In countries like the United States, the growth of smart buildings is estimated to reach 16.6% by 2020 compared to 2014, although this expansion is not limited to the US but rather is taking place on a global scale. This growth is largely due to the fact we live in a world increasingly permeated by technology, in which process automation and the search for energy efficiency contribute not only to sustainability, but also to cost reduction – a goal pursued in all industries, public and private alike. Naturally, the construction industry is no exception, says Carey van Vlaanderen, CEO at ESET South Africa.
Smart buildings use technology to control a wide range of variables within their respective environments with the aim of providing more comfort and contributing to the health and productivity of the people inside them. To do so, they use so-called Building Automation Systems (BAS). With the arrival of the Internet of Things (IoT), smart buildings have redefined themselves. With the information they obtain from smart sensors, their technological equipment is used to analyse, predict, diagnose and maintain the various environments within them, as well as to automate processes and monitor numerous operational variables in real time. Ambient temperature, lighting, security cameras, elevators, parking and water management are just some of the automatable services currently supported by the technology.
To put the possibilities of this smart infrastructure into perspective, consider the example of a smart building in Las Vegas where, two years ago, the owners decided to install a sophisticated automation system to control the use of the air conditioning (keeping in mind Las Vegas has a hot desert climate and very little rain), so it is turned on only when there are people present. This decision led to a saving of US$2 million during the first year after the smart system was installed, due to the reduction in energy consumption achieved by automating the process. Marriott Hotels implemented a similar system across the entire chain that is expected to generate an estimated US$9.9 million in energy savings.
Another example of automation through smart devices is that of a supermarket in the United Kingdom. The store installed a smart system in its parking lot that generates a kinetic energy from the movement of cars passing through it, and then uses that energy to power the checkouts.
At first glance, we may not see any security risk in these smart buildings. It is likely, however, that at some point the entire smart network is connected to a single database, and that is where the risk is. Particularly if we consider that many IoT devices are manufactured by different suppliers, who may not have paid due attention to security considerations during their design and manufacturing process.
Possibility of a smart building being attacked
The risk of a security incident taking place in an intelligent building is linked to the motivations of cybercriminals, who mainly seek to achieve economic gain through their actions, as well as to impact and spread fear.
There are already some tools such as Shodan that allow anybody to discover vulnerable and/or unsecured IoT devices connected publicly to the internet. If you run a search using the tool, you can find thousands of building automation systems in its lists, complete with information that could be used by an attacker to compromise a device. In February 2019, around 35,000 building automation systems worldwide appeared in Shodan within public reach via the internet.
This means that someone could take control of a BAS after finding it through a search. If, for example, a criminal searched Shodan for building automation systems to attack, they would find IP addresses. If they copied those IP addresses into the address bar of a web browser, in many cases this would bring up a login interface asking for a username and password. If the password is a default password, or if it can be cracked easily through a brute force attack, the attacker will gain access to the system monitoring panel, which contains information such as the companies located in the smart building.
Once the attackers have access to this public information and can monitor, for example, how the air conditioning works, they could make a phone call pretending to be from the maintenance company and say they are going to send a technician. At the same time, the attackers could request remote access, which would give them access to the server and allow them to control the building. Once they have control, they could alter the building’s heating or air conditioning or adjust the way any of the other automated systems operate, and then demand payment of a ransom using a system that allows them to remain anonymous, such as cryptocurrency, in exchange for not shutting the building down.
Siegeware: a very real threat
Cybercriminals are already carrying out such attacks when they have the opportunity. This kind of attack is siegeware, or “the code-enabled ability to make a credible extortion demand based on digitally impaired building functionality”.
In conclusion, the low cost of IoT devices for buildings and the advances in technology for building automation systems are leading to changes with an impact on security. This drive toward automation and the use of smart devices to gather data – in order to give a building’s users more comfort and to make more efficient use of resources such as energy – is also leading to increased security risks. As a result, the possibility of a cybercriminal launching a ransomware attack on a smart building is already a reality.
Considerations to keep in mind
There are a number of security considerations and requirements to keep in mind:
- Review the devices’ security specifications and work on the basis of the ‘security by design’ concept
- Set a suitable budget for security
- Choose partners that have knowledge of security issues
- Install software for managing vulnerabilities
- Ensure cooperation between the different areas and/or departments
For operational issues:
- Update the devices regularly
- Implement a replacement plan for when devices’ support life cycles end
- Exercise caution with respect to connected devices
- Monitor connected devices
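As an added example (not from the article), the operational points above can be turned into a routine inventory audit. The script below checks a constructed list of building automation devices for out-of-date firmware, ended vendor support, default credentials and internet exposure; the device names, dates and the 180-day update threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BasDevice:
    name: str                # hypothetical device label
    vendor: str
    firmware_date: date      # build date of the firmware currently installed
    support_end: date        # vendor's end-of-support date for this model
    default_creds: bool      # factory username/password never changed
    internet_exposed: bool   # management interface reachable from the internet


# Constructed sample inventory; none of these are real devices.
INVENTORY = [
    BasDevice("hvac-ctrl-1", "VendorA", date(2019, 1, 10), date(2022, 1, 1), False, False),
    BasDevice("lift-gw-2", "VendorB", date(2017, 6, 1), date(2019, 3, 1), True, True),
    BasDevice("lighting-3", "VendorC", date(2018, 11, 5), date(2021, 12, 31), False, True),
]

AUDIT_DATE = date(2019, 6, 1)           # fixed date so the audit is reproducible
MAX_FIRMWARE_AGE = timedelta(days=180)  # assumed policy: patch at least twice a year


def audit_device(dev: BasDevice, today: date) -> list[str]:
    """Return the findings for one device, most severe first."""
    findings = []
    # Exposure and credentials: the combination is the siegeware entry point.
    if dev.internet_exposed and dev.default_creds:
        findings.append("CRITICAL: internet-exposed with default credentials")
    elif dev.internet_exposed:
        findings.append("HIGH: management interface reachable from the internet")
    elif dev.default_creds:
        findings.append("HIGH: factory default credentials still in use")
    # Lifecycle: once support has ended there are no more updates to apply,
    # so the action is replacement rather than patching.
    if today > dev.support_end:
        findings.append("HIGH: vendor support ended, schedule replacement")
    elif today - dev.firmware_date > MAX_FIRMWARE_AGE:
        findings.append("MEDIUM: firmware older than 180 days, check for updates")
    return findings


def audit_inventory(inventory: list[BasDevice], today: date) -> dict[str, list[str]]:
    return {d.name: audit_device(d, today) for d in inventory}


def run_audit() -> dict[str, list[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings or ["OK"])
```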
Cloud makes business magic
A cloud summit conference last week illustrated the dramatic way the cloud can transform an organisation’s capacity.
What do the movies have in common with banks? Aside from the billions of rands and dollars that flow through both industries, they seem worlds apart. Yet, in the world of cloud computing, they are suddenly close neighbours.
It’s not just that both now tend to host their services in the cloud, accessible from any connected device anywhere in the world. Now, they can take advantage of the lessons, systems and strategies that each has adopted in the cloud.
One of the best-known examples of leveraging the cloud for global impact is Netflix, which hosts its content in the data centres of Amazon Web Services (AWS), the world’s largest cloud computing service. Along with videos and movies, it also applies regional licensing frameworks via this cloud platform, meaning it can instantly launch new services and videos worldwide that comply with local regulations in every country.
At last week’s AWS Summit in Cape Town, it became clear just how powerful the cloud can be for South African organisations. One of South Africa’s oldest insurance companies, one of the country’s largest universities and the country’s newest bank all took to the stage to share case studies of how the cloud had transformed their operations.
That is probably all that Old Mutual, the University of Pretoria and TymeBank have in common, but they slotted in neatly to a bigger story: the cloud is available to any institution or business, large or small, old or new. This is the underlying secret to the astonishing growth of TymeBank, South Africa’s first fully digital bank, and the first entity to receive a banking license in this country in 19 years.
Launched earlier this year, it currently brings 100,000 new customers on board every month. To achieve this, it uses no fewer than 54 distinct services available on the AWS platform, says Dieter Botha, chief information officer of the bank.
“We’ve got so many services in the ecosystem. From a security point of view, every single one of our customers’ conversations with banks comes into the AWS world via a security layer, a content delivery network, web application firewall and AWS’s Advanced Shield, so we are pretty resilient from cyber attacks. The primary purpose is to make sure our face to the world is protected from attack.”
The most fascinating aspect of their ability to leverage the AWS cloud, however, was the fact that they were able to piggyback on processes and systems that streaming video giant Netflix had created for its own services in the cloud.
“They’ve got what we call the Netflix stack, a set of tools they put together that makes it easier to manage microservices, small elements of computer processes that run in what are called containers.”
Netflix built