'Smart' school facilities aren't always safe – expert

The buildings we live and work in are getting smarter and more connected. An example of this is building automation systems (BAS) – control systems that manage core physical elements of building facilities such as air conditioning, fire control, elevators, door access control and video surveillance.

Although there hasn’t yet been malware specially crafted for smart buildings, malicious software targeting industrial control systems (ICS) have seen enormous growth in the past decade. These attacks can be devastating and malware targeting smart buildings may be an inevitable next step.

In recently published research from Forescout’s Industrial Security research team, proof-of-concept malware was developed to highlight the risks exposed by building automation systems and demonstrated the relative ease with which the multiple systems can be exploited and used to move within an enterprise.

In this research, two potential attack examples were described: controlling the physical environment (changing temperature setpoints or crashing devices used for heating, ventilation or air-conditioning) and controlling access to the building.

Smart isn’t always safe

Steve Hunter, ForeScout’s senior director for systems engineering – APAC and Japan, said that because of this, vulnerabilities in smart buildings are potentially very dangerous.

“Schools, just like many organisations, can improve their network security to become fully equipped to deal with today’s emerging threats,” Hunter told The Educator.

“Specifically, attacks to BAS are proving to be fairly easy and cheap to implement, requiring proper security tools to prevent. They will also be difficult to detect without the right BAS-focused threat detection tools.”

Hunter said a common mistake is to think that smart buildings are just another incarnation of ICS and that their security should be handled like ICS security.

“This is a misunderstanding because smart buildings are much more open and interconnected than ICS, and while Internet of Things [IoT] devices will likely not get through the perimeter of ICS, they will certainly enter, and likely reshape, the building automation industry,” Hunter explained.

“We are also seeing the introduction of new building automation technologies into old buildings, but without being able to wholesale replace all of the existing systems.”

Hunter said this means an integration of old operational technology (OT) systems with the latest information technology (IT) devices, including IoT.

Early detection a must for schools

One way to increase BAS visibility, says Hunter, is to adopt an advanced network monitoring and situational awareness platform for building automation.

“These types of tools provide much-needed visibility into the BAS and raise an immediate alert if a new connect device appears on the network or a communication pattern becomes abnormal or dangerous,” he said.

“They also empower users to enforce compliance with internal network and maintenance policies, alerting when network behaviours that are suspicious are observed or when device vulnerabilities are targeted.”

As with securing the traditional IT environment that schools have had to deal with for decades, Hunter said starting with complete visibility into BAS networks is key to identifying this type of attack.

“Adding enhanced security with network monitoring can give schools a thorough understanding of the BAS environment and its connections,” he said.

Hunter pointed out that this makes it easier to design effective security architectures, identify attack vectors and locate blind spots.

“Any approach taken should encompass both IT and BAS/OT where possible, as the challenges around complete device discovery and ensuring only approved devices are connected is an ongoing need that must be addressed for both domains,” he said.