IBM
Smart buildings - back door for hackers?
More and more buildings are being networked. And this also increases the security risks. The consequences of a lack of security were simulated in an "ethical hacking experiment" conducted by IBM. The results are worrying.
According to the latest IBM study, the IoT-based networking of buildings offers a lot of potential for hackers to attack.
© IBM
Networked, intelligent 'smart buildings' connected via the Internet of Things (IoT) are in vogue because they reduce operating costs, save energy and are easier to monitor and maintain: remote maintenance and remote control of air conditioning, heating and lighting are the key terms here. Until now, however, these remote maintenance and control systems were isolated, proprietary solutions that were not connected to the internet. Special security precautions against cyberattacks were therefore not necessary. This is currently changing, and this is precisely where new security risks arise. In an "Ethical Hacking Experiment" conducted by IBM, the consequences of a lack of security were simulated. The results are not reassuring.
Carelessness as the greatest danger
According to Gartner, smart homes, intelligent factories and administrative buildings already represented around 45% of all "connected things" worldwide last year. The analyst firm estimates that there are over 206 million networked devices in operation in these 'smart buildings', and that this number will more than triple to 648 million by 2017.
This development could also cause headaches, because the biggest danger is carelessness. Connected buildings are creating a kind of "shadow IoT": a constantly growing network of devices that are connected to the internet but, as digital networking has progressed, have not yet appeared on the radar of standard security measures. This means that buildings that are connected to the IoT are pretty much defenceless against cyberattacks. Little thought has been given to the associated risks, yet the danger is considerable. An attack on a networked building can not only lead to stolen sensitive data or manipulated IT systems, but also carries a risk of physical harm to people and damage to buildings. This is because modern building systems often also control elevators, escalators, fire alarm systems and building-internal security systems.
In particularly security-sensitive facilities such as airports, power stations or sewage treatment plants, hospitals or prisons, the consequences of a lack of security could be even more dramatic. IBM recently simulated this in its Ethical Hacking Experiment.
Result of the simulated hacker attack
In an ethical hacking experiment, IBM simulated an attack on a real networked building. A good dozen security vulnerabilities were discovered that enabled IBM not only to penetrate the building system, but also to gain access to the central server that controls over 20 other buildings across the USA. If cybercriminals were able to gain control of this server, it would have serious consequences for the entire building security, from controlling the elevators to the power supply. That was the sobering conclusion of this experiment.
There is a real need for action here, as the IoT-based networking of buildings is progressing inexorably, as the figures from Gartner show. Furthermore, in a recent survey of building automation system managers, 84% of respondents stated that they manage at least one building system that is connected to the internet. And four out of ten confirmed that such systems are also connected to higher-level company networks. Nevertheless, not even a third of those surveyed have taken measures to adapt the cyber security of their smart buildings to the new developments.
"Technologies and solutions are available to protect smart, networked buildings against cyberattacks," says Gerd Rademann, Business Unit Executive, IBM Security Systems Germany, Austria, Switzerland. "But in many cases, there is still a lack of awareness of how vulnerable smart buildings can be. Those responsible should definitely take action here."
IBM provides further information in its Security Intelligence Blog.














