Throughout the coronavirus pandemic, Internet of Things (IoT) technology has provided important tools for countless industries. IoT enables doctors and other healthcare workers to diagnose and treat patients remotely and to deliver vital medical equipment and medicines to remote areas, and IoT-enabled robots are even helping keep healthcare facilities clean, reducing the risk of transmission. Office buildings are turning to IoT devices to monitor air quality, both to prepare buildings for reopening and to keep occupants safe. IoT sensors are increasingly being paired with intelligent analytics in all types of commercial buildings to improve fault detection and diagnostics, allow for remote monitoring, and minimize the need for on-site personnel.
But while smart technologies have great promise, the network-connected nature of IoT devices can pose a cybersecurity risk if deployment is not well understood and managed. Many detractors believe that the proliferation of the Internet and the sheer number of devices within these smart ecosystems make IoT a liability for security. But with careful planning, competent management and sensible protocols, smart buildings can be made safer and more secure.
Though much has changed, much has also stayed the same. In 2000, Scott Culp of the Microsoft Security Response Center wrote a seminal article on what would eventually come to be referred to as “cybersecurity”. These Immutable Laws of Security are still relevant today when it comes to facing IoT cybersecurity challenges. For buildings IoT, these challenges include:
Malicious software has long been a serious concern for computer networks, well before the proliferation of smart technology. Hackers can exploit vulnerabilities in IoT networks and leverage these weaknesses to deploy ransomware attacks. In these attacks, hackers seize control of systems or encrypt valuable information and then demand ransoms, usually payable in cryptocurrencies.
While it makes sense to discourage the practice by not paying the ransoms, this is not sufficient to avoid the problem, which requires that those connected through IoT networks act responsibly. Mitigation techniques include:
With IoT systems increasingly controlling critical operational technology (OT) points, it’s important that operating systems are kept updated and properly protected. Forgoing this step can drastically increase vulnerability to serious security breaches. For example, hackers compromising a building’s HVAC system during a major heatwave may seem like a minor inconvenience, but such occurrences can be life-threatening, as one small community recently discovered.
In February 2021, a hacker compromised a water treatment facility in Oldsmar, Florida by exploiting an outdated Windows 7 operating system and poor password security to increase the level of sodium hydroxide in the water supply. An observant manager quickly noticed the hack and denied further access, but the incident is a stark reminder of the importance of keeping operating systems up to date and using more complex passwords.
While cybersecurity focuses on data theft or loss of system control, old-fashioned thievery can facilitate such crimes. Because smart building systems involve multiple connected devices, including those that are privately owned, stolen devices can be used to infiltrate these same networks. To prevent this, consider doing the following:
As the digital and physical worlds increasingly intertwine, IoT cybersecurity becomes more complex. With remote work becoming more common, hackers target the devices that employees use outside the network in order to compromise them. Since many IoT devices rely on cloud-based services for functionality, ensuring proper access control and correctly configuring off-premises software helps prevent breaches.
Remote and direct access to servers, whether physical or cloud-based, should be strictly regulated to prevent unauthorized access. Consider taking these steps to regulate access:
With building systems continuously generating vast volumes of data, administrative IoT cybersecurity challenges include:
When interacting within IoT ecosystems from remote locations, it’s important to remember that connecting through insecure networks can compromise systems. Never connect via public Wi-Fi networks or those using untrustworthy encryption practices, as these expose devices to attack and can result in lost data. Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) encryption are outdated and shouldn’t be part of your network setup.
Even with updated Wi-Fi protocols WPA2 and WPA3, vulnerabilities still exist. WPA2 is susceptible to key reinstallation attacks, or KRACK, which allow attackers to compromise and view encrypted traffic, hijack credentials, and steal sensitive information. WPA3 is vulnerable to Dragonblood attacks, where attackers target instant messages on Wi-Fi networks to obtain passwords and gain access to confidential information.
Running multiple layers of encryption within communications channels between IoT devices makes attacks more difficult to launch. Virtual private networks (VPNs) also provide inexpensive and easy ways to configure devices against KRACK attacks. Two-factor authentication (2FA) should be used in all cases in addition to an encrypted VPN connection.
Networks can also be partitioned internally using VLANs or physical network separation to provide a clear delineation between the network used for IoT and other building system devices and the general corporate network, with specifically designed and carefully controlled access points linking the protected network to the wider corporate network only as required.
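One way to check that the segmentation described above holds in practice is to audit flow records for traffic that crosses the IoT boundary outside the approved access points. The following is an added example, not part of the original article; the subnets, hosts, ports and flow records are constructed assumptions.

```python
import ipaddress

# Assumed (hypothetical) addressing plan: one VLAN for IoT/building systems,
# one for the general corporate network.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# The only permitted crossings: (source, destination, destination port).
# Constructed values: a corporate jump host reaching the BMS server over HTTPS,
# and the BMS server sending logs to a corporate syslog collector over TLS.
ALLOWED_CROSSINGS = {
    ("10.10.5.10", "10.20.0.5", 443),
    ("10.20.0.5", "10.10.8.20", 6514),
}

def zone(addr):
    """Map an address to the segment it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in IOT_NET:
        return "iot"
    if ip in CORP_NET:
        return "corp"
    return "other"

def audit_flows(flows):
    """Return flows that cross the IoT boundary without an allowlist entry."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone(src), zone(dst)
        if src_zone == dst_zone:
            continue  # traffic inside one segment is out of scope here
        if "iot" not in (src_zone, dst_zone):
            continue  # does not touch the protected network
        if (src, dst, port) not in ALLOWED_CROSSINGS:
            violations.append((src, dst, port, f"{src_zone}->{dst_zone}"))
    return violations

# Constructed sample flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.20.0.5", 443),    # allowed: jump host to BMS server
    ("10.20.0.5", "10.10.8.20", 6514),   # allowed: BMS logs to collector
    ("10.20.0.31", "10.20.0.5", 47808),  # intra-IoT BACnet/IP, ignored
    ("10.10.44.7", "10.20.0.31", 23),    # laptop reaching a controller directly
    ("10.20.0.40", "203.0.113.9", 443),  # camera talking straight to the Internet
    ("10.10.44.7", "10.10.8.20", 445),   # corporate-only traffic, ignored
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("unapproved crossing:", violation)
```

Each reported flow is either a firewall rule to tighten or a legitimate link that should be added to the allowlist deliberately.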
A collection of compromised Internet-connected computers or other devices—such as security cameras or baby monitors—controlled by an outside party without the owners’ knowledge is called a botnet. A botnet attack can remotely control vast numbers of these devices, many of which have little or no security, and the damage can be significant.
For example, on October 12, 2016, a widespread distributed denial of service (DDoS) attack left much of the US East Coast without Internet access. Feared to be the work of a hostile nation-state, it turned out to be bots seeking to make money from Minecraft fans. Access in this case resulted from hackers scanning for IoT devices that still had their default passwords. The moral of the story: always change default passwords.
Hackers can take over network-connected surveillance cameras, making privacy a key IoT cybersecurity challenge. While spying through IoT-connected cameras is an issue, other devices such as smart toys, wearables, and even health equipment that records information on users can be hijacked. In one case, a doll with Bluetooth capabilities had vulnerabilities exposed when it was discovered that certain cell phones could access it to communicate directly with children. It was labeled an espionage device and banned in Germany.
When used on an industrial level, companies’ big data can be collected and exposed, causing unprecedented damage. Any device that connects to the public Internet could potentially pose such a risk, and care should be taken to ensure that default passwords are changed, software is up to date, and the implications of the Internet-connected nature of these types of devices are understood.
The world isn’t static, and IoT cybersecurity challenges will continue to develop and evolve. Best practices will change as hackers and other bad actors seek ways to use smart technology against its users and to their advantage. The best thing to do is develop robust strategies to address security issues and patch vulnerabilities. Organizations should define their approach and plan ahead to keep their networks safe. This includes training and creating protocols for all current and future IoT cybersecurity challenges.
Risks abound with anything connected to the Internet, particularly in commercial buildings and other large facilities. It is critical to acknowledge and remedy such vulnerabilities through effective and cost-efficient strategies.
Deployment of cutting-edge management systems and intelligent analytics within smart buildings will help you integrate gathered data and assist with:
Working to minimize IoT cybersecurity challenges, Buildings IOT helps you develop strategies and solutions around smart building technology, such as the use of onPoint Analytics. Through use of multiple security layers and with extensive expertise, our dedicated team of experts can help you integrate and manage your system to create custom IT solutions that provide 24/7 security, control, and visibility for smart infrastructure.
Buildings IOT offers the services and technologies you need to securely integrate IoT technologies in your building. Contact our team of experts today.
Richard Miller leads Buildings IOT's IT team to deliver managed services to smart buildings from data centers to shopping malls. He writes about cybersecurity for smart building systems, IT/OT collaboration and more.