Author(s): Jesse Roman. Published on February 8, 2021.

Weak Spots

High-tech building and fire systems offer a wealth of benefits—but they are also becoming targets for cybercriminals. What can we do to harden these vulnerable systems?  




LIKE MILLIONS OF AMERICANS, Ken Donaldson spent a chunk of his Thanksgiving weekend perusing online holiday sales, in particular markdowns on those popular multi-pot pressure cookers that can make a pot roast in minutes. After a bit of sleuthing, he’d found a potentially killer deal.

“Did you know they’re making wireless pressure cookers now?” Donaldson told me, shaking his head incredulously when we met over video conference in December.

To a layperson, a cooker that connects to a smart phone and allows the user to monitor a roast from afar may sound like a handy feature. To Donaldson, though, it’s practically an invitation for a hacker to steal your data, or possibly blow up your kitchen. 

That’s because Donaldson, a cyber security expert with the technology firm M.C. Dean, spends his days trying to thwart cyber criminals. To demonstrate the ease with which a knowledgeable hacker could proceed, Donaldson shows me a device called a “software defined radio receiver,” a small rectangular box, available online for about $200, that can intercept and collect wirelessly transmitted data. Hackers recently used a similar tool to capture the digital footprint of a Tesla key fob, then reverse engineered it to create a clone key to unlock vehicles at will. Though perhaps not as sexy as a Tesla, a pressure cooker could nevertheless provide a hacker with a portal to a trove of valuable information. 

A quick search of the Federal Communications Commission’s database would yield the device’s test report data, the wireless frequencies it uses, its encoding mechanisms, and possibly even its chip and encryption data. The website Shodan, a search engine that crawls the Internet looking for connected devices, could tell the hacker where the device is located, and possibly what else in the house it’s connected to.

“If somebody spent enough time at it, they are going to find vulnerabilities and they’ll get into the inner workings of that device,” said Donaldson—inner workings they can use as a gateway to a home network and the devices connected to it.

The pressure cooker is a small example of what has become a burgeoning and alarming trend: bad actors breaching vulnerable points of entry to access larger networks that can yield all manner of valuable information. As devices and building systems rapidly evolve from simple to smart and interconnected, savvy hackers have identified a cornucopia of new avenues they can exploit to launch attacks on both private and corporate networks. The average home may have a dozen or so of these vulnerable entry points, from smart appliances to personal webcams and computers. By comparison, corporations, hospitals, and manufacturing facilities—far more appealing targets for cybercriminals—can contain thousands of smart, interconnected devices and systems, many ripe for attack, including sprinkler and fire alarms, HVAC systems, security cameras, elevators, badge systems, parking ticket machines, automatic door locks, and many more.

The consensus among cybersecurity experts is that there is a long way to go to harden these systems against attacks. “The exact concept as the pressure cooker applies to a fire alarm, a sprinkler, or any smart or connected component of a building system, life safety system, or automation system you can think of,” Donaldson said. “They are all vulnerable.”

Once a hacker breaks into, say, a fire alarm system of a large corporation, he often needs only to follow the digital pathways that connect systems to reach the critical databases that companies pay dearly to defend. If a cybercriminal can breach the databases’ defenses, he can steal that information, often customer credit card numbers. Increasingly, hackers will seize and encrypt the information, and demand the organization pay a ransom to get it back.

The number and frequency of these schemes are soaring worldwide. Cybercrime now costs the global economy an estimated $600 billion per year, up from $445 billion in 2015, according to a report by the cybersecurity firm McAfee and the Center for Strategic and International Studies. Ransomware attacks in the United States alone cost an estimated $7.5 billion in 2019, according to a report by the cybersecurity company Emsisoft, and are expected to grow.

Experts are concerned that cybercriminals could use fire- and life-safety protection systems as means of attack, either as backdoor ways into larger corporate networks or as targets to disable or manipulate. Triggering a fire alarm, for instance, could unlock external emergency doors, giving bad actors physical access to a building in order to steal data or to disable systems.

