Reading this analysis on the threat posed to (and by) smart buildings, I was struck by the advantages and disadvantages the nature of these environments present when viewed through the lens of security. This could be a continuation of my run on Industrial Control System (ICS) security - however there are both similarities and significant differences that set this specific area apart.
In terms of the physical control that smart building technology, the reach is extensive; sensors and control systems for HVAC, video surveillance, alarms systems, elevator and lift control. On the other side, the systems or over-arching management interfaces have a much higher chance of being internet accessible; and share system architectural similarities more with traditional IT than the far more specific equipment found in pure ICS.
This then leads on to looking at the security of such systems, and the wider impact bad security might have. Most of us are familiar with one of the large historical breaches that involved third-party vendor access into a network; via an HVAC company route.
The two stats that stood out for me in this analysis were that by far and away the largest group of attack types were generic; and not ICS-specific. The common system architecure of smart building technology allows these standard threats to pass across. Secondly, over 40% of systems researched (41.2%) - had been attacked; which is consistently higher than ICS networks face.
Both of these statistics tie in to the methods we look to when trying to prevent lateral movement; namely visualisation of how these systems are linked to other networks (as in the case of the famous un-named breach), and also the ease of which typical malware campaigns and threat actors can move through these systems without being hampered by esoteric technologies - something that east-west network segmentation exists to provide.
The security of automation systems in buildings — industrial versions of the now common smart home. Such automation systems are used not only in office and residential buildings, but in hospitals, shopping malls, prisons, industrial production, public transport, and other places where large work and/or living areas need to be controlled.