Top 10 Buildings IoT Cybersecurity Challenges and Their Solutions

Throughout the Coronavirus pandemic, Internet of Things (IoT) technology has provided important tools for countless industries. IoT enables doctors and other healthcare workers to diagnose and treat patients remotely, deliver vital medical equipment and medicines to remote areas, and IoT-enabled robots are even helping keep healthcare facilities clean, reducing the risk of transmission. Office buildings are turning to IoT devices to monitor air quality to prepare buildings for reopening and keep occupants safe. IoT sensors are increasingly being paired with intelligent analytics in all types of commercial buildings to improve fault detection and diagnostics to allow for remote monitoring and to minimize the need for on-site personnel.

But while smart technologies have great promise, the network-connected nature of IoT devices can pose a cybersecurity risk if deployment is not well understood and managed. Many detractors believe that the proliferation of the Internet and the sheer number of devices within these smart ecosystems makes IoT a liability for security. But with careful planning, competent management and sensible protocols, smart buildings can be made safer and more secure.

Addressing 10 IoT Cybersecurity Challenges

Though much has changed, much has also stayed the same. In 2000, Scott Pulp of the Microsoft Security Response Center wrote a seminal article on what would eventually become referred to as “cybersecurity”. These Immutable Laws of Security are still relevant today when it comes to facing IoT cybersecurity challenges. For buildings IoT, these challenges include:

1. Ransomware Attacks 

Malicious software has long been a serious concern for computer networks, well before the proliferation of smart technology. Hackers can exploit vulnerabilities in IoT networks and leverage these weaknesses to deploy ransomware attacks. In these attacks, hackers seize control of systems or encrypt valuable information and then demand ransoms, usually payable in cryptocurrencies. 

While it makes sense to discourage the practice by not paying the ransoms, this is not sufficient to avoid the problem, which requires that those connected through IoT networks act responsibly. Mitigation techniques include: 

• Incorporate security software into all connected devices to stave off ransomware attacks. 
• Upload the latest software patches for all devices and control systems, including firmware for smaller units such as sensors. 
• Ensure backups are current and a process is in place for regular, frequent updates.
• Unplug hard drives after backing up, or maintain a secure network-level separation between main and backup data stores for larger scale systems. 
• Immediately switch off affected devices.
• Limit access to systems.
• Implement a robust password management system and assure that no device retains default passwords as shipped from the vendor.
• Conduct regular security audits with qualified professionals.

2. Outdated Operating Systems

With increasing control of critical operational technology (OT) points in IoT systems, it’s important that operating systems are kept updated and properly protected. The dangers of foregoing this step can drastically increase vulnerability to serious security breaches. For example, hackers compromising a building’s HVAC system during a major heatwave may seem like a minor inconvenience, but such occurrences can be life-threatening, as one small community recently discovered. 

In February 2021, a hacker compromised a water treatment facility in Oldsmar, Florida by exploiting an outdated Windows 7 operating system and poor password security to increase levels of sodium hydroxide into the water supply. An observant manager quickly noticed the hack and denied further access, but the incident is a stark reminder of the importance of up-to-date operating systems and using more complex passwords. 

3. IoT Device Theft

While cybersecurity focuses on data theft or loss of system control, old-fashioned thievery can facilitate such crimes. Because smart building systems involve multiple connected devices, including those that are privately-owned, stolen devices can infiltrate these same networks. To prevent this, consider doing the following:

• Allow devices to be remotely deactivated.
• Employ encryption to keep communications secure. 
• Use unique, strong passwords on IoT networks and devices, as well as password management software. 
• Disable unused features.
• Audit and upgrade IoT devices.
• Keep all other related software updated.

4. Cloud Attacks

As the digital and physical worlds increasingly intertwine, IoT cybersecurity becomes more complex. With remote work becoming more common, hackers attack devices used by employees outside the network to compromise them. Since many IoT devices rely on cloud-based services for functionality, ensuring proper access control and correctly configuring off-premises software helps prevent breaches. 

5. Access Control

Remote and direct access to servers, whether physical or cloud-based, should be strictly regulated to prevent unauthorized access. Consider taking these steps to regulate access: 

• Require employees and contractors to sign confidentiality agreements.
• Use virtual private networks (VPNs) with two-factor authentication (2FA).
• Limit access to those working on projects.
• Log access by IP address.
• Configure system access to limit users to necessary parts of the system.
• Use smart analytics to enforce user permission and access in real time. 

