Smart buildings and vulnerability – finding the weak spots
Smart buildings are rapidly becoming a widely-recognised phenomenon, talked about in the media and high on the agenda of progressive companies on both the supply and demand side.
In truth, although the concept of smart buildings seems to be cutting-edge, the technology has been in development since the 1990s, when the first ‘intelligent systems’ were implemented in building design. This was driven at the time by the need for greater levels of automation, and has subsequently evolved to include factors such as environmental impacts – reduced energy bills and environmental footprints – as well as safety, user comfort, business productivity and, of course, security.
From the perspective of a security professional, the smart building is all about integration, and how a flexible security solution blends seamlessly across all levels of an automated, connected building. Converged systems built on open platforms are integral to this, and involve factors such as access control (both physical and logical), security cameras and Video Management Software (VMS), as well as alarm systems.
Much more recently, Artificial Intelligence (AI) has given us the capability of driving far more sophisticated services through these existing security platforms. A VMS can now identify individual faces and record them, reporting back to a central security point if there is a perceived threat; carparks use the same technology to provide ticketless parking, thus streamlining the flow of traffic in and out of a building.
The one common factor driving this evolution, however, is the Smart Building. According to Dr Dave Brooks, though, Smart Buildings or Intelligent Buildings should be termed Building Automation and Control Systems (BACS), a more technically correct term that removes cognition and confusion between operators and users. From a security perspective, BACS is a system that is most susceptible to outside attack.
Dr Dave Brooks, who will be speaking at this year’s ASIAL Security Conference, suggests that: “Building Automation and Control Systems have become embedded into today’s contemporary building, extending across all types and sizes for the purpose of automation and information flow. However, there remains limited organisational awareness and practitioner understanding of BACS threats and vulnerabilities, and importantly, potential business impacts.”
As a platform that extends across many areas of a building’s intelligence and automation base, a BACS needs to interact with many different systems at a variety of points throughout the facility, and therefore is potentially exposed to more vectors of attack.
“My colleagues and I recently performed a risk survey, interviewing facility and security professionals to gauge their current understanding of the vulnerabilities of a BACS solution and find out what security practices were being used to mitigate risk in this area. Our findings indicated a limited understanding of BACS risks and, equally important, there is a distinct lack of suitability in the mitigation strategies currently being employed,” states Dr Brooks.
Considerations when looking at risk mitigation of a BACS platform cross areas including architecture and design, engineering, critical infrastructure, physical security and IT.
Guidance on mitigation strategies ranges from designating the impact that BACS may have if an event occurs, through to a list of security questions designed by Dr Brooks and his colleagues that consider management, security risk, personnel, physical and cyber security measures, incident and continuity planning and maintenance practices.
“It is important to work from a position of strength when assessing risk, so professionals require a proper framework and knowledge to address the many and changing BACS threats and risks to an organisation,” said Dr Brooks.
BACS are located throughout an Intelligent Building, and used by many people connected across different networks. If the BACS fails, that may have a significant impact on the ability of an organisation to occupy a building and, therefore, maintain operations.
There is no longer such a thing as a single, safe perimeter. Any device that enters a building is a potential threat, and anything that interacts with the facility’s network has the potential to introduce harmful elements to the building and its systems.
Identified vulnerabilities may include limited awareness of security threats and system vulnerabilities, physical access to parts of the system, compromise of various networks, insertion of foreign devices, lack of physical security, and a reliance on utility power.
Nevertheless, there are mitigation strategies that can be put in place to protect Intelligent Building (IB) systems. These include threat-driven security risk management, an understanding of system criticality, greater integration of departments, network isolation, layered protection measures, and increased security awareness.
The first stage in this process is to be aware of the various attack vectors that may pose threats, and have an overriding security plan drawn up. This way, the organisation can move onto a positive footing, and address risks proactively rather than reacting to incidents as they occur.
Three steps towards BACS security
A system criticality assessment defines the most mission-critical information within the network of hardware and software running the smart building and finds exactly where that information is located. It then evaluates what the business impact would be if that information was lost, damaged or stolen. This ensures that information systems are properly grouped together, and that the right controls are in place around those systems.
Greater integration of departments will see better communication between employees and management, and a greater understanding of how separate departments and systems interact in the broader operational environment. Regular contact and discussions around risk and security should be scheduled, and these need to look at the smart building as a whole. As the overriding system off which many other systems run, the BACS needs to be a focus of these discussions.
Network isolation has the effect of partitioning information away, so that it is not vulnerable to attack all at once. Using Virtual Local Area Networks (VLANs), data is separated off and categorised depending on the department or system that requires it. Each local network can have different protocols applied to separate high-risk data from that which poses a lower risk.
During his ASIAL presentation, Dr Dave Brooks will evidence the drive toward BACS within smart and intelligent buildings, and highlight security and facility professionals’ lack of understanding of these critical building systems. More importantly, a clear framework will be provided to allow an organisation to manage its BACS risks.
To hear more from Dr Dave Brooks and other leaders in global security, the ASIAL Security Exhibition and Conference is taking place from July 25-27 at Melbourne’s Convention Centre. Conference Passes can be purchased from securityexpo.com.au