Navigant Research Blog

It Happened Again: Another Leak

— March 10, 2017

A major cybersecurity vulnerability has happened again. A bug in the code of Cloudflare, a provider of content delivery networks, Internet security services, and distributed domain name services, appears to have leaked encrypted, private data from some of the company’s 4 million clients.

According to security researcher Tavis Ormandy, “private messages from well-known services, [personally identifiable information] from major sites that use Cloudflare, and even plain text application program interface requests from a popular password manager” were included in website code generated by Cloudflare’s ScrapeShield feature.

Intelligent and Vulnerable Buildings

There is no reason to believe the bug in Cloudflare will present a vulnerability to any intelligent building. Cloudflare is used for websites, not buildings. But this incident is a reminder of how easily data can leak onto the Internet, even with the best of intentions. An increasing amount of building data is being collected and stored using the Internet. Indeed, large datasets have the potential to improve energy and operational efficiencies. In Navigant Research’s Data Integration for Intelligent Buildings report, the market for the incorporation of data from commercial buildings to develop analytics platforms is forecast to grow by an order of magnitude over the next decade.

With more gateways necessary for data collection, more points are available for cyber attacks to occur. Attackers seeking entry into corporate networks look for the path of least resistance. This could be an unpatched or improperly configured gateway for a building management system. But perhaps the more pervasive threat, as demonstrated by the Cloudflare vulnerability, is that data stored anywhere could be leaked. The very reasons why building data promises better business operations can turn sinister in the wrong hands.

Retailers, for instance, can analyze occupancy data to create consumer heat maps to optimize store layout. But that same data could be used to estimate financial performance based on customer footfall; this non-public information could be used to boost a trader’s position on the retailer’s stock. Moreover, the same occupancy tracking could be used to facilitate theft, stalking, or even terrorism in a variety of commercial facilities, including offices, healthcare, or education buildings. Despite these potential risks and the inherent difficulty in keeping data secret, the improved energy and operational efficiencies created by better connected buildings promise to change commercial buildings for the better.

 

The Sensors Are Coming

— March 9, 2017

Data is the key to transforming regular facilities into intelligent buildings. The key to collecting that data is the proliferation of connected sensors. Buildings that gather and analyze information on occupancy, CO2 levels, light levels, humidity, and temperature are able to operate more effectively. As the Internet of Things gains adoption in the broader business world, building sensors are increasingly being connected to the Internet to drive energy efficiency improvements with substantial cost savings. Navigant Research puts the current size of the advanced sensor market at $1.2 billion in 2016 and expects that figure to nearly triple over the next decade.

As data collection has evolved from monitoring building conditions to being able to monitor individual behavior, some of those individuals are beginning to get creeped out. A recent Marketplace article explores some of the sensor technologies gaining adoption in commercial offices and comes away wholly uncomfortable at the level of data employers can collect.

Hanlon’s Razor

In all likelihood, these fears are irrational and overblown. Gathering, processing, and analyzing data remains a significant challenge in building operations, particularly for existing facilities. Most building owners simply do not have the bandwidth and technological sophistication to use that data for nefarious purposes. It will likely take several years for building technology to evolve to the point where privacy is a rational concern. However, it is an important conversation to have now.

The promise of increased efficiency from better data and concerns about privacy are two sides of the same coin. The information that helps facilities operate well can be used to determine how much time an employee spends at their desk. As technology is developed and adopted, occupants need to be a part of the decision-making process. Building technology providers will ultimately need to ensure both physical comfort and emotional comfort around privacy protections.

 

Safer, Stronger, and Brighter Streets through Lighting Controls

— October 6, 2016

What impact do street lights have on a city’s populace? According to Washington, DC Mayor Muriel Bowser, street lights make the city’s streets “safer, stronger, and brighter.” This is the justification being used for the launch of a new service that allows residents of the district to report street light outages via text message. The challenge with city street lights is that they have a greater impact on how citizens feel than on more quantifiable measures.

The conventional wisdom says that brightly lit streets reduce crime and traffic collisions. Yet, a 2015 study published by the Journal of Epidemiology and Community Health found little evidence of harmful effects of reduced levels of street lighting on road collisions or crime in England and Wales. Researchers analyzed 14 years of data from 62 local authorities that implemented strategies such as switching lights off permanently, reducing the number of hours that lamps are switched on at night, dimming lights, and replacing traditional orange lamps with energy efficient white light LED lamps. Empirically, permanently switching off lights did not lead to an increase in crime or car crashes.

But it is too simplistic to conclude that better street lighting has no impact on a community. Another study, this one published in Safety Science, found that well-lit streets make pedestrians feel safer. Politicians, the ones who often shape street lighting decisions, get elected by what the electorate feels to be true, not what actually is true. Moreover, advanced control of street lights can reduce energy and save money.

