- Security TWENTY
- Women in Security
Mike Gillespie of Advent IM offers a starter guide to the Internet of Things (IoT) and ‘smart buildings’.
I often find myself being asked about ‘smart buildings’ and the Internet of Things. Given the nature of the questions, I can see a lot of confusion (quite naturally) exists and so I thought it might be a good idea to offer you an overview of what these terms really mean in practical terms.
The IoT is a catch-all term for all of the systems and equipment we have web-enabled and use over internet protocols (IP). When you stop and think about it, this is a huge scope and runs from the fitness tracker you put on your wrist in the hope of fulfilling your New Year’s resolution (to wear more fitness trackers, presumably) to building management systems that help control our working environments in a safe and secure way, and traffic management systems that control things like tram systems.
Smart buildings or buildings that operate ‘intelligently’ contain many and various aspects of the IoT. These may be automated or semi-automated in some cases. Not all buildings will have been born smart, some may have had smartness thrust upon them. But if a building has systems that are operating over IP then they will generally be termed as smart. As such, there are a range of vulnerabilities that will arise and augment the modern threat assessment and there is new language to be learnt and collaboration bonds to form.
There are a variety of threat vectors and actors when it comes to smart buildings. Given the range of IoT we have discussed that sits in these buildings, you can see that an attack could come through HVAC [heating, ventilation, air-conditioning] or building management systems (BMS); just as easily as it could be a virus unintentionally downloaded from a phishing email or watering hole attack (when targeted individuals are drawn to a specific site with express intention of infecting them with malware).
Threat actors are just as varied as are their motivations. For instance, in classic pharmaceutical industrial espionage, let’s say the actor decided to ruin a formula being created by a rival chemist. To do this they might break in to the building and laboratory and tamper with the temperature which would render the formula useless. This quiet method would be preferable as it would not draw attention and would allow the wrong-doer ample time to slip away. In the cyber version, the HVAC may be compromised through an attack and them from anywhere, the batch of experimental formula could be invalidated and the actor cover his digital tracks so effectively it might take a long time to understand.
Think again about the number of IP systems in a smart building and you being to realise the greatly increased attack surface we are talking about. It is also worth noting that when we talk about motivation, the need to disrupt, steal or damage may not always be the case. The systems we are talking about generate data of their own. Door entry, CCTV, BMS, cooling systems and many other systems; working day and night, sometimes entirely automated, creating the right environment and creating reams of data at the same time. This data is sometimes used in creating business insight to enhance productivity, increase efficiency and harmonise workspaces and users. We sometimes refer to this data as Big Data. Whilst Big Data is in fact, even bigger than this, the information gleaned from these systems is a big contributor to the over data sets that eventually become insight to drive greater efficiencies in business. They use it to increase agility and give themselves a greater competitive advantage. Individually the data may not seem valuable. Two things need to be considered here. What could the data be used for and how much more valuable does it become upon aggregation?
If we go back to our classic industrial espionage story, the actor might know from looking at the temperature data stolen from servers hosing remotely controlled environmental controls, that between the hours of 8am and 6pm the offices in the laboratory vary between 20 and 23 degrees, however one area is consistently kept at 17 degrees regardless of the time. So we now know where the formula is most likely kept. Aggregation of this and the door entry data might tell us that no one enters that room after 7pm. So the actor knows the location and optimum time to mess adjust the temperature to destroy the formula without anyone knowing until 8am the following morning at the earliest. Of course there is the scenario that the chemists would have the foresight to place an alarm on the temperature but if the actor has hacked the temperature control, chances are they know this too.
This is just an example; a flight of fancy to illustrate a threat that this new kind of building means we have to prepare for. Yes, they may be taking the data for a further attack, as in the example above but they may also be accessing it for a physical attack; removing CCTV images or deactivating cameras for instance; dropping barriers to physical entry and preventing alarms from being triggered. As the systems we are talking about here are all sat in cyberspace now, their location is simply that, cyberspace. As soon as you web-enable something it is ‘cyber’ and so the smart building as well as being a wonderful new environment, also offers an increased attack surface and increased threat vectors to consider in our threat assessments. One thing is for sure, smart buildings are here to stay, our ability to treat the risk that they represent needs to keep pace with the creation of more web enabled IoTs that contribute to this landscape.
About Advent IM
Visit http://www.advent-im.co.uk/about-us/advent_im_what_makes_us_tick/. Established in 2002, Advent IM, with offices in the Midlands and London, works nationwide and is members of the Institute of Information Security Professionals (IISP), the Security Institute (SyI) and British Computer Society (BCS).