Don’t be afraid of the dark: pitfalls of the smart office

Have you ever considered your smart office from an IT security viewpoint? Did it occur to you that by equipping your office with devices designed to provide life’s comforts, cybercriminals are handed even more opportunity to gain access to your corporate information and even to cause physical damage?

It’s hard not to notice that the modern office space is no longer just a building with windows, desks and a ceiling. With various automation systems becoming commonplace, the office has essentially become a huge cybernetic organism on its own. All sorts of engineering and logistical solutions, sensors and controllers encompass technologies providing access control, video surveillance, climate control, water supply, lighting, fire extinguishing, elevator control, etc.

This same system can also, to some extent, control information and communications technologies, monitor the state of communication channels, restrict employee access to undesirable Internet resources, and block file downloads by size and type.

All of these solutions, sensors and controllers are tied together into a sophisticated telecommunications network that has a single control center – a server or any modern computer with specialized software providing support for all the relevant protocols.

These systems are designed to create and maintain comfortable working conditions for the company’s employees, as well as provide a more centralized and less complicated process for managing these technologies. These systems also help to improve efficiency. For example, the early detection of a gas or water leak by the system’s sensors could reduce company’s costs significantly.

A study carried out by Allied Market Research found the market for smart building systems is evolving and growing rapidly. The research company forecasts that the market will grow by 29.5% by 2020 and reach a volume of $35.3 billion. This means that more and more office buildings will be built based upon these principles.

But have you ever considered your smart office from an IT security viewpoint? Did it occur to you that by equipping your office with devices designed to provide life’s comforts, cybercriminals are handed even more opportunity to gain access to your corporate information and even to cause physical damage?

It makes no difference in this context whether you are renting an office or have a smart building of your own. Incidentally, the size of your business and its area of work does not matter either, because your company may be of interest to cybercriminals both on its own and as a stepping-stone for attacks against your partners.

This is because the telecommunications network used in the system, while being a key element that is essential to its operation, is also the system’s weak spot. It is used for all communications between the command center and the end devices. The network can use both wired and wireless technologies (such as Wi-Fi and Bluetooth). Moreover, the central computer itself may have an Internet connection to make management and control easier.

For cybercriminals, this is the primary target, since access to the command center, or the corporate network, enables them to take over the entire system.

For example, after gaining access to the network, cybercriminals can monitor the office’s operation using the video surveillance system – they may even be able to see the information on employees’ monitors. Taking advantage of the access control system’s vulnerabilities, criminals can get into the building disguised as employees without attracting anyone’s attention. After all, the security service does not necessarily know all employees by sight. Taking control of other life-support systems can seriously undermine the office’s ecosystem, to the point of making work impossible. This can result in downtime, missed deadlines, damage to property and other financial losses.

This is why a multi-tier, comprehensive approach to IT security is a must. It is essential that security is not limited to protecting corporate resources internally using IT security solutions on employees’ endpoints. It is crucial to provide reliable protection for all elements of the smart building management system that are connected to your corporate system in any way.

We recommended the following approach to ensure your company’s systems remain reliably protected:

  • A comprehensive IT security audit will help to identify all the weak spots in the company’s IT network.
  • Developing a threat model will enable you to create a detailed map of potential attack vectors.
  • Implementing a specialized, multi-layered IT security solution will help to provide protection for all nodes on the corporate network, including protection against Internet threats, data encryption on endpoints, protection of financial transactions, protection for mobile devices, the mail server and data storage facilities connected to the network, timely software and signature database updates, etc.
  • Employee training in IT security and office system operation rules, as well as the rules of conduct in critical situations, will help to reduce the chances of attackers gaining access to your data by using social-engineering techniques.

With the market for embedded solutions evolving at such a pace, some vendors are now looking to develop specialized technologies to cater for this growing market. Our own company, Kaspersky Lab, for example is developing an embedded secure operating system and is now close to the pilot stage. Specifically, one of its components, Kaspersky Security System, is already available in the market as an embedded OEM solution. The component can be built into any real-time operating system, providing security for operations performed under that operating system.

The operating system itself can be built directly into controllers and sensors used in smart building systems. All of these end devices are microcomputers that need protection as much as other computers that are better known to the world. Since conventional security tools cannot be installed on such devices, a specialized solution implemented as a secure operating system can provide security of smart building systems at the end device level, safeguarding the company against cyberattacks that use the system as an entry point into the company’s corporate network.