Smart buildings merit smarter security

Architects and city planners first began promoting the concept of Smart Buildings, or Building Automation Systems (BAS), around ten years ago. Smart buildings were meant to deliver untold benefits, from energy efficiencies and greener lifestyles to cost savings and improved living standards for all. Early examples of IP-connected appliances, however, were not built to cope with the demands of an evolving threat landscape.

As we enter the Internet of Things (IoT) era, there is an understandable desire to connect more and more devices together despite their lack of in-built security. To counter these risks, there are a number of security measures property companies can adopt, including the greater use of virtual private networks (VPNs).

Although it has been technically possible to construct smart buildings for quite some time, the relatively high costs often prevented property developers from installing high-speed data cabling in building renovation or new construction projects. The extra expense invariably didn’t add up, especially when the available choice of IP-enabled devices was severely limited. Instead, the vast majority of buildings continued to run their lighting, heating, cooling and security systems along conventional lines. To save money, Ethernet capability would be introduced by extending it across traditional copper 2-wire networks.

First-generation smart devices such as thermostats or automated machinery may have had an element of intelligence embedded inside, but really they weren’t that smart. For example, once fitted they were not designed to be updated easily. When a security bug was discovered, the standard practice was to replace the whole unit. But this was costly, so more often than not the guiding principle was ‘if it ain’t broke don’t fix it.’

For this reason many early devices are still in place today. They were designed for networks that are completely self-contained, so the management interface is very basic, with limited security. They are certainly not meant to withstand the types of attack most websites face on a day-to-day basis.

As vendors begin introducing new, more affordable Internet-connected devices into buildings, there is renewed optimism surrounding the future of smart buildings. With so many buildings connecting old and new smart devices together, it is perhaps inevitable that hackers will seek to exploit any weaknesses they can find. Thankfully, attacks to date have been rare: the last high-profile breach of this kind occurred at Target at the end of 2013, when hackers broke in via the retailer’s HVAC systems supplier. However, as the value of the data held by smart buildings rises, the risks will become more tangible.

The way connectivity has been implemented in many buildings appears not to have been considered by some device manufacturers. All access points are vulnerable, and without proper encryption it is relatively easy for hackers to break in and steal private data. For those designing smart buildings, the need to plug the gaps through judicious use of VPNs in data transmission networks, data processing and data aggregation connectivity has never been more pressing.

One advantage of VPNs is manageability. They enable building automation systems to be set up with a multitude of stations connecting to a central control server. Administrators can log into the central server to obtain real-time access to sensor data and remotely control various devices securely.

In many cases the vulnerabilities used to gain access to smart buildings can be prevented simply by device manufacturers paying more attention to secure engineering and software coding methods. Including improved controls for those who need access to the software, along with better encryption for passwords, at the design stage of Internet of Things (IoT) devices also helps avoid information leakage.

VPNs allow a building’s private network to be extended securely over the public Internet. A VPN enables a smart building’s devices to share data securely with any device on the Internet. VPNs are also flexible and may be readily customized to protect specific data exchange requirements.

There are several other steps that building automation management companies and manufacturers can take to improve security at a basic level:


  • Use application security scanning tools to spot software vulnerabilities before go-live
  • Apply IP address restrictions when connecting to building automation system devices over the Internet
  • Add controls like two-factor authentication and login anomaly detection at wireless access points and, where no controls are needed, disable remote administration features altogether
  • Scan network activity using security information and event management (SIEM) systems to identify suspicious activity on the network
  • Introduce strong network security rules on all devices — specifically, safer password practices such as never reusing or sharing passwords between devices
  • Keep device software up to date
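
As an added illustration (not part of the original article), the Python sketch below combines two items from the list, IP address restrictions and login anomaly detection, by scanning management-interface login records for sources outside the VPN address pool and for bursts of failed logins. The log format, device names, VPN pool `10.8.0.0/24` and thresholds are all assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: management logins should only arrive from the VPN address pool.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
FAIL_LIMIT = 3                     # failed logins per window that raise an alert
WINDOW = timedelta(minutes=5)      # sliding window for counting failures

# Constructed sample log: timestamp device source_ip user result
SAMPLE_LOG = """\
2024-03-01T08:00:05 hvac-ctrl-01 10.8.0.14 admin OK
2024-03-01T08:02:11 hvac-ctrl-01 203.0.113.50 admin FAIL
2024-03-01T08:02:40 hvac-ctrl-01 203.0.113.50 admin FAIL
2024-03-01T08:03:02 hvac-ctrl-01 203.0.113.50 admin FAIL
2024-03-01T08:03:30 hvac-ctrl-01 203.0.113.50 admin OK
2024-03-01T09:15:00 lighting-gw-02 10.8.0.22 operator FAIL
2024-03-01T09:40:00 lighting-gw-02 10.8.0.22 operator OK
"""

def parse(line):
    """Split one record into typed fields."""
    ts, device, src, user, result = line.split()
    return datetime.fromisoformat(ts), device, ipaddress.ip_address(src), user, result

def find_anomalies(log_text):
    """Return (kind, device, source_ip, timestamp) tuples for suspicious logins."""
    alerts = []
    recent_fails = defaultdict(list)   # (device, src) -> failure times in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, src, user, result = parse(line)
        key = (device, src)
        # IP restriction check: any attempt from outside the VPN pool is flagged.
        if src not in VPN_POOL:
            alerts.append(("outside_vpn", device, str(src), ts.isoformat()))
        # Drop failures that have aged out of the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= WINDOW]
        if result == "FAIL":
            recent_fails[key].append(ts)
            if len(recent_fails[key]) == FAIL_LIMIT:
                alerts.append(("failed_login_burst", device, str(src), ts.isoformat()))
        elif len(recent_fails[key]) >= FAIL_LIMIT:
            # A success straight after a burst suggests a guessed password.
            alerts.append(("success_after_burst", device, str(src), ts.isoformat()))
            recent_fails[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

In a deployment these alerts would be forwarded to the SIEM mentioned in the list rather than printed.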

Changing mindsets, policies and technologies to create secure connected buildings takes time, effort and investment. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces to protect their building, employees and data. VPNs are an important first step towards substantially enhancing smart building security for the good of all.