Cybersecurity for Smart Buildings

By Larry O'Brien
ARC Report Abstract

Executive Overview

Addressing the crucial issue of cybersecurity in today’s smart buildings is a challenge. Like the manufacturing sector, the building automation sector is going through its own digital transformation. Increasingly, end users are moving away from the older proprietary systems of the past and adopting edge-to-cloud computing architectures. There is a drive to deploy more lower-cost sensors, both wired and wireless, to gather as much data as possible. At the same time, the industry has a considerable installed base of legacy building automation systems, applications, devices, and networks that must be managed, maintained, and gradually modernized.

All these factors create unique cybersecurity challenges. The ubiquitous connectivity and remote operations promised by IoT bring with them many security concerns. Legacy systems pose their own risks and vulnerabilities and are no longer the obscure systems that nobody is interested in any more. Attackers take advantage of known vulnerabilities in both new and existing systems to disrupt operations, steal customer data, and cause destruction.

The application space for building controls is also varied and complex.  ARC Advisory Group’s own research into building automation systems encompasses HVAC, energy management systems, lighting control systems, video surveillance systems, access control systems, elevator control systems, as well as their attached sensors and devices, from cameras to thermostats to light sensors.  Each system and device, including its multiple versions and iterations, has its own level of cybersecurity risk.

End users and owner-operators of today’s smart buildings are also confronted with shrinking resources and other organizational challenges such as IT/OT convergence. Having a good plan and developing the right organization is just as important as implementing the right technologies. It helps to have access to information about the latest standards, best practices, and relevant industry groups. For the building automation sector, many of these activities are just getting started.

Smart Buildings, Digital Transformation, and Cybersecurity

Rapid adoption of IoT-based systems with the promise of significantly reduced operational costs is driving rapid growth in the building and facility automation marketplace.  The major objectives of these systems are to improve occupant comfort, reduce energy consumption and total cost of ownership, operate building systems efficiently, and increase the lifecycle of utilities. 

[Figure: Edge-based Systems Are Already Replacing Conventional Systems for Building Automation]

Digitizing these systems presents a huge opportunity to reduce energy and operational costs for building or facility owner-operators.  Commercial buildings consume over 70 percent of the electricity produced in the US.  Many buildings are older and incorporate dated legacy technology and could significantly benefit from retrofitting the building control infrastructure to help reduce total cost of ownership and enhance security and safety.

Digitization Can Reduce Lifecycle Cost and Increase Cyber Risk

According to the latest information available from the US Energy Information Administration, most of the installed base of commercial buildings in the country were built before 1980, while the newer buildings that are being constructed are often much larger in scale and much more complex in terms of the types of building controls required.  According to the US Department of Energy, both commercial and residential buildings produce about 38 percent of the greenhouse gas emissions, representing a significant opportunity for the new generation of IoT-enabled systems to reduce the sector’s significant carbon footprint.

HVAC systems and lighting, for example, are the largest energy consumers in office and residential buildings.  Buildings and, to a lesser extent, HVAC systems typically have lifecycles that top out at 20 years or more.  When upgrading HVAC systems, modifying building spaces, or changing usage patterns, it is important to revisit the control strategies.  New smart, digital technologies for building monitoring and control can help improve occupant comfort and provide information to help the building operate as efficiently as the physical building and equipment allow.

But the increasing digitization of all buildings increases cyber-risk.  Many owner-operators are realizing the importance of a sound cybersecurity strategy because of their digitization efforts.  Assets are increasingly connected, driving the need for secure remote building monitoring and management.  Owner-operators must also get a better perspective of the kinds of potential vulnerabilities that exist among their installed base of cyber and control system assets.  Data flows must be planned and monitored, possibly making it necessary to use one-way data diodes.

Smart Buildings, Cybersecurity, and IT/OT Convergence

The convergence of information technology (IT) and operational technology (OT) is a hot topic today.  Successful IT/OT convergence requires close cooperation between the previously separate IT and OT groups within an organization.  IT and OT cybersecurity teams need to follow suit.  Convergence of their efforts will close gaps in existing, siloed programs and help defend the organization against new challenges.

