In an Internet of things (IoT) world, smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.
The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid.
[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
The threat that such systems pose is two-fold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and pose safety risks.
Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.
The massive data theft at Target for instance, started with someone finding a way into the company's network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In Target's case, the breach appears to have happened because the company did not properly segmelol! nt its data network.
Such issues could become more common as buildings and management systems become increasingly intelligent and interconnected, said Hugh Boyes, cybersecurity lead at the U.K.'s Institution of Engineering and Technology.
"It creates some interesting challenges for enterprise IT," Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control."
As one example, Boyes pointed to the growing use of IP-enabled closed-circuit security cameras at many buildings. In some cases, the cameras might be used instead of a motion sensor to detect whether someone is in a room, and whether to keep the lights or heat turned on.
In such a situation, the camera, the lighting and the heating systems would all need to be integrated. Each of the systems could also have web connectivity linking them with an external third party for maintenance and support purposes. "You quickly get into a situation where a network that was just inside the building goes to locations outside the building," Boyes said.
It's not only heating, lighting and security systems that are integrated in this manner. An elevator manufacturer might stick smart sensors on all the elevators in a building to detect and spot a failure before it happens. Or, a building manager might have technology in place to monitor and conserve water use in a facility.
Many of these technologies will have a path out of the building and over an IP network to a third party supplier or service provider, Boyes said. Often the data from these systems are captured not only for real-time decision support but also for longer-term data analytics.