Imagine a group of hackers breaching a building’s secure computer network – but they aren’t interested in stealing financial data, sensitive emails or company secrets. Instead, they want to hack the building itself.
Imagine the hackers take control of the building’s heating system and crank up the thermostat, damaging temperature-sensitive servers. They turn off the lights and activate the fire alarm system at random, making it impossible to work in the building. And then they shut water valves, backing up sewage and wreaking havoc on the plumbing – all from behind a computer screen.
This scenario isn’t as far-fetched as it might sound. Building control systems are more connected to the Internet than ever before, allowing remote access, monitoring and greater energy efficiency improvements. But greater connectivity can lead to greater vulnerability for buildings if the proper security measures aren’t in place.
“It can be as benign as brand damage and as dangerous as life safety issues,” said Tom Shircliff, co-founder of SouthPark-based Intelligent Buildings, which provides energy efficiency and smart-building consulting. The company helped design the systems for the Duke Energy Center and was a key partner in launching the Envision Charlotte initiative (behind those energy monitoring screens you see if you work in an uptown building). Now it sees a growing need for building cybersecurity.
“Even a low-level nuisance is a brand problem,” said Shircliff. “If you’re a big developer or portfolio manager and you can’t get the lights on or your elevators working, that’s not good for business.”
With the real estate market largely recovered and building booming, there are more buildings under construction that have to consider security. And the push for “smart buildings,” where building systems are integrated and accessible online, means connectivity is only going to increase. Intelligent Buildings’ goal now is to raise awareness of how building systems can be just as vulnerable to cyberattacks as other corporate networks.
“Whether it’s a lighting system, HVAC, physical access control, video surveillance, elevators, they’re all computer networks,” said Rob Murchison, Intelligent Buildings’ co-founder. “Since they’re computer networks with servers, they are susceptible to the same vulnerabilities and exploits.”
He pointed to risks such as someone changing the settings on valves feeding a building’s cooling system to break the equipment.
“You can bring the whole system down. It’s not an ‘if,’ it’s a ‘when’ question,” said Murchison, sitting in front of a screen displaying cyberattacks worldwide in real time.
A Government Accountability Office audit in December found that not enough is being done to secure building control system networks. “Building and access control systems are vulnerable to cyberattacks,” the report said.
The number of attacks reported on such systems rose 74 percent from fiscal 2011 to 2014, the GAO said, to 243 incidents.
But Intelligent Buildings isn’t advocating isolating computer systems from the Internet. Such connectivity makes it far easier to manage buildings and monitor for ways to cut down on energy consumption. However, they say many buildings are using software from many different vendors that can be out of date, lack security patches and follow different security standards.
Instead, they say building systems should be on a single, unified network with up-to-date security measures. They also say the numerous vendors who service building systems need security policies, such as strict control over passwords and other access protocols when an employee is fired.
“Would you rather have one secure network or 17 that you don’t know what you’ve got?” said Shircliff.
Data-centered hacks have attracted far more attention in the media. Shircliff and Murchison are trying to make people more aware of building systems risks without causing panic.
Ray Rupuano, a Raleigh-based Cisco executive in charge of smart buildings, said it can be a challenge to convince executives that connecting more systems won’t actually create more vulnerabilities, if it’s done right.
“Customers see putting building systems on the Web as a risk, not as a way to prevent attacks,” said Rupuano. “We’ve got to get rid of the fear.”
Another challenge, Shircliff and Murchison said, is that facilities operations and information technology have been in separate silos.
“Traditionally, facilities management and IT are not having a lot of conversations,” said Shircliff. “We’re really bringing established IT cyber concepts to the building.”
To be sure, Shircliff said the worst-case scenario won’t happen in all, or even most, buildings. But he said developers should still pay attention to securing building systems controls, or risk harassing attacks.