In recent years, known vulnerabilities such as in the Tridium Niagara AX Framework,a Siemens’ energy automation device,b or Vaillant heating systemsc put a spotlight on the security of smart buildings. What is needed to increase the security of smart buildings and what research aspects did we forget to cover in recent years?
Smart buildings are automated buildings designed to save costs, to increase our safety and comfort, and to be environmentally friendly4 while being able to interact with other smart things and the energy grid. When we think of a smart building, we may first think of a home in the suburbs or of a high-tech flat for techies. This impression is, however, only a small pixel in the big picture of smart buildings. While smart homes become an increasingly integral part of today’s cities and villages, smart buildings can be found in other areas, too. In factory buildings, building automation technologies handle the physical access control to prevent undesired visitors; in greenhouses, building automation equipment ensures the temperature, humidity, and illumination are kept at the optimal level for the growth of plants; in server rooms, we find equipment that handles the air conditioning to prevent servers from overheating; and in airports, we find automated building components almost everywhere, ranging from elevators to smoke detectors and fire alarms to electric window shutters.
When mentioning such elementary components of smart buildings, we can already deduce that building automation is more than current hype. Instead, such features were integrated into buildings for decades. Indeed, building automation existed for a long time before the first electric components were integrated into the buildings of the 1960s.6 Only in recent years, vendors, due to market demand, started to connect their automated buildings to the Internet to provide new services. These services, such as remotely controlled heating or outsourced video surveillance, do not simply become popular because they are "nice to have." Instead, society will depend on these services to a larger extent every day. This fact is especially applicable to aging societies such as in Japan or Germany. Ambient assisted living provides technology to care for the elderly, for example, via sensor-equipped floors that detect when people fall down and report this event to on-call personnel over the Internet.
In this Viewpoint, I highlight six unsolved problems for smart building security. While several other non-technological problems (such as cyber insurance for smart buildings) exist, the selected issues appeared on a reoccur-ring basis in recent discussions with partners from academia and industry; both stakeholders desire solutions for each of these problems.
Internet-based Communications. First, these now Internet-connected smart buildings apply communication standards that were initially not designed to work over the Internet Protocol; neither in IPv4 nor in IPv6. Instead of the previously separated building area networks, which can be attacked only locally, buildings now face attacks from the Internet as any other Internet of Things (IoT) device does. While many IoT devices are, however, designed with security in mind, building automation protocols still rely on legacy communication standards that, in many cases, did not foresee any mentionable security features. As a result, smart buildings can be easily attacked over the Internet.
Several academic contributions to improve the security of existing building automation protocols were developed under the umbrella of the Security in Building Automation project at TU Vienna.d Within the last several years, vendors became aware of this problem and started to clearly improve the quality of communication protocol security specifications such as BACnet or KNX. From the perspective of a security researcher, this action takes place rather late and would have been needed 10 years ago but the building automation industry develops rather slowly. Building automation technology is designed to last for decades and is therefore highly robust against hardware failures. What is missing is the reliability against several Internet-based attacks that were not foreseen when the particular protocols were developed.
Impact of Attacks. Second, consequences of attacks on smart buildings are not fully understood. These attacks do not target building automation equipment directly but instead focus on the physical environment of a building and its surrounding area. We need to differentiate between active and passive scenarios based on the physical capabilities of a building. In an active scenario, adversaries can influence the building’s operation and with it the business process of an organization. For example, if legitimate physical access to a building is prevented by an access control system, a factory may not operate and if the fire alarm in an airport terminal is activated, the necessary evacuation causes all passenger transfers to stop. Actual "real-world" consequences of attacks are not addressed by current research and remain mostly unclear.
In recent years, vendors, due to market demand, started to connect their automated buildings to the Internet to provide new services.
For an example of a passive scenario, consider the smart home. Using sensor values, a surveillance of inhabitants is feasible by either directly requesting sensor data such as presence sensors or information about the energy consumption of the home over the Internet or by exploiting side channels.3 Being connected with hospitals and wearable devices for elderly care, future smart buildings will transfer highly sensitive vital signs that potentially can be sold to health insurance companies on the black market. Such a surveillance scenario could, in a worst-case situation, lead to smart building botnets performing mass surveillance.5 Various additional attacks may still be uncovered and a systematic analysis of potential attacks outside of the technical level but on the level of organizational processes is necessary to envisage a full spectrum of threats.
Long-term Software Deployment. Third, building automation equipment must be designed in a way that its integrated software will either be formally proven or it becomes ‘patchable’ in order to keep it secure on a long-term basis. A problem in this regard is the limited computing power and memory of the related embedded systems, especially for legacy devices.1 Legacy devices are a significant problem in building automation: while it is easy to claim the building automation industry should implement more security features in their systems, it must be emphasized that automation equipment may last for decades in the same building. If we integrate state-of-the-art cryptography in a component for a building, we still need to ensure the component can handle the necessary state-of-the-art cryptography in a few decades to keep the building secure. A first step toward increased long-term security would be to support awareness for outdated software components. Therefore, building area networks could be scanned regularly by security software to provide information about obsolete software to building management interfaces.
User-Oriented Software Design. Fourth, even if a long-term patchability will be realized technically, it must be designed in a way end users will actually use it. Otherwise, people will not patch their smart buildings for the same reason most users do not typically encrypt their private email. In general, innovative solutions to foster security awareness and to provide means to improve the security of smart buildings are required that are tailored to the different actors. Therefore, such solutions must consider the technical abilities and motivation of these actors, whether they are professional operators, owners, employees, or inhabitants, including the handicapped and the elderly. For example, the Facility Using Smart Secured Energy & Information Technology (FUSE-IT) project develops a user-friendly security dashboard for building management. The dashboard will display potentially relevant information based on the actual requirements of its users.e
People will not patch their smart buildings for the same reason most users do not typically encrypt their private email.
Insecure Network Stacks. Fifth, another step toward more secure legacy systems is to address insecure network stack implementations. In the building automation industry, network stacks for complex protocols are, at least in some known cases, implemented by a single developer or very few developers without a software engineering or information security-related education. For this reason, the resulting software may be vulnerable to rather fundamental attacks. One option is to introduce a ‘normalization’ into the network environment of building automation systems. In the ongoing Building Automation Reliable Network Infrastructure (BARNI) project, funded by the German Ministry of Education and Research, we focus on this normalization aspect. By filtering network traffic and ensuring its conformity to security standards, we can refuse malformed network packets from reaching devices with insecure network stacks,2 preventing these devices from failures. Another option is to perform penetration testing of network stacks, including traffic fuzzing. The penetration testing results can be used afterward for hardening the network stack.
Access to Standards. Sixth, a nontechnical but momentous step toward better security of smart buildings is to provide the academic community with free access to related standards documents. Even some of the most important standards are only accessible under restrictions, for example, for payment. Providing students access to these standards for their projects and theses remains a challenge experienced multiple times within the last five years. The building automation community can learn from the Internet community, which publishes freely available Internet standard documents (even in early forms such as draft standards). Freely available standards for building automation systems would allow the analysis of specifications by many scholars in the field of information security that currently have no access to these documents.
Conclusion
The introduction of improved security into smart buildings requires the collaboration of academia and industry. This collaboration already started for selected sub-topics but an interdisciplinary evaluation of potential threats in smart buildings should be a next step to conclude the full spectrum of potential risks. In a following phase of joint work, security technology must be developed for both new and legacy buildings, tailored for the different involved actors to address this threat landscape.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment