Why Hackers Love Smart Buildings
When all of a building’s systems are online, the cybersecurity risks become much greater.
4 min
Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks.
In recent years, building managers increasingly have relied on internet connections and computer networks to manage pretty much any part of a building you can think of—including elevators and escalators; ventilation, heating and air conditioning systems; office machines like printers and conference-room audiovisual equipment; security and fire-safety systems; and appliances like refrigerators and coffee makers.
These smart technologies can make buildings more efficient and monitor maintenance and repair needs, allowing building operators to address problems proactively, rather than fixing malfunctions as they occur. During the pandemic, they have made it easier to monitor airflow and people’s movements within buildings.
Smart buildings “satisfy a lot of things that we’re trying to do in real estate,” says Jason Lund, a managing director at commercial real-estate services company Jones Lang LaSalle. He says, among other things, it allows building managers to create more-sustainable and greener buildings, deal with Covid risks more effectively, and maximize space more efficiently.
“All of those things being managed technologically is a good thing,” Mr. Lund says. “The backside of it is that all of them become hackable.”
The problem isn’t just that hackers can gain access to any one building-management system. The real danger is if they are able to gain access to a single system—say, lighting—and then find their way from there into many or all of the building’s other systems, whether those systems are linked to a common network or not.
“They can control lights, they can control air flow, they can control the elevators—anything that you can think that a building does can be exposed,” says Fred Gordy, director of cybersecurity at Intelligent Buildings, a smart-building consulting and advisory firm. “We had a particular case where it was a hospital group” whose systems were attacked for a ransom, he says, “and they were unable to do anything with the systems, so they had to cancel surgeries [and] send people away.”
Mr. Gordy says the number of ransomware attacks on the firm’s clients grew 600% in 2020. In 2019, he says, “our customers that were attacked represented 100 million square feet in commercial real estate. In 2020, our customers that were attacked represented 1.8 billion square feet of commercial real estate.”
What’s more, hackers who infiltrate building-management systems might also be able to work their way into a company’s corporate communications and databases, where they can loot the company’s proprietary information or hold it for ransom.
Getting in and around
So how does all this happen? One way hackers commonly gain initial access is to steal the login credentials—or obtain the stolen credentials from a third party—that a vendor uses to upload invoices to the building manager’s billing system, says Mr. Lund.
Once they’ve gained access to a billing system, or gotten into the building manager’s computer system through any other internet-connected point, hackers have many ways of broadening their access. One of the most common is to use whatever information they have found to create convincing phishing emails that prompt employees or other vendors to reveal login and password information for other systems.
One way to cut down on that risk is to link all the various building services to a single network that can be monitored and controlled by cybersecurity experts, says Adam Stark, senior technology consultant for smart buildings and smart workplaces at JLL.. But that network—and everything on it—remains vulnerable if it isn’t sufficiently protected.
Hackers can move around a network like this by taking advantage of weak safeguards in place for the various systems and devices connected to the network, says Ron Cirillo, vice president of cybersecurity and service excellence at Oxford Properties Group.
“There’s a lot of very lazy work that went into designing authentication methods and identity-management methods” at many buildings, he says, citing weak passwords as one example, particularly for what might be considered relatively unimportant devices whose vulnerability to hackers might be overlooked.
“It has been my experience that operators do not tend to think of these smart devices—your coffee maker, for example—in the same way that they would think of a server or desktop computer,” Mr. Cirillo says. “As such, they will often neglect to change a factory default password, or if they do change it, they will often assign poor passwords and/or assign all devices the same password to keep it simple.”
Systems that are clearly essential also often aren’t well protected, he says, and so are easy prey for a hacker who has broken into a network. For instance, a hacker using the guest Wi-Fi in a shopping mall could find a building-management system on the same network, and “if that building-management system is using a factory default password, you could Google the password and you could sit in a mall food court and take over the air conditioning or the lighting,” he says.
Setting up barriers
Cybersecurity experts cite what they call network segmentation as crucial to keeping hackers from running amok once they’ve gained access to a computer network. Segmentation simply means building barriers into a network so that someone who has access to one system can’t easily gain access to other systems on the network.
“We logically segment every system, so in other words that if you are the air-conditioning vendor you can log into the air conditioner using our privileged access-management system, but you’re not able to route to, say, the lighting system, or the overall building-management system,” says Mr. Cirillo.
“The challenge is that putting that kind of network segmentation in place requires hiring skilled network engineers, and it requires time and effort,” he says.
Requiring multifactor authentication for anyone to access any part of the network is another basic step that goes a long way toward thwarting attacks and keeping them from spreading, the experts say.
But, of course, even with the most conscientious controls in place, no system is invulnerable. A breach is always possible “because the human-being side of it is one of the hardest to monitor,” says Mr. Lund, pointing to the risks from phishing emails, stolen user credentials and uncancelled login access for departed employees.
Copyright 2020, Dow Jones & Company, Inc. All Rights Reserved Worldwide. LEARN MORE
This stylish family home combines a classic palette and finishes with a flexible floorplan
Just 55 minutes from Sydney, make this your creative getaway located in the majestic Hawkesbury region.
