Intelligent buildings: infrastructure in the target of the cybercriminals 

ESET presented their analysis of the security risks to which intelligent buildings are exposed; an infrastructure that grows and seems to be in the target of Crooks.

In the last edition of the Ibero-American Information Security CongressSegurinfo-which took place on April 23rd in Buenos Aires, Argentina, ESET, a leading company in proactive threat detection, approached its analysis of intelligent buildings detailing the security risks associated with this type of infrastructure.

Intelligent buildings use technology to control different dynamics in order to provide greater comfort, contribute to the health and productivity of those who inhabit them. To do this, they use building automation systems (BAS). With the advent of the Internet of Things (IoT) the intelligent buildings were redefined and the technological equipment allows to analyze, to predict, to diagnose and to maintain the different environments, as well as to automate processes and to monitor in real time variables such as ambient temperature, lighting, security cameras, elevators, parking, water management, among others.

During the opening talk of the Congress, Tony Anscombe, the Global Security Evangelist of ESET, mentioned that in the United States, the growth of intelligent buildings is estimated to be 16.6% for 2020 with respect to 2014; And that this reality of expansion is occurring at the global level. This growth is due to the technology that crosses process automation and the search for energy efficiency, representing a contribution towards sustainability and a reduction of costs, the objective of any industry.

In terms of security, the risk in intelligent buildings is that the entire smart grid can be connected to a single database. IoT devices are manufactured by different vendors and are unlikely to take into consideration safety aspects during their manufacturing process. Anscombe opined that “it is potentially likely that many of those who today do not inhabit such a building at some time do,” given the growth of building intelligent buildings that use IoT comes on the rise.

The risk of a security incident in this type of infrastructure is associated with the motivations of the cybercriminals, who mainly seek to obtain an economic benefit from their actions, but also to generate impact and transmit fear.  As Anscombe explained, if you search for BAS specifically, you can find thousands of building automation systems on these lists with information that could be used by an attacker to compromise a device. In February 2019 they appeared in Shodan, a tool that allows to find vulnerable systems connected to the Internet including IoT devices

 

One type of attack that was observed on several occasions is the so-called Siegeware, whereby a malicious actor has the ability by code to make a Extorsiva demand from taking control of the digital features of a building.

“The low cost of IoT devices for buildings and the advancement of technologies for building automation systems is generating changes that affect security. This search for automation and the use of intelligent devices that collect data to provide comfort to its occupants, as well as make more efficient use of resources, such as energy, depending on their implementation could also increase the risk for security. In this sense, the possibility of a cybercriminal executing an attack of the type ransomware that affects an intelligent building is already part of the reality. “, said Camilo Gutierrez, head of the Research Laboratory of ESET Latin America.

ESET shares security considerations and requirements that should be present:

• Review the safety specifications of the devices and work aligned to the concept of security by design

  • Allocate a budget according to the Security
  • Select partners who have knowledge in the field of security
  • Counting with a program for Managing Vulnerabilities
  • Cooperation between the various areas and/or departments

With regard to the recommendations from the operational point of view:

  • Update devices on a regular basis
  • Establish a replacement plan if the life cycle of a device ended
  • Prevention about what is connected
  • Monitor connected devices