Many end users and owner-operators in the building automation sector still view IT and OT cybersecurity as separate challenges.  Different concerns and practices seem to justify siloed efforts and separation of responsibilities.  However, attackers are already exploiting gaps between IT and OT defenses.  For example, spam phishing is commonly used to gain privileges and entry into OT systems.  Hackers are using HVAC and other poorly defended OT systems as entry points into data centers and corporate IT networks. 

OT Systems Incorporate More IT

Like it or not, building automation systems are incorporating more IT technology, and are moving away from the proprietary and highly specialized designs of the past.  Incorporating commercial off-the-shelf IT technology is not a new phenomenon for the building automation industry.  The adoption of standard PC workstations, operating systems, and board-level components has been happening for decades. 

The rise of the Internet of Things, Industry 4.0, and other sweeping technology initiatives, however, is creating a huge wave of IT adoption at every level of the system architecture. Edge computing devices are already replacing proprietary controllers in a variety of applications. ARC sees the adoption of a wider range of cheaper, smarter, more pervasive sensors. Adoption of emerging technologies like 5G is just getting started. Aside from the functions performed by the systems and their unique sensing requirements, it will be more difficult to distinguish between building automation systems and enterprise-level systems from a computing perspective.

IT/OT cybersecurity convergence will be challenging. The different priorities, practices, and technologies can be hard to reconcile. Cultural issues, such as overcoming the longstanding distrust between IT and OT groups, can be an even larger hurdle. A convergence plan that anticipates these roadblocks is essential.

IT/OT cybersecurity convergence also has the potential to solve many cybersecurity challenges for smart buildings.  Shared responsibility for securing IT/OT interfaces can help companies eliminate malware propagation across systems.  Cross-trained, collaborative teams can fill critical expertise gaps and improve incident response efforts.   Common processes and metrics can increase visibility of risks and help companies focus efforts and investments on the most critical issues.   

Integrating cybersecurity teams is probably the biggest challenge for companies considering IT/OT cybersecurity convergence.  Significant differences in IT and OT cultures must be overcome to drive effective collaboration and cross-domain support.  Establishing the right organizational structure is essential.  The most common strategy seems to be creating a single cybersecurity organization charged with three major objectives:

  • Shared, end-to-end responsibility for securing all business processes
  • Global corporate governance of all cybersecurity policies, procedures, technology, and guidelines
  • Continuous management of all cyber-assets, vulnerabilities, and threats regardless of where they appear

This may be implemented through formal organizational changes or through virtual teams of people who work in all the related areas like IT operations, OT operations, and security operations centers (SOCs).  Most organizational plans also include third parties with specific expertise.  These are often used for peripheral tasks like program audits, system assessments, and pen testing. 

The Rise of OT-level Cyber-attacks and Changing Threat Landscape

Cyber-attacks on smart buildings, along with related attacks on smart cities and infrastructure, can have wide-ranging impacts and can pose risks to human safety. An attack in a large public building or structure, particularly in a densely populated area, could potentially cause chaos. The recent power failure at the Atlanta Airport, while not an official cyber-attack, shows what can happen when densely populated public spaces are thrown into darkness and everything shuts down. It also highlights the critical nature of availability and uptime and its relationship to safety in today’s smart buildings.

Cyber-physical assets in smart buildings, cities, and infrastructure are becoming more distributed, particularly when you look at the new trend toward monitoring entire fleets of buildings from a centralized location.  On a campus or in a medical complex, these systems cover multiple city blocks and can be crucial to the overall functioning of a city or community. 

Being Mindful of Cyber Risk in New Technology

Today’s smart buildings feature many systems and interconnections.  These broaden the threat landscape for an attack.  In the case of the hack at the Target retail chain, the HVAC system was accessed and used to gain access to financial systems to steal the credit card information of over 40 million people.  The HVAC system that was breached was also connected via the Internet to the system supplier to enable remote monitoring of temperature, system performance, and other variables at multiple Target locations.  These remote access privileges were exploited to gain access to the facility. 