Even more alarming, it’s possible that hackers could gain control of systems with the intent of hurting people or destroying property. Researchers have shown, for instance, that it might be possible to hack a large energy storage system and intentionally cause it to become unstable and perhaps even explode. These worries aren’t all hypothetical: In 2014, hackers infiltrated the controls of a German steel mill and disabled the shutdown of a blast furnace, causing widespread damage to the plant.

All smart building systems, from door locks to elevators, are vulnerable to attack. GETTY

While brazen physical attacks remain uncommon, the breadth of attacks against building systems appears to be on the rise [see “Knowledge Race”]. That has given officials in the fire protection industry pause—and led to action. Last year, NFPA’s research arm, the Fire Protection Research Foundation, launched a project called “Cybersecurity for Fire Protection Systems” to begin discussions on preparing the industry to defend against such attacks. The project is spearheaded by Donaldson’s employer, M.C. Dean, which specializes in intelligent building systems and security. A literature review of past research and the standards that address the topic will be published in early 2021, followed by a workshop where experts in related fields will meet to map out the actions that should come next.

“Cybersecurity is such a broad topic that we really needed a starting point, and I look at this project as a great start,” said Jens Alkemper, research area director for equipment, cyber, and materials science at the insurance company FM Global and an advisor to the FPRF project. “We are hoping that the project will influence thinking and bring much more awareness to the issue. In my mind, education and awareness are the two biggest issues we have right now. Everything else flows from that.”

System vulnerabilities
For seasoned hackers like Tyler Robinson, breaking into building systems can sometimes be embarrassingly easy.

Robinson is known in industry parlance as a “white hat” or “ethical” hacker. Companies hire him to try to infiltrate their systems and report back on the vulnerabilities he finds. “I get paid to break into stuff and I don't have to go to jail,” he told me, grinning. What he finds is often his clients’ worst cybersecurity nightmares. Robinson claims that, during his more than two decades in the business, he’s never failed to take down a mark, whether by physically entering a building to steal data or hacking it remotely. He’s broken into power grids, data centers, factories, and car manufacturers, among other targets.

While not every cyberattack originates in a building system, those features and their vulnerabilities are becoming increasingly attractive targets for hackers who tend to favor the path of least resistance, Robinson said. “All of these smart devices and all of these interconnectivities leave a pretty large footprint from an attacker standpoint, and many are running out-of-date software and out-of-date operating systems,” making them easy marks, he told me. “These devices are typically a little bit older, and they're often not segmented [from the main networks]—they're usually put into a network and forgotten about. Look at some of the breaches that have been in the news recently—it’s the HVAC systems, the automation systems, or even the industrial control systems that are initially accessed by the hackers.”

In addition to being easier to access than a typical computer network, building systems are also often well-connected, giving hackers an easy pathway to more valuable targets. HVAC systems and alarm systems, for instance, are usually on the same network as the main building controls, because building operations managers want the convenience of accessing these systems from a central location. “That becomes very valuable from an attacker standpoint, because once they're able to access the building control, that connects them to a hundred other systems,” Robinson said.

Alarmingly, Robinson has discovered that exploiting a company’s own fire safety management practices is also an effective tool. “You figure out who the fire extinguisher company is, and then come in and emulate them and pretend like you're looking at fire extinguishers throughout the whole building,” he said. “You can gain access to really sensitive areas because these safety devices must be inside these areas. People don't often associate or scrutinize inspectors who come in and do this particular work because it's required and it's normal. It's not really thought of as a threat vector.”

A pervasive problem is that many companies have been slow to consider operational systems in their buildings as vulnerable to cyberthreats, said Phil Owen, the director of information assurance and cybersecurity at M.C. Dean. And, despite the immense growth in smart and web-connected systems in buildings, few professionals responsible for installing and maintaining them have any background in cybersecurity—until now, nobody thought they needed it. “The general mindset for so long has been, ‘We've got to protect our corporate intellectual property, our payroll information, our finance information, our HR data.’ It is a relatively recent mindset to think that you also now have to protect the system that controls the emergency lighting or the fire alarm,” Owen said.

