildings is diminished by that account. On the other hand, direct stakeholders involved in designing, constructing maintaining, and owning smart buildings can gain insight into what it would take to increase trust.
Overall, the whitepaper does a good job in moving from domain introduction, through problem definition and into the solution space with sound recommendation for how to proceed with security implementation. The whitepaper does not dive into details in any single topic, but instead prefers to paint the entire landscape in a broad brush. By doing so it primarily raises awareness to a pervasive aspect of our lives, dealing with our day to day surroundings, with global implications on sustainability, and personal implications on safety, privacy, and wellbeing.
Aufner, P., 2020. The IoT security gap: a look down into the valley between threat models and their implementation. International Journal of Information Security, 19(1), pp. 3-14.
Forescout, 2019. BAS RESEARCH REPORT: THE CURRENT STATE OF SMART BUILDING CYBERSECURITY. [Online]
Available at: https://www.forescout.com/securing-building-automation-systems-bas/
[Accessed June 2020].
IoTSF, 2019. Can You Trust Your Smart Building? Understanding the security issues and why they are important to you. [Online]
Available at: https://www.iotsecurityfoundation.org/wp-content/uploads/2019/07/IoTSF-Smart-Buildings-White-Paper-PDFv2.pdf
NIST, 2018. Framework for Improving Critical Infrastructure. [Online]
Available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Osisiogu, U., 2019. A Review on Cyber -Physical Security of Smart Buildings and Infrastructure. 15th International Conference on Electronics, Computer and Computation (ICECCO), pp. 1-4.