Why Hackers Love Smart Buildings
Kanebridge News


When all of a building’s systems are online, the cybersecurity risks become much greater.

By Suman Bhattacharyya
Fri, Sep 10, 2021 11:31am | 4 min

Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks.

In recent years, building managers increasingly have relied on internet connections and computer networks to manage pretty much any part of a building you can think of—including elevators and escalators; ventilation, heating and air conditioning systems; office machines like printers and conference-room audiovisual equipment; security and fire-safety systems; and appliances like refrigerators and coffee makers.

These smart technologies can make buildings more efficient and monitor maintenance and repair needs, allowing building operators to address problems proactively, rather than fixing malfunctions as they occur. During the pandemic, they have made it easier to monitor airflow and people’s movements within buildings.

Smart buildings “satisfy a lot of things that we’re trying to do in real estate,” says Jason Lund, a managing director at commercial real-estate services company Jones Lang LaSalle. He says, among other things, it allows building managers to create more-sustainable and greener buildings, deal with Covid risks more effectively, and maximize space more efficiently.

“All of those things being managed technologically is a good thing,” Mr. Lund says. “The backside of it is that all of them become hackable.”

The problem isn’t just that hackers can gain access to any one building-management system. The real danger is if they are able to gain access to a single system—say, lighting—and then find their way from there into many or all of the building’s other systems, whether those systems are linked to a common network or not.

“They can control lights, they can control air flow, they can control the elevators—anything that you can think that a building does can be exposed,” says Fred Gordy, director of cybersecurity at Intelligent Buildings, a smart-building consulting and advisory firm. “We had a particular case where it was a hospital group” whose systems were attacked for a ransom, he says, “and they were unable to do anything with the systems, so they had to cancel surgeries [and] send people away.”

Mr. Gordy says the number of ransomware attacks on the firm’s clients grew 600% in 2020. In 2019, he says, “our customers that were attacked represented 100 million square feet in commercial real estate. In 2020, our customers that were attacked represented 1.8 billion square feet of commercial real estate.”

What’s more, hackers who infiltrate building-management systems might also be able to work their way into a company’s corporate communications and databases, where they can loot the company’s proprietary information or hold it for ransom.

Getting in and around

So how does all this happen? One way hackers commonly gain initial access is to steal the login credentials—or obtain the stolen credentials from a third party—that a vendor uses to upload invoices to the building manager’s billing system, says Mr. Lund.

Once they’ve gained access to a billing system, or gotten into the building manager’s computer system through any other internet-connected point, hackers have many ways of broadening their access. One of the most common is to use whatever information they have found to create convincing phishing emails that prompt employees or other vendors to reveal login and password information for other systems.

One way to cut down on that risk is to link all the various building services to a single network that can be monitored and controlled by cybersecurity experts, says Adam Stark, senior technology consultant for smart buildings and smart workplaces at JLL. But that network—and everything on it—remains vulnerable if it isn’t sufficiently protected.

Hackers can move around a network like this by taking advantage of weak safeguards in place for the various systems and devices connected to the network, says Ron Cirillo, vice president of cybersecurity and service excellence at Oxford Properties Group.

“There’s a lot of very lazy work that went into designing authentication methods and identity-management methods” at many buildings, he says, citing weak passwords as one example, particularly for what might be considered relatively unimportant devices whose vulnerability to hackers might be overlooked.

“It has been my experience that operators do not tend to think of these smart devices—your coffee maker, for example—in the same way that they would think of a server or desktop computer,” Mr. Cirillo says. “As such, they will often neglect to change a factory default password, or if they do change it, they will often assign poor passwords and/or assign all devices the same password to keep it simple.”

Systems that are clearly essential also often aren’t well protected, he says, and so are easy prey for a hacker who has broken into a network. For instance, a hacker using the guest Wi-Fi in a shopping mall could find a building-management system on the same network, and “if that building-management system is using a factory default password, you could Google the password and you could sit in a mall food court and take over the air conditioning or the lighting,” he says.
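The three credential failures Mr. Cirillo describes (an unchanged factory default, a shared password across many devices, and a password too short to resist guessing) are all things a building operator can check against their own asset register before anyone else finds them. The following audit script is an added example and is not code from the article, JLL, Intelligent Buildings or Oxford Properties; the vendor names, models, default-credential table and the sample inventory are all constructed for illustration, and a real run would read the inventory from the operator's asset register or privileged-access vault.

```python
"""Audit a smart-building device inventory for the credential weaknesses
described in the article: unchanged factory defaults, one password shared
across many devices, and passwords too short to resist guessing.

Constructed example: vendors, models, default credentials and the sample
inventory below are placeholders, not real products or real defaults.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed table of factory-default credentials per (vendor, model).
# A real audit would load this from the vendor documentation the operator
# already holds for each device type.
KNOWN_DEFAULTS = {
    ("ExampleHVAC", "AHU-2"): {("admin", "admin")},
    ("ExampleLighting", "LC-10"): {("admin", "1234"), ("user", "user")},
    ("ExampleCoffee", "Pro-X"): {("admin", "0000")},
}

MIN_LENGTH = 12  # assumed policy minimum; adjust to the operator's standard


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    username: str
    password: str


def fingerprint(secret: str) -> str:
    """Short hash so password reuse can be reported without echoing the password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit(devices):
    """Return {device name: [finding, ...]} for every device with at least one finding."""
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)

    for d in devices:
        defaults = KNOWN_DEFAULTS.get((d.vendor, d.model), set())
        if (d.username, d.password) in defaults:
            findings[d.name].append("factory-default credential")
        if len(d.password) < MIN_LENGTH:
            findings[d.name].append(f"password shorter than {MIN_LENGTH}")
        by_fingerprint[fingerprint(d.password)].append(d.name)

    # Any fingerprint seen on more than one device means the same password
    # was "assigned to all devices to keep it simple".
    for fp, names in by_fingerprint.items():
        if len(names) > 1:
            for n in names:
                findings[n].append(
                    f"password shared with {len(names) - 1} other device(s) [fp {fp}]"
                )
    return dict(findings)


# Constructed inventory: one unchanged default, two devices sharing a
# password, and one device with a unique long secret.
SAMPLE_INVENTORY = [
    Device("ahu-2-floor3", "ExampleHVAC", "AHU-2", "admin", "admin"),
    Device("lc-10-lobby", "ExampleLighting", "LC-10", "admin", "Building2021!"),
    Device("coffee-breakroom", "ExampleCoffee", "Pro-X", "admin", "Building2021!"),
    Device("bms-core", "ExampleBMS", "X1", "svc-bms", "q7Vt-9pLm-2xRe-Wk4z-Hs8d"),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INVENTORY).items():
        print(name)
        for p in problems:
            print("  -", p)
```

The report names the device and the class of problem but only a truncated hash of the password, so it can be handed to a facilities team without becoming a credential list itself. The coffee maker is flagged here for the same reason the lighting controller is: reuse makes the least-protected device on the network the key to every other device that shares its password.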

Setting up barriers

Cybersecurity experts cite what they call network segmentation as crucial to keeping hackers from running amok once they’ve gained access to a computer network. Segmentation simply means building barriers into a network so that someone who has access to one system can’t easily gain access to other systems on the network.

“We logically segment every system, so in other words that if you are the air-conditioning vendor you can log into the air conditioner using our privileged access-management system, but you’re not able to route to, say, the lighting system, or the overall building-management system,” says Mr. Cirillo.

“The challenge is that putting that kind of network segmentation in place requires hiring skilled network engineers, and it requires time and effort,” he says.

Requiring multifactor authentication for anyone to access any part of the network is another basic step that goes a long way toward thwarting attacks and keeping them from spreading, the experts say.
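Mr. Cirillo's description of logical segmentation (the air-conditioning vendor reaches the air conditioner through the privileged-access system and nothing else) can be written down as an explicit allow-list and then checked against what the network actually carried. The script below is an added example, not code from the article or from any of the firms quoted; the zone address ranges, the policy rules, the protocol ports and the flow-log lines are constructed for illustration, and a real deployment would take the first three from the firewall configuration and the last from its flow export. It covers the segmentation and PAM-routing steps above but does not model the multifactor step, which lives in the PAM system's own session logs.

```python
"""Check sample network flows against a segmentation policy of the kind the
article describes: each vendor may reach only the system they service, and
only through the privileged-access (PAM) jump host; everything else is denied.

Constructed example: zone ranges, rules and flow lines are made up.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed addresses).
ZONES = {
    "vendor-vpn": ipaddress.ip_network("10.200.0.0/24"),
    "pam-jump": ipaddress.ip_network("10.10.5.0/28"),
    "hvac": ipaddress.ip_network("10.20.1.0/24"),
    "lighting": ipaddress.ip_network("10.20.2.0/24"),
    "bms-core": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.1.0.0/16"),
    "guest-wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Allow rules as (src_zone, dst_zone, proto, dport). Anything not listed is denied,
# so the vendor cannot route from the VPN straight to lighting or the BMS.
POLICY = {
    ("vendor-vpn", "pam-jump", "tcp", 443),  # vendor signs in to the PAM portal
    ("pam-jump", "hvac", "tcp", 502),        # PAM-brokered Modbus/TCP to the air handler
    ("pam-jump", "hvac", "tcp", 443),        # controller web UI, also via PAM
    ("bms-core", "hvac", "udp", 47808),      # BACnet/IP from the BMS to HVAC
    ("bms-core", "lighting", "udp", 47808),  # BACnet/IP from the BMS to lighting
    ("corp", "bms-core", "tcp", 443),        # operators reach the BMS front end
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format: '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def evaluate(flow: Flow):
    """Return (verdict, src_zone, dst_zone); cross-zone traffic is allowed only by an explicit rule."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return ("intra-zone", s, d)  # host-to-host inside one segment is out of scope here
    if (s, d, flow.proto, flow.dport) in POLICY:
        return ("allow", s, d)
    return ("deny", s, d)


def violations(lines):
    """Return one line per flow that the segmentation policy would not permit."""
    out = []
    for line in lines:
        f = parse_flow(line)
        verdict, s, d = evaluate(f)
        if verdict == "deny":
            out.append(f"{f.ts} {s}->{d} {f.proto}/{f.dport} ({f.src} -> {f.dst})")
    return out


# Constructed flow lines: a correct PAM-brokered vendor session, then three
# flows that a segmented network should not carry.
SAMPLE_FLOWS = [
    "2021-09-10T09:01:02 10.200.0.15 10.10.5.3 tcp 443",    # vendor -> PAM portal
    "2021-09-10T09:01:40 10.10.5.3 10.20.1.40 tcp 502",     # PAM -> air handler
    "2021-09-10T09:03:11 10.200.0.15 10.20.2.7 tcp 80",     # vendor straight to lighting
    "2021-09-10T09:05:27 10.20.1.40 10.20.0.10 tcp 445",    # HVAC host reaching for the BMS
    "2021-09-10T12:14:05 192.168.50.22 10.20.0.10 tcp 443", # guest Wi-Fi to the BMS
    "2021-09-10T12:20:00 10.1.3.9 10.20.0.10 tcp 443",      # operator workstation, permitted
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

Two of the flagged flows are the article's own scenarios: the guest Wi-Fi client reaching a building-management system, and a compromised system (here an HVAC controller) trying to route onward to the core BMS. Running the same rules against real flow export is a cheap way to find out whether the segmentation that was designed is the segmentation that is actually enforced.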

But, of course, even with the most conscientious controls in place, no system is invulnerable. A breach is always possible “because the human-being side of it is one of the hardest to monitor,” says Mr. Lund, pointing to the risks from phishing emails, stolen user credentials and uncancelled login access for departed employees.

Should AI Have Access to Your Medical Records? What if It Can Save Many Lives?

We asked readers: Is it worth giving up some potential privacy if the public benefit could be great? Here’s what they said.

Tue, May 28, 2024 4 min

We’re constantly told that one of the potentially biggest benefits of artificial intelligence is in the area of health. By collecting large amounts of data, AI can create all sorts of drugs for diseases that have been resistant to treatment.

But the price of that could be that we have to share more of our medical information. After all, researchers can’t collect large amounts of data if people aren’t willing to part with that data.

We wanted to see where our readers stand on the balance of privacy versus public-health gains as part of our series on ethical dilemmas created by the advent of AI.

Here are the questions we posed…

AI may be able to discover new medical treatments if it can scan large volumes of health records. Should our personal health records be made available for this purpose, if it has the potential to improve or save millions of lives? How would we guard privacy in that case?

…and some of the answers we received.

Rely on nonpartisan overseers

While my own recent experience with a data breach highlights the importance of robust data security, I recognise the potential for AI to revolutionise healthcare. To ensure privacy, I would be more comfortable if an independent, nonpartisan body—overseen by medical professionals, data-security experts, and citizen representatives—managed a secure database.

Anonymity cuts both ways

Yes. Simply sanitise the health records of any identifying information, which is quite doable. Although there is an argument to be made that AI may discover something that an individual needs or wants to know.

Executive-level oversight

I think we can make AI scanning of health records available with strict privacy controls. Create an AI-CEO position at medical facilities with extreme vetting of that individual before hiring them.

Well worth it

This actually sounds like a very GOOD use of AI. There are several methods for anonymising data which would allow for studies over massive cross-sections of the population without compromising individuals’ privacy. The AI would just be doing the same things meta-studies do now, only faster and maybe better.

Human touch

My concern is that the next generations of doctors will rely more heavily, maybe exclusively, on AI and lose the ability or even the desire to respect the art of medicine which demands one-on-one interaction with a patient for discussion and examination (already a dying skill).


People should be able to sign over rights to their complete “anonymised” health record upon death just as they can sign over rights to their organs. Waiting for death for such access does temporarily slow down the pace of such research, but ultimately will make the research better. Data sets will be more complete, too. Before signing over such rights, however, a person would have to be fully informed on how their relatives’ privacy may also be affected.

Pay me or make it free for all

As long as this is open-source and free, they can use my records. I have a problem with people using my data to make a profit without compensation.

Privacy above all

As a free society, we value freedoms and privacy, often over greater utilitarian benefits that could come. AI does not get any greater right to infringe on that liberty than anything else does.

Opt-in only

You should be able to opt in and choose a plan that protects your privacy.

Privacy doesn’t exist anyway

If it is decided to extend human lives indefinitely, then by all means, scan all health records. As for privacy, there is no such thing. All databases, once established, will eventually, if not immediately, be accessed or hacked by both the good and bad guys.

The data’s already out there

I think it should be made available. We already sign our rights for information over to large insurance companies. Making health records in the aggregate available for helping AI spot potential ways to improve medical care makes sense to me.

Overarching benefit

Of course they should be made available. Privacy is no serious concern when the benefits are so huge for so many.

Compensation for breakthroughs

We should be given the choice to release our records and compensated if our particular genome creates a pathway to treatment and medications.

Too risky

I like the idea of improving healthcare by accessing health records. However, as great as that potential is, the risks outweigh it. Access to the information would not be controlled. Too many would see personal opportunity in it for personal gain.

Nothing personal

The personal info should never be available to anyone who is not specifically authorised by the patient to have it. Medical information can be used to deny people employment or licenses!

No guarantee, but go ahead

This should be allowed on an anonymous basis, without question. But how to provide that anonymity?

Anonymously isolating the information is probably easy, but that information probably contains enough information to identify you if someone had access to the data and was strongly motivated. So the answer lies in restricting access to the raw data to trusted individuals.

Take my records, please

As a person with multiple medical conditions taking 28 medications a day, I highly endorse the use of my records. It is an area where I have found AI particularly valuable. With no medical educational background, I find it very helpful when AI describes in layman’s terms both my conditions and medications. In one instance, while interpreting a CT scan, AI noted a growth on my kidney that looked suspiciously like cancer and had not been disclosed to me by any of the four doctors examining the chart.