4 min
As Paris makes its final preparations for the Olympic games, its residents are busy with their own—packing their suitcases, confirming their reservations, and getting out of town.
Worried about the hordes of crowds and overall chaos the Olympics could bring, Parisians are fleeing the city in droves and inundating resort cities around the country. Hotels and holiday rentals in some of France’s most popular vacation destinations—from the French Riviera in the south to the beaches of Normandy in the north—say they are expecting massive crowds this year in advance of the Olympics. The games will run from July 26-Aug. 1.
“It’s already a major holiday season for us, and beyond that, we have the Olympics,” says Stéphane Personeni, general manager of the Lily of the Valley hotel in Saint Tropez. “People began booking early this year.”
Personeni’s hotel typically has no issues filling its rooms each summer—by May of each year, the luxury hotel typically finds itself completely booked out for the months of July and August. But this year, the 53-room hotel began filling up for summer reservations in February.
“We told our regular guests that everything—hotels, apartments, villas—are going to be hard to find this summer,” Personeni says. His neighbours around Saint Tropez say they’re similarly booked up.
As of March, the online marketplace Gens de Confiance (“Trusted People”), saw a 50% increase in reservations from Parisians seeking vacation rentals outside the capital during the Olympics.
Already, August is a popular vacation time for the French. With a minimum of five weeks of vacation mandated by law, many decide to take the entire month off, renting out villas in beachside destinations for longer periods.
But beyond the typical August travel, the Olympics are having a real impact, says Bertille Marchal, a spokesperson for Gens de Confiance.
“We’ve seen nearly three times more reservations for the dates of the Olympics than the following two weeks,” Marchal says. “The increase is definitely linked to the Olympic Games.”
Getty Images
According to the site, the most sought-out vacation destinations are Morbihan and Loire-Atlantique, a seaside region in the northwest; le Var, a coastal area within the southeast of France along the Côte d’Azur; and the island of Corsica in the Mediterranean.
Meanwhile, the Olympics haven’t necessarily been a boon to foreign tourism in the country. Many tourists who might have otherwise come to France are avoiding it this year in favour of other European capitals. In Paris, demand for stays at high-end hotels has collapsed, with bookings down 50% in July compared to last year, according to UMIH Prestige, which represents hotels charging at least €800 ($865) a night for rooms.
Earlier this year, high-end restaurants and concierges said the Olympics might even be an opportunity to score a hard-get-seat at the city’s fine dining.
In the Occitanie region in southwest France, the overall number of reservations this summer hasn’t changed much from last year, says Vincent Gare, president of the regional tourism committee there.
“But looking further at the numbers, we do see an increase in the clientele coming from the Paris region,” Gare told Le Figaro, noting that the increase in reservations has fallen directly on the dates of the Olympic games.
Michel Barré, a retiree living in Paris’s Le Marais neighbourhood, is one of those opting for the beach rather than the opening ceremony. In January, he booked a stay in Normandy for two weeks.
“Even though it’s a major European capital, Paris is still a small city—it’s a massive effort to host all of these events,” Barré says. “The Olympics are going to be a mess.”
More than anything, he just wants some calm after an event-filled summer in Paris, which just before the Olympics experienced the drama of a snap election called by Macron.
“It’s been a hectic summer here,” he says.
AFP via Getty Images
Parisians—Barré included—feel that the city, by over-catering to its tourists, is driving out many residents.
Parts of the Seine—usually one of the most popular summertime hangout spots —have been closed off for weeks as the city installs bleachers and Olympics signage. In certain neighbourhoods, residents will need to scan a QR code with police to access their own apartments. And from the Olympics to Sept. 8, Paris is nearly doubling the price of transit tickets from €2.15 to €4 per ride.
The city’s clear willingness to capitalise on its tourists has motivated some residents to do the same. In March, the number of active Airbnb listings in Paris reached an all-time high as hosts rushed to list their apartments. Listings grew 40% from the same time last year, according to the company.
With their regular clients taking off, Parisian restaurants and merchants are complaining that business is down.
“Are there any Parisians left in Paris?” Alaine Fontaine, president of the restaurant industry association, told the radio station Franceinfo on Sunday. “For the last three weeks, there haven’t been any here.”
Still, for all the talk of those leaving, there are plenty who have decided to stick around.
Jay Swanson, an American expat and YouTuber, can’t imagine leaving during the Olympics—he secured his tickets to see ping pong and volleyball last year. He’s also less concerned about the crowds and road closures than others, having just put together a series of videos explaining how to navigate Paris during the games.
“It’s been 100 years since the Games came to Paris; when else will we get a chance to host the world like this?” Swanson says. “So many Parisians are leaving and tourism is down, so not only will it be quiet but the only people left will be here for a party.”
This stylish family home combines a classic palette and finishes with a flexible floorplan
Just 55 minutes from Sydney, make this your creative getaway located in the majestic Hawkesbury region.
