Have you ever thought about securing your home or building? It’s an interesting question to ponder. The point here is, do smarter homes and buildings bring greater safety and security (we are looking at you, Ring doorbells!) or do these devices put the occupants at greater risk? Surely all these connected devices and automation systems can keep a closer eye on our homes, ensuring greater security on the perimeter of the home—but do they put our data at risk?
First, a primer. We recognize smart-home devices bring home-security opportunities. The 2024 Nationwide Homeowners Survey on Smart Home Insights shows homeowners are embracing the technology, with 34% owning smart video doorbells and 32% investing in smart-home security cameras—and a whopping 60% of smart-home device owners in the United States say they feel safer.
However, in recent years, we have seen a rising trend of breaches in our smart buildings and homes, raising questions about whether these systems and networks are actually as secure as we all like to believe.
Unpacking the Risks
Journey back with me through the past several years for a couple of minutes here, so we can look at how all of this is unfolding—and then I will share the onus on today’s building owners and operators.
Back in 2019, Kaspersky released some alarming numbers. Almost four in 10 computers used to control smart-building automation systems were subject to some kind of malicious attack in the first half of that year. Flash forward to 2022, and malicious objects were blocked on every third OT (operational technology) computer in the first half of that year. Building automation infrastructure turned out to be the most restless, with nearly half of those computers facing cyber threats.
We have seen some very real threats in recent years too. Back in 2021, there was a lot of talk about a German smart building being attacked by nefarious characters that took control of the security system. Also, in September 2023, we know the Dark Angels ransomware gang executed a cyberattack on Johnson Controls Intl., resulting in financial losses of roughly $27 million. Come on. You’re probably saying to yourself, if Johnson Controls can’t stop an attack that ended up costing $27 million, how can you? Just think of all the people, technology, and training that money could have gone toward in building up a much stronger cyber warfare effort. But the reality is the bad actors are getting better and faster, and even the giants can’t keep up.
This highlights the need for greater cybersecurity in smart-building infrastructure.
Arizona State University points to some of the biggest threats to our smart buildings and homes. These threats include, but aren’t limited to:
- Siegeware represents a fusion of ransomware tactics with vulnerabilities in building automation systems.
- Phishing aims to collect sensitive information by posing as a trustworthy entity.
- Malware is any software designed to cause damage to a computer, server, client, or computer network.
- Denial of service and distributed denial of service attacks shut down a machine or network.
- Man-in-the-middle attacks occur when an attacker intercepts and relays messages between two parties who believe they are directly communicating with each other.
- SQL injection involves inserting malicious SQL code into a database query.
- A zero-day exploit targets a vulnerability in software or hardware that is unknown to the vendor or has not been patched at the time.
- Cross-site scripting injects malicious scripts into benign and trusted websites.
- Advanced persistent threats are when an attacker infiltrates a network and remains undetected.
- Social engineering tricks users into making security mistakes or giving away sensitive information.
Research from NYU (New York University) echoes the sentiment that there are greater privacy and security threats in smart homes, digging into the intricacies of the local network interactions between 93 IoT (Internet of Things) devices and mobile apps.
While most users typically view local networks as a trusted and safe environment, the findings show new threats including the exposure of unique device names, UUIDs, and even household geolocation data, all of which can be harvested by companies involved in surveillance capitalism without user awareness.
Next Steps
With all this in mind, what, then, can be done next? Well, the first step is always awareness. Both building owners and homeowners need to be aware of the inherent risk that comes with owning smart-home devices and systems. They must understand the data each of these devices is collecting.
Next, steps must be taken to proactively protect the data. Let’s look at this from the perspective of the building owner and operator for a few minutes. Arizona State University gives some very clear tips and steps to take to protect a building’s network, including:
- Limit network access.
- Use complex and unique passwords.
- Store passwords in a secured database.
- Multi-factor authentication.
- Monitor network activity.
- Regular tests for vulnerabilities.
- Secure physical media and devices.
- Dispose of sensitive data securely.
- Dedicate time to learn about threats and mitigation.
- Educate your employees.
- Implementation of an information security framework.
- Implementation and maintenance of an information security program.
- Implement policies and procedures for change management, commissioning, and patching.
- Updating firmware and system security.

Did I miss something I should have on this list? What would you add to this list?
What steps are you taking to secure your buildings and homes?
What needs to happen next to make sure our data is secure?