6. Administrative Issues

With building systems continuously generating vast volumes of data, administrative IoT cybersecurity challenges include:

• Adapting protocols for monitoring an increasing number of devices.
• IoT devices that produce data in unusual formats, with software in unfamiliar languages. 
• Poorly designed or difficult-to-integrate networks. 
• New back-up strategies for accommodating IoT devices and data. 

7. Encryption Technology

When interacting within IoT ecosystems from remote locations, it’s important to remember that connecting through insecure networks can compromise systems. Never connect via public Wi-Fi networks or those using untrustworthy encryption practices, as these expose devices to attack and can result in lost data. Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) encryption are outdated and shouldn’t be part of your network setup. 

Even with updated Wi-Fi protocols WPA2 and WPA3, vulnerabilities still exist. WPA2 is susceptible to key reinstallation attacks, or Krack, which allows attackers to compromise and view encrypted traffic, hijack credentials, and steal sensitive information. WPA3 is vulnerable to Dragonblood attacks, where attackers target instant messages on Wi-Fi networks to obtain passwords and gain access to confidential information.  

Running multiple layers of encryption within communications channels between IoT devices makes attacks more difficult to launch. Virtual personal networks (VPNs) also provide inexpensive and easy ways to configure devices against Krack attacks. Two-factor authentication (2FA) should be used in all cases in addition to an encrypted VPN connection.

Networks can also be partitioned internally using VLANs or physical network separation to provide a clear delineation between the network used for IoT and other building system devices and the general corporate network, with specifically designed and carefully controlled access points linking the protected network to the wider corporate network only as required.

8. Botnet Attacks

A collection of compromised Internet-connected computers or other devices—such as security cameras or baby monitors—controlled by an outside party without the owners’ knowledge is called a botnet. A botnet attack can remotely control vast numbers of these devices, many of which have little or no security, and the damage can be significant. 

For example, on October 12, 2016, a widespread distributed denial of service (DDoS) attack left much of the US East Coast without Internet access. Feared to be the work of a hostile nation-state, it turned out to be bots seeking to make money from Minecraft fans. Access in this case resulted from hackers scanning for IoT devices that still had their default passwords. The moral to the story: always change default passwords.

9. Privacy & Industrial Espionage

Hackers can take over network-connected surveillance cameras, making privacy a key IoT cybersecurity challenge. While spying through IoT-connected cameras is an issue, other devices such as smart toys, wearables, and even health equipment that records information on users can be hijacked. In one case, a doll with Bluetooth capabilities had vulnerabilities exposed when it was discovered that certain cell phones could access it to communicate directly with children. It was labeled an espionage device and banned in Germany. 

When used on an industrial level, companies’ big data can be collected and exposed, causing unprecedented damage. Any device which connects to the public internet could potentially pose such a risk, and careful consideration should be taken to assure default passwords are changed, software is up to date, and the implications of the internet-connected nature of these types of devices are understood.

10. Adapting Security Protocols 

The world isn’t static, and IoT cybersecurity challenges will continue to develop and evolve. Best practices will change as hackers and other bad actors seek ways to use smart technology against its users and to their advantage. The best thing to do is develop robust strategies to address security issues and patch vulnerabilities. Organizations should define their approach and plan ahead to keep their networks safe. This includes training and creating protocols for all current and future IoT cybersecurity challenges. 

Strengthening Cybersecurity in Smart Buildings

Risks abound with anything connected to the Internet, particularly in commercial buildings and other large facilities. It is critical to acknowledge and remedy such vulnerabilities through effective and cost-efficient strategies.  

Deployment of cutting-edge management systems and intelligent analytics within smart buildings will help you integrate gathered data and assist with:

• Building security into automated systems and networks.
• Customizing reporting in real-time to create action from insights and track status of network devices and their bandwidth usage.
• Flagging suspect system access immediately.
• Identifying and addressing threats through a fault detection system proactively and quickly, with minimum human intervention.
• Managing traffic logs and remote access by roles and users.
• Navigating end-to-end controls, design, precision monitoring and analytics through effective change management of intelligent BMS network automation.

Working to minimize IoT cybersecurity challenges, Buildings IOT helps you develop strategies and solutions around smart building technology, such as the use of onPoint Analytics. Through use of multiple security layers and with extensive expertise, our dedicated team of experts can help you integrate and manage your system to create custom IT solutions that provide 24/7 security, control, and visibility for smart infrastructure.

Buildings IOT offers the services and technologies you need to securely integrate  IoT technologies in your building. Contact our team of experts today.