According to a poll by the Ponemon Institute, a cybersecurity research firm, the average time it takes a small business to install a software patch that closes a known security vulnerability is 102 days. One problem is that many building systems professionals aren’t even aware they should be checking and performing these tasks. “It's just not within their skillset and not really what they have been accustomed to doing,” Donaldson said.

There are other challenges as well. Even if there is a level of awareness on the part of the building manager, sometimes the equipment manufacturer may not come out with new security patches for previous systems, Donaldson said. In other cases, the onboard computing in the device itself may be too limited to handle a modern security system patch, leaving it vulnerable to attack. Building and facility managers should be aware of these problems and make sure that these outdated systems are separated from other networks, but many don’t know how to do so.

Ideally, facility managers need to think about building systems the same way IT professionals think about computer networks—as a security threat that requires constant vigilance and monitoring, said Jessica Chevreaux, the cybersecurity program manager at M.C. Dean and the co-author of the FPRF report. The reverse is also true: few IT people know much about building systems, she said. Training on both sides about how to work together to holistically protect a company’s digital assets is essential but is not yet widespread.

“The HVAC and fire systems engineers don't necessarily speak the same language as the IT people, and they definitely don't understand each other’s systems and vulnerabilities,” Chevreaux said. “This is such a new concept that there isn’t necessarily even a structure in place within companies to handle it. There isn’t really anyone bridging that gap.”

Security fundamentals
With cybersecurity in building systems still in its infancy, experts hope that projects like the Foundation’s can provide the framework necessary to put building security on a solid track.

“Success is going to come down to getting the fundamentals right from the beginning,” Robinson said. That includes providing clear, actionable guidelines on what’s known as “cyber hygiene,” such as network segmentation, minimum system and security requirements for wireless or passwords, authentication mechanisms, and training workforces to better understand the threat and their responsibilities.

“This educational piece has to be part of everyone’s thinking and everyone’s planning,” said Alkemper, of FM Global. “We have to start thinking of this as a threat like any other threat. Your building can burn down, yes. Things can get hacked, so be ready. If you plan for it and anticipate it, this can be managed.”

Experts also see a need for additional guidance from codes and standards, including possibly from NFPA. Currently, there are at least 16 NFPA standards with cybersecurity references, including NFPA 72®, National Fire Alarm Signaling Code®, which includes guidance and requirements to address cybersecurity for equipment, software, firmware, tools, and installation methods, as well as the physical security and access to equipment, data pathways, testing, and maintenance. The document also recently included a new reference section in its annex called Guidelines for Cybersecurity.

The ongoing Foundation project on cybersecurity will help stakeholders “better understand vulnerabilities, the severity of consequences, and the awareness issues that exist within the fire protection community … and will (further) inform the standards development process,” Jim Pauley, NFPA’s CEO and president, said in a recent virtual speech.

Alkemper says that additional installation and maintenance standards with cybersecurity at the forefront could help both workers and manufacturers. “You can have a great product, but if you don't set this up properly, if you don't manage your access rights properly, if you don't control this and that, many of the building’s security features will not work,” he said. “I don't know exactly what that standard would look like, but will there be one? I would think so.”

Meanwhile, promising new tools and technology are also starting to emerge. They include artificial intelligence and machine learning programs that might one day be able to automatically detect anomalous behavior on a network by performing analysis on millions of data points in a matter of milliseconds, then alert system administrators. Manufacturers of smart devices are also coming out with new and better security updates and more hardened products, a trend that experts say will continue to advance as consumers become savvier about cyber threats and begin demanding better protection.

Ultimately, it will be up to individual organizations to adopt protocols, train their employees, and install a robust process to protect themselves. While it may not be possible to completely stop a motivated attacker with time and limitless resources, Robinson and others say, you can at least offer enough resistance to deter them. “Those layers of defense make a huge difference in the level of effort and the level of sophistication required to get into your system,” Robinson said. “At the end of the day, if it costs me a lot of time and energy, and I only get 10 minutes in a network, that's a high level of cost and entry for most attackers. Unless you're a very high-value target, they are probably going to move past you and on to the next target.” 

JESSE ROMAN is the associate editor at NFPA Journal.