Why Hackers Love Smart Buildings
When all of a building’s systems are online, the cybersecurity risks become much greater.
When all of a building’s systems are online, the cybersecurity risks become much greater.
Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks.
In recent years, building managers increasingly have relied on internet connections and computer networks to manage pretty much any part of a building you can think of—including elevators and escalators; ventilation, heating and air conditioning systems; office machines like printers and conference-room audiovisual equipment; security and fire-safety systems; and appliances like refrigerators and coffee makers.
These smart technologies can make buildings more efficient and monitor maintenance and repair needs, allowing building operators to address problems proactively, rather than fixing malfunctions as they occur. During the pandemic, they have made it easier to monitor airflow and people’s movements within buildings.
Smart buildings “satisfy a lot of things that we’re trying to do in real estate,” says Jason Lund, a managing director at commercial real-estate services company Jones Lang LaSalle. He says, among other things, it allows building managers to create more-sustainable and greener buildings, deal with Covid risks more effectively, and maximize space more efficiently.
“All of those things being managed technologically is a good thing,” Mr. Lund says. “The backside of it is that all of them become hackable.”
The problem isn’t just that hackers can gain access to any one building-management system. The real danger is if they are able to gain access to a single system—say, lighting—and then find their way from there into many or all of the building’s other systems, whether those systems are linked to a common network or not.
“They can control lights, they can control air flow, they can control the elevators—anything that you can think that a building does can be exposed,” says Fred Gordy, director of cybersecurity at Intelligent Buildings, a smart-building consulting and advisory firm. “We had a particular case where it was a hospital group” whose systems were attacked for a ransom, he says, “and they were unable to do anything with the systems, so they had to cancel surgeries [and] send people away.”
Mr. Gordy says the number of ransomware attacks on the firm’s clients grew 600% in 2020. In 2019, he says, “our customers that were attacked represented 100 million square feet in commercial real estate. In 2020, our customers that were attacked represented 1.8 billion square feet of commercial real estate.”
What’s more, hackers who infiltrate building-management systems might also be able to work their way into a company’s corporate communications and databases, where they can loot the company’s proprietary information or hold it for ransom.
So how does all this happen? One way hackers commonly gain initial access is to steal the login credentials—or obtain the stolen credentials from a third party—that a vendor uses to upload invoices to the building manager’s billing system, says Mr. Lund.
Once they’ve gained access to a billing system, or gotten into the building manager’s computer system through any other internet-connected point, hackers have many ways of broadening their access. One of the most common is to use whatever information they have found to create convincing phishing emails that prompt employees or other vendors to reveal login and password information for other systems.
One way to cut down on that risk is to link all the various building services to a single network that can be monitored and controlled by cybersecurity experts, says Adam Stark, senior technology consultant for smart buildings and smart workplaces at JLL.. But that network—and everything on it—remains vulnerable if it isn’t sufficiently protected.
Hackers can move around a network like this by taking advantage of weak safeguards in place for the various systems and devices connected to the network, says Ron Cirillo, vice president of cybersecurity and service excellence at Oxford Properties Group.
“There’s a lot of very lazy work that went into designing authentication methods and identity-management methods” at many buildings, he says, citing weak passwords as one example, particularly for what might be considered relatively unimportant devices whose vulnerability to hackers might be overlooked.
“It has been my experience that operators do not tend to think of these smart devices—your coffee maker, for example—in the same way that they would think of a server or desktop computer,” Mr. Cirillo says. “As such, they will often neglect to change a factory default password, or if they do change it, they will often assign poor passwords and/or assign all devices the same password to keep it simple.”
Systems that are clearly essential also often aren’t well protected, he says, and so are easy prey for a hacker who has broken into a network. For instance, a hacker using the guest Wi-Fi in a shopping mall could find a building-management system on the same network, and “if that building-management system is using a factory default password, you could Google the password and you could sit in a mall food court and take over the air conditioning or the lighting,” he says.
Cybersecurity experts cite what they call network segmentation as crucial to keeping hackers from running amok once they’ve gained access to a computer network. Segmentation simply means building barriers into a network so that someone who has access to one system can’t easily gain access to other systems on the network.
“We logically segment every system, so in other words that if you are the air-conditioning vendor you can log into the air conditioner using our privileged access-management system, but you’re not able to route to, say, the lighting system, or the overall building-management system,” says Mr. Cirillo.
“The challenge is that putting that kind of network segmentation in place requires hiring skilled network engineers, and it requires time and effort,” he says.
Requiring multifactor authentication for anyone to access any part of the network is another basic step that goes a long way toward thwarting attacks and keeping them from spreading, the experts say.
But, of course, even with the most conscientious controls in place, no system is invulnerable. A breach is always possible “because the human-being side of it is one of the hardest to monitor,” says Mr. Lund, pointing to the risks from phishing emails, stolen user credentials and uncancelled login access for departed employees.
