Can you trust your Smart Building? - the issues associated with Internet of Things Cyber Security. Includes details of the Secure IoT 2019 conference: https://tvsecureiot.uk/ Presentation given by Duncan Purves, 2 Insight, (duncan@2insght.co.uk) at the IoT Thames Valley Meetup on 11th September, 2019: https://www.meetup.com/Internet-of-Things-Thames-Valley/

1. Can you Trust your Smart
Building?
Understand the security issues associated
with ‘smart’ building systems and why they
are important to you
Duncan Purves | 2 Insight Ltd | duncan@2insight.co.uk

2. Smart Building – A complex System of Systems
Lighting
Occupancy
sensing
HVAC
Fans, Variable Air Volume,
Air Quality, Maintenance
Water
Smart Meters,
Flow Sensors
Fire/Safety
Detectors,
Functionality &
Compliance Checks
Security/Access
Cameras, Badge Readers, Doors,
Floors, Occupancy, Perimeters
Elevators
Breakdown Alerts,
Maintenance, Performance
Power/Energy Management
Smart Meters
Parking
Lot Utilisation
Digital Signage
Electronic Displays

3. Benefits
Savings in energy and water usage
Reduction in costs and carbon footprint
Improved working conditions, safety and security
for occupants
Improved customer service levels
Visibility and management of occupancy levels
Optimisation of resources (physical, space and
human)
Reduced maintenance costs

4. IoT for intelligent buildings
global market
is expected to grow from
$6.3 billion in 2017 to
$22.2 billion in 2026
Source:
Navigant Research, 2017, “IoT for Intelligent Buildings”
https://www.navigantresearch.com/reports/iot-for-intelligent-buildings

5. Risks - IoT devices and networks
Deployment of sensors and IoT networks introduces new:
§ System elements and components that can be exposed
to possible attacks (attack surface)
§ Mechanisms by which the attack can take place (attack
vectors)

6. Cyber Criminals
States and state sponsored
Hacktivists
Malicious insiders (employees)

7. Potential damage to an organisation or individual
Through poor security practice could impact:
§ Reputation
§ Share price
§ Costs (operational, replacement, sales, legal, fines etc.)
§ Health & Safety

8. Bring your own IoT Device or Network - Shadow IoT
Shadow IoT (the use of unauthorized Internet of Things devices and
networks) poses a new level of threats for enterprises
2018 Infoblox report found that:
§ A third of enterprise companies have more than 1,000 shadow-IoT
devices connected to their networks on a typical day
§ A quarter of US employees are unclear as to whether their
organization has an IoT security policy
§ 20 percent of UK employees rarely or never follow security policy
for personal and IoT devices

9. Criminals Hacked a Fish Tank to Steal Data from a Casino
In 2017, it was revealed that criminals had managed to steal 10GB of data from a North American
casino high-roller database via an internet connected thermometer in a lobby aquarium

10. Cybercriminals Hack Into Factory
In 2012, Hackers exploited vulnerabilities in industrial heating systems which
were connected to the internet, and then changed the temperature inside the
buildings. Utilised a flaw in the building management software.
Source: https://www.fastcompany.com/3008148/cybercriminals-hack-factory

11. Poor installation by electricians and HVAC engineers who don’t understand security can
lead to BMS controllers being exposed on the public internet and vulnerable to attacks
https://www.pentestpartners.com/security-blog/too-cold-to-work-school-closed-sure-your-bms-hasnt-been-hacked/

12. Shodan

13. School’s Boiler Room Unsecured BMS
I can create a new user

14. Your building could become part of Botnet to launch DDoS
attacks
In 2016, Mirai malware infected CCTV video cameras and digital video recorders and was
used to launch a DDoS attack that caused a massive Internet outage affecting Twitter,
Amazon, Tumblr, Reddit, Spotify and Netflix

15. No-one would
be interested in
hacking us,
we’re not a
bank
Source: Beazley Group

16. Unintended victim of collateral damage
WannaCry - May 2017
§ Over 200,000 devices infected in more than 150 Nations
§ Impacted FedEx, Spanish telecoms and gas companies, French
Renault car production factories, Russian interior ministry, and the
U.K. National Health Service
Maersk wasn't the only company affected:
Pharma giant Merck was, FedEx, WPP and TNT were also hit

17. Security Best Practice, Policies and Procedures
Protecting your investments in Smart Buildings requires a structured approach
to implementing and maintaining security best practice, policies and procedures
US National Institute of Standards and Technology (NIST)
“Framework for Improving Critical Infrastructure Cybersecurity”
Core Functions

18. Common flow of information and decisions at the
following levels within an organization

19. NIST
Framework
Core Functions &
Categories

20. Preparing for your Risk Assessment
Example Questions
§ Have you identified your critical digital assets? Not all systems and data are
created equal.
§ Have you identified which systems are critical for health and safety reasons
and therefore must be fail-safe?
§ Do you have and maintain lists of all your assets (devices, software, and any
sensitive information/data)? If so, do you know who has access to them and
where the data resides?
§ Are you able to detect unusual behaviour/activity on your network/do you
use real time monitoring solutions?
§ Would you know if a rogue device came on to the system?
§ If the building systems are attacked do you have processes and policies in
place and are your staff familiar with these?

21. Stakeholder Responsibilities
Cyber Security Role Stakeholder/Actor
Vision, purpose and objectives – how will the building be used and what cyber security threat
landscape might it experience? How will cyber security be managed and maintained in the life of the
building?
Occupier and/or Developer in conjunction
with the Architect.
Building Design – what cyber security goals and standards should be met? What cyber security
functions will be delivered, and by which systems? Ensuring that security requirements are specified
for procurement.
Architect, Engineers
Systems Design – ensuring that cyber security foundations and key functions are built into
individual systems and components (e.g. HVAC, fire and security, lifts etc.) and that individual
systems can operate securely with others.
Systems and Device Manufacturers
Build and Integration – ensuring that security requirements are correctly procured and integrated
and set up to correct security configurations.
Building Contractor, Engineers
Facilities Operation/Maintenance – managing and maintaining secure system operation,
configurations and secure access for maintenance.
Facilities Management, Engineers, Systems
Manufacturers
Systems Maintenance – keeping security up to date (e.g. patches) and supporting facilities
management in having patches applied.
Systems and Device Manufacturers
Building Occupation - Integration of security status reporting and management with enterprise
cyber security – e.g. identity management, vulnerability status & alert detection.
Building Occupier, Facilities Management
Source: IoT Security Foundation, “Can you Trust your Building’, Whitepaper

22. IoT Security Foundation Whitepaper and other Best
Practice Guides are available for download:
https://www.iotsecurityfoundation.org/best-practice-
guidelines/
To find out how you can be involved with the Smart
Buildings Working Group, please contact:
smartbuildings@iotsecurityfoundation.org

23. Secure IoT Conference | 7th November 2019
Green Park Conference Centre, Reading
Learn about Risks & Threats | Best Practice | Meet Experts
https://tvsecureiot.uk

24. MEET LEADING EXPERTS
Confirmed Speakers
§ Amazon Web Services
§ Arm
§ Copper Horse
§ Device Authority
§ GSMA
§ IBM
§ IoT Security Foundation
§ Knowledge Transfer Network
§ NCC Group
§ Pen Test Partners
§ SAS

25. https://www.eventbrite.co.uk/e/secure-iot-2019-tickets-59043403409
20% Discount for IoT Thames Valley Members
Promo code: IOTTV19
Student/Academic Ticket