For quite some time, large organisations have been prime targets for cyber-attacks due to their profitable nature. However, with more advanced techniques and the development of artificial intelligence, small and medium sized businesses are increasingly finding themselves in the crosshairs as well.
Despite cybersecurity being integrated into every aspect of our world, research shows only 2% of organisations in the UK have the ‘mature’ level of readiness against cybersecurity risks. From office complexes to residential blocks, ensuring the cybersecurity of buildings is a key aspect to safeguarding both physical assets and personal data.
Jasper Nota, an esteemed ethical hacker from Secura, which is a subsidiary company of Bureau Veritas, discusses how building operators and security officers can safeguard their smart buildings.
Network security
Networks must be designed with security in mind. Firewalls, intrusion detection systems, intrusion prevention systems and proper network security protocols can all help to safeguard the infrastructure. However, it’s imperative to presume that cybercriminals could bypass one of these adopted defence mechanisms. Therefore, a defence-in-depth security architecture is recommended.
For example, dividing a network into separated sub-networks will help prevent the lateral movement of attackers whenever they gain a foothold within the network. Implementing (certificate-based) network access controls will ensure that unauthorized individuals who gain entrance to the premises will not automatically gain access to the internal network whenever they plug a device into a network port.
With all this in place, it’s still critical to continuously monitor network traffic as it can enable early detection of suspicious activities, allowing for a timely response to potential threats.
Physical access controls
Using robust access control systems, such as key cards that cannot easily be cloned, will help regulate who can enter the building, and designated restricted areas within the building. Restricting physical access to networking equipment, smart devices and server rooms can prevent an attacker from tampering with electrical devices. Through insecure (debug) interfaces, an attacker could easily compromise a device they have physical access to. The trust relationship between that device and other devices within the network could be abused to further attack the environment. Thus, it is crucial that systems are only accessible by authorized personnel. In case that this is not achievable, proper anti-tampering mechanisms should be added to the system design. Additionally, applying security cameras, and security guards may help to deter unauthorized access to equipment.
Device authentication and exposure
Security officers should ensure that only authorized users can access resources and perform specific actions on systems. Enforcing strong password and lockout policies, using multi-factor authentication, and using IP-based allowlisting are several examples that can decrease the likelihood of unauthorized access to sensitive resources. It is also advisable to map the external attack surface to determine which systems can be reached remotely. For example, conducting a search on Shodan, which is a search engine for connected devices, to determine whether the BACnet protocol is externally exposed. In addition to this, recurring audits of user permissions can help identify any gratuitous privileges, reducing the attack surface for potential breaches.
Regular updates
System manufacturers often release security updates to mitigate newly discovered vulnerabilities in software and hardware components. Security officers must stay aware of these and promptly push these updates to mitigate the risk of exploitation by cybercriminals. Note that updates should always be tested in a test environment before pushing them to production. Whenever vulnerabilities that cannot be mitigated with a security update are discovered within hardware components, manufacturers tend to released new hardware designs. Security officers should decide whether the risk can be accepted for their environment or whether they need to replace the device.
Third-party security
Ensure that all third-party vendors and suppliers adhere to strict security standards (e.g. IEC 62443) and protocols to minimize the likelihood of incorporating insecure devices into the infrastructure, and supply chain attacks. Inquire from third-parties whether they conduct security assessments to assess the security posture of their products, and whether products obtained any security certifications such as Common Criteria.
Educate building occupants
Human error can play a huge role in weakening the security posture of (smart) buildings. Occupants and staff should be educated about best practices for cybersecurity, including the importance of strong passwords, recognising phishing attempts, noticing when people are shoulder surfing or tailgating, and reporting suspicious activities promptly. Regular training sessions and awareness campaigns can empower individuals to play an active role in protecting building assets and data.
Prepare for the worst
Preparation is key. Despite proactive measures, security breaches can still occur. In the event that this happens, building operators and security officers should have a comprehensive incident response plan ready, which outlines procedures for detecting, containing, and mitigating cyber-attacks. This includes designated teams, communication protocols with stakeholders, and procedures for data recovery and restoring the systems in place. Regular drills and simulations can help test the effectiveness of these plans and prepare in advance.
In an increasingly interconnected world, prioritising cybersecurity is not just a matter of protecting the building itself, but about safeguarding the safety, privacy, and well-being of everyone within these spaces. By implementing robust access controls, securing network infrastructure, staying vigilant with updates and educating occupants and staff, buildings can strengthen their defences for the future.