SecurityMatters is now part of Forescout


published on February 19, 2019

BAS Research Report: The Current State of Smart Building Cybersecurity

The buildings that we live and work in are getting smarter and more connected. As we speak, scenes we have only watched in sci-fi movies are becoming a reality, beginning with our homes and offices transforming into “smart buildings”. Only a few years ago, buildings offered very basic services. They had a central building management system (BMS) and one or two sub-systems, isolated from each other, typically used to control heating and air conditioning, the elevator or lighting systems. The control implemented by the BMS consisted simply of switching the right equipment on or off at the right time of the day or year.

Yesterday’s BAS, Consisting of a Few Interconnected Systems in a Single Building 

This situation is rapidly changing. Driven by the demand to reduce energy consumption and make buildings self-sustainable and more comfortable, a wide range of new systems are entering the smart building ecosystem. We now have badges to access specific areas of a building, solar panels to produce electricity and smart meters to lower energy bills. A staggering number of new applications and services are enabled by the integration and communication of these systems. BMS are now called iBMS, with the ‘i’ standing for integration, and the buildings are called “smart” because of the complex functions they can support.

It’s easy to think that smart buildings are just another incarnation of industrial control systems (ICS) and that their security should be handled with traditional OT/ICS security methods. This is a misunderstanding for several reasons: (a) smart buildings are much more “open” and interconnected than ICS, and (b) while Internet of Things (IoT) devices will likely not get through the perimeter of ICS, they will certainly enter (and likely reshape) the building automation industry. The new generation of smart buildings will most likely not replace existing legacy systems, but rather enhance them with new technologies. This means that we will witness the integration of old operational technology (OT) systems with the latest information technology (IT) devices, including IoT.

Unfortunately, this evolution does not come without risks. The threat surface is large and the consequences of a security breach can be significant. In the past few years, there have been many cases of cyberattacks on smart buildings. In 2016, for example, people were locked out of their rooms at a hotel in Austria until a ransom was paid, and in Finland, a DDoS attack targeting the heating system left residents of two apartment buildings in the cold. The consequences of these attacks could become increasingly dangerous and costly if…