Chris Dixon, a partner who led the charge, says he has a ‘very long-term horizon’
Americans now think they need at least $1.25 million for retirement, a 20% increase from a year ago, according to a survey by Northwestern Mutual
Competitive pressure and creativity have made Chinese-designed and -built electric cars formidable competitors
China rocked the auto world twice this year. First, its electric vehicles stunned Western rivals at the Shanghai auto show with their quality, features and price. Then came reports that in the first quarter of 2023 it dethroned Japan as the world’s largest auto exporter.
How is China in contention to lead the world’s most lucrative and prestigious consumer goods market, one long dominated by American, European, Japanese and South Korean nameplates? The answer is a unique combination of industrial policy, protectionism and homegrown competitive dynamism. Western policy makers and business leaders are better prepared for the first two than the third.
Start with industrial policy—the use of government resources to help favoured sectors. China has practiced industrial policy for decades. While it’s finding increased favour even in the U.S., the concept remains controversial. Governments have a poor record of identifying winning technologies and often end up subsidising inferior and wasteful capacity, including in China.
But in the case of EVs, Chinese industrial policy had a couple of things going for it. First, governments around the world saw climate change as an enduring threat that would require decade-long interventions to transition away from fossil fuels. China bet correctly that in transportation, the transition would favour electric vehicles.
In 2009, China started handing out generous subsidies to buyers of EVs. Public procurement of taxis and buses was targeted to electric vehicles, rechargers were subsidised, and provincial governments stumped up capital for lithium mining and refining for EV batteries. In 2020 NIO, at the time an aspiring challenger to Tesla, avoided bankruptcy thanks to a government-led bailout.
While industrial policy guaranteed a demand for EVs, protectionism ensured those EVs would be made in China, by Chinese companies. To qualify for subsidies, cars had to be domestically made, although foreign brands did qualify. They also had to have batteries made by Chinese companies, giving Chinese national champions like Contemporary Amperex Technology and BYD an advantage over then-market leaders from Japan and South Korea.
To sell in China, foreign automakers had to abide by conditions intended to upgrade the local industry’s skills. State-owned Guangzhou Automobile Group developed the manufacturing know-how necessary to become a player in EVs thanks to joint ventures with Toyota and Honda, said Gregor Sebastian, an analyst at Germany’s Mercator Institute for China Studies.
Despite all that government support, sales of EVs remained weak until 2019, when China let Tesla open a wholly owned factory in Shanghai. “It took this catalyst…to boost interest and increase the level of competitiveness of the local Chinese makers,” said Tu Le, managing director of Sino Auto Insights, a research service specialising in the Chinese auto industry.
Back in 2011 Pony Ma, the founder of Tencent, explained what set Chinese capitalism apart from its American counterpart. “In America, when you bring an idea to market you usually have several months before competition pops up, allowing you to capture significant market share,” he said, according to Fast Company, a technology magazine. “In China, you can have hundreds of competitors within the first hours of going live. Ideas are not important in China—execution is.”
Thanks to that competition and focus on execution, the EV industry went from a niche industrial-policy project to a sprawling ecosystem of predominantly private companies. Much of this happened below the Western radar while China was cut off from the world because of Covid-19 restrictions.
When Western auto executives flew in for April’s Shanghai auto show, “they saw a sea of green plates, a sea of Chinese brands,” said Le, referring to the green license plates assigned to clean-energy vehicles in China. “They hear the sounds of the door closing, sit inside and look at the quality of the materials, the fabric or the plastic on the console, that’s the other holy s— moment—they’ve caught up to us.”
Manufacturers of gasoline cars are product-oriented, whereas EV manufacturers, like tech companies, are user-oriented, Le said. Chinese EVs feature at least two, often three, display screens, one suitable for watching movies from the back seat, multiple lidars (laser-based sensors) for driver assistance, and even a microphone for karaoke (quickly copied by Tesla). Meanwhile, Chinese suppliers such as CATL have gone from laggard to leader.
Chinese dominance of EVs isn’t preordained. The low barriers to entry exploited by Chinese brands also open the door to future non-Chinese competitors. Nor does China’s success in EVs necessarily translate to other sectors where industrial policy matters less and creativity, privacy and deeply woven technological capability—such as software, cloud computing and semiconductors—matter more.
Still, the threat to Western auto market share posed by Chinese EVs is one for which Western policy makers have no obvious answer. “You can shut off your own market and to a certain extent that will shield production for your domestic needs,” said Sebastian. “The question really is, what are you going to do for the global south, countries that are still very happily trading with China?”
Western companies themselves are likely to respond by deepening their presence in China—not to sell cars, but for proximity to the most sophisticated customers and suppliers. Jörg Wuttke, the past president of the European Union Chamber of Commerce in China, calls China a “fitness centre.” Even as conditions there become steadily more difficult, Western multinationals “have to be there. It keeps you fit.”
Chris Dixon, a partner who led the charge, says he has a ‘very long-term horizon’
Americans now think they need at least $1.25 million for retirement, a 20% increase from a year ago, according to a survey by Northwestern Mutual