Vulnerability in building management systems shines light on cybersecurity for smart cities

ELP_SmartCityCyberattack
Sponsored by

By Michael Rothschild, Contributor

The Department of Homeland Security (DHS) recently issued a security advisory regarding a vulnerability in a popular smart building automation system used to control air conditioning, heating, door locks, etc. through a web interface. If exploited, this vulnerability would allow an attacker to gain full access to the system and disrupt building operations. 

In many ways this threat to Building Management System (BMS) software illustrates the security risks associated with Smart City technologies, all of which are connected to and reachable via the internet. 

Cyberattacks on critical infrastructure are becoming increasingly common place. In fact, the New York Times recently reported that the US is stepping up online attacks against Russia's Power Grid. The adversaries in this new battleground include nation states, terrorists and cyber criminals. Fortunately, many of the same controls that help mitigate negligence, malicious insiders and employee mistakes – can also address external threats from hackers and saboteurs. 

While Smart City technologies can yield huge benefits when it comes to streamlining processes and reducing operating costs, they can be equally detrimental if security is not considered as part of their deployment and management. 

Consider the following examples of threats posed by external attacks on Smart City technologies:

  • Disabling physical security and monitoring systems would allow anyone access to otherwise secure buildings, public works facilities, and utility infrastructure without the police being notified of the breach
  • Modifying or tampering with HVAC can cause temperature sensitive physical processes and infrastructures to fail (e.g. datacenters).
  • Making changes to traffic control systems can create chaos in cities
  • Changing water pressure levels can render fire extinguisher and abatement systems inoperable or flood buildings to destroy property 
  • Disabling elevator systems can threaten the safety of occupants in large real estate complexes

In the DHS advisory, the authors cautioned that an attacker could gain “full system access” to the BMS through an “undocumented backdoor script.” This would allow an attacker to run commands on a vulnerable device with the highest privileges. The advisory also noted that the vulnerability required a “low level” of skill to remotely exploit and could make it possible to “shut down a building with one click.” Extending this attack scenario to Smart City systems would result in impacts on a much larger and damaging scale.

 This development underscores the importance of having robust industrial security controls which can monitor for threats at the network and device level. This has long been the security posture for IT-based systems, yet the same approach has lagged in critical infrastructure, utilities, and new digital building management and Smart City technologies.  

Digital transformation is taking hold in every industry, including electricity generation and distribution. One of the byproducts of Smart Grids, Smart Buildings and Smart Cities is the convergence of two once separate environments -- IT and operational technology (OT) networks. Since IT tools don’t speak OT, and vice versa, identifying threats that originate in either environment and move laterally between the two, requires greater security integration, collaboration and intelligence sharing. 

Protecting Smart Cities from security threats that can result in massive disruption of operations, physical damage or worse, requires closer cooperation between OT and IT to achieve the requisite levels of visibility, security and control across both infrastructures. Unless we bake cybersecurity into the control fabric for Smart Cities, the likelihood of an incident taking a major metropolitan center offline remains a distinct possibility.


A person wearing a suit and tie

Description automatically generated

Michael Rothschild is director of product management for industrial security vendor Indegy. He has more than 20 years of experience in IT security with Thales, RSA, SafeNet (now Gemalto), Dell, Juniper Networks and Radware. In his spare time, Michael volunteers as an Emergency Medical Technician.

Sponsored by

Get All the Electric Light & Power and POWERGRID International to Your Inbox

Subscribe to Electric Light & Power or POWERGRID International and the email newsletter today at no cost and receive the latest news and information.

Related Articles

Tesla Motors restarts solar-panel business with rental plans

08/20/2019

The company will allow residents of six states to rent solar-power systems starting at $50 a month — or $65 a month in Cal...

ABB and Hitachi respond to Japan’s digitization needs

08/15/2019

ABB and Hitachi have announced a collaboration to advance Japan’s electricity balancing market system, allowing for market...

Next-Gen Grid Architecture: A grid coordination primer

08/13/2019 Grid coordination is the operational alignment of assets to provide electricity delivery. Although the grid has always rel...

Senators look to help rural businesses be energy efficient

08/12/2019

Independent Sen. Angus King and Republican Sen. Susan Collins say the move would benefit businesses in rural states such a...