OT systems have the potential to improve operational efficiencies in the applications they control, but also to wreak extreme havoc.  The new generation of cyber-attacks, many of which appear to be sponsored by nation states with almost unlimited resources, are sophisticated multistage attacks designed to gain control over OT systems and cause disruption, chaos, and potential loss of human life.

Today’s cyber-attacks are increasingly sophisticated, driving an ongoing need for more sophisticated tools and services.  Successful attacks on large, cyber-sophisticated organizations have also demonstrated the limitations of defensive efforts to block intrusions and the importance of active strategies to minimize their impact.  Early detection of changes in endpoint devices and abnormal communications is fundamental to these efforts.  Tools to help defenders investigate and address these events efficiently are equally important.

Cyber-attack Categories

Cyber threats are dynamic.  Vulnerabilities change rapidly and attackers frequently shift their focus and attack methods.  Trying to address individual threats is ineffective and can quickly overwhelm organizations.  An alternate approach is to focus efforts on three specific attack categories: privilege misuse, malware injections, and insecure protocol exploits.

“Spear phishing” is the most common method attackers use to compromise individuals within an organization. These attacks use social engineering techniques and flaws in a company’s security culture and practices to steal passwords and exploit an employee’s IT privileges to inject malware into systems. They are particularly dangerous because they can provide a foothold for attacks on critical devices that bypass other layers of defense.

Attackers inject malware directly into control devices using vulnerabilities in the software.  Malware injections can occur through external network connections or internal attacks launched at the device.  Researchers identify new vulnerabilities daily, so smart companies assume that sophisticated attackers can exploit any system to which they gain access.  Even when vulnerabilities are known, many stay unpatched for extended periods awaiting operational downtimes.  Sophisticated attackers also exploit “zero-day” vulnerabilities.  These are flaws that software vendors are unaware of or still evaluating.  Keeping attackers away from control systems is the only protection against these kinds of attacks.

Insecure Protocols

Exploiting insecure industrial protocols is another way that attackers can disrupt operations.  This is particularly true for building automation systems.  Popular protocols like BACnet and LonWorks are not inherently secure and, like protocols used in the manufacturing sector, have their own vulnerabilities.  Sophisticated attackers are aware of these and have easy access to the documentation needed to construct commands to disrupt the operation of controllers and other devices.

Changing Cybersecurity Supplier Landscape

Three primary classes of suppliers cover the scope of OT-level cybersecurity hardware, software, and services for smart building applications: OT-level ICS/SCADA cybersecurity suppliers, building automation system suppliers, and third-party service providers. OT-level cybersecurity suppliers include those that offer threat monitoring and detection, endpoint protection, network security, and overall cybersecurity management software and services. While the category encompasses hundreds of different suppliers, many are still in the VC funding stage.

Building automation system suppliers offer their own cybersecurity services and solutions. Building automation systems encompass a wide range of applications, including security, lighting, HVAC, energy management, and more.

The third class of suppliers, third-party cybersecurity service providers, typically offer a wide range of services from assessment to operational lifecycle services. 

OT-level Cybersecurity Suppliers

OT-level cybersecurity suppliers are a specialized subsegment of the cybersecurity products and services marketplace.  These suppliers focus mainly on the control systems and associated assets normally found in industrial operating environments, including building automation applications.  While not all OT-level suppliers actively serve the building automation space, most of the products offered could be deployed in a building automation environment just as in any industrial or critical infrastructure environment that involves specialized ICS or SCADA.

Table of Contents

  • Executive Overview
  • Smart Buildings, Digital Transformation, and Cybersecurity
  • Smart Buildings, Cybersecurity, and IT/OT Convergence
  • The Rise of OT-level Cyber-attacks and Changing Threat Landscape
  • Changing Cybersecurity Supplier Landscape
  • Building a Good Cybersecurity Program
  • Recommendations


ARC Advisory Group clients can view the complete report at ARC Client Portal   