Where DC Gets It Wrong

Washington, DC’s street light outage monitoring plan relies on residents reporting which of the city’s 70,000 street lights are out. At one point, crowdsourcing a problem like this was innovative; the ubiquity of smartphones and other connected devices only recently permitted such engagement. But, as noted in Navigant Research’s Outdoor Lighting Systems report, adding controls and communication networks to street lights enables municipalities to reduce energy consumption and make monitoring and management more efficient.

The City of Oslo, Norway faced the same challenge in 2010 (back when crowdsourcing was still a thing). The city relied on reports from residents to identify street light failures for its 55,000 street lights. Oslo wanted to make repair crews more efficient and also be able to reduce light levels as needed. In response, the city connected its street lighting into a single remotely accessible network that allows monitoring and control of light levels through Internet-based applications. The move reduced energy use by 62% while also reducing lamp downtime.

 

Cybersecurity and Intelligent Buildings

— September 12, 2016

For several years, information technology (IT) and operational technology (OT) have been converging. In commercial buildings, building automation systems (BASs) are trending toward more IT integration as building owners and facility managers see the value the technology creates. However, this increasing connection and interconnection of building systems also exposes them to malicious attacks from cybercriminals.

There have been a number of high-profile cybersecurity attacks recently, from Anthem to Sony to Target. The FBI now ranks cybercrime as one of its top law enforcement activities. Most of these attacks have focused on stealing credit card numbers, social security numbers, and other forms of personal information. But it’s important to remember that these types of attacks are not the extent of the damage that could be done. The Stuxnet worm was designed to attack programmable logic controllers and was discovered in 2010 after it had ruined almost one-fifth of Iran’s nuclear reactors. In some ways, this attack served as a proof of concept of attacks that could target building systems.

Building Vulnerabilities

Cyber attacks on computer networks are a ubiquitous and constant threat, costing victims hundreds of billions of dollars in damages each year. Organized crime groups, disgruntled employees, adversarial nation states, and even hobbyists are constantly scanning systems to identify entrances into networks. Poorly designed and maintained BAS networks can serve as access points for attacks.

Should companies really worry about the impact of a breached BAS network? It seems like the worst that a hacker could do is turn off the lights. Of course, in critical facilities (such as hospitals and data centers), disruption in building conditions can have direct operational impacts. But the threat is greater than that. A cybersecurity breach launched through a building management system (BMS) or BAS can also compromise the integrity and security of corporate networks that are operating within the building.

In 2012, security researchers Billy Rios and Terry McCorkle identified a vulnerability in the Tridium Niagara AX Framework that would allow such an attack. The team found that a directory traversal attack was possible, which allows access to restricted directories and the ability to execute commands outside of the web server’s root directory by downloading and decrypting the file containing user credentials from the server.

In 2013, these two security researchers were able to bypass the restrictions of the BMS at Google’s Wharf 7 office in Sydney, Australia using the vulnerabilities in the Tridium Niagara AX platform. By this point Tridium had issued security patches to eliminate such vulnerabilities, but the patches were never installed in this facility. Facilities managers are accustomed to operating with equipment lifespans that reach as long as 20 years. Constantly identifying and updating building system software is a fundamental shift in thinking—and one that a sophisticated tech giant like Google apparently could not manage.

Making Buildings More Secure

Building networks were never created with security in mind, and the sophistication of hacking is evolving at an incredible pace. Traditionally, breaches of security followed a flow of infiltration to aggregation to exfiltration. However, attacks are now rarely restricted to a single system and are designed to propagate after infiltration. Moreover, the threat isn’t just technological—it also includes social engineering by obtaining account information through spying or misrepresentation.

The IT industry has established protocols for monitoring and protecting computers and IT networks against these attacks. These protocols are well understood, as are the responsibilities that each IT stakeholder has to adequately defend a network. But these are new concepts in building systems, and there is a lack of clarity among most stakeholders. IT departments may expect facilities departments to manage cybersecurity threats to building systems, or vice versa. Alternatively, both groups may expect the solution vendor to provide a security solution out of the box.

The cybersecurity threat is beginning to change attitudes and has created interesting challenges in the commercial building controls market. Awareness and education of building owners and operators remain a persistent challenge. Some are completely unaware of the potential damage a cyber attack on building systems can cause their business. However, even building owners and operators who are aware of and concerned about the vulnerabilities of their building systems are often unaware of what to do about the threat. Relatively few facilities have robust defense strategies in place.

Join Benjamin Freas at the Navigant Research webinar The IoT Transformation of Buildings on Tuesday, September 13 at 2 p.m. ET to learn more about cybersecurity risks in the building controls market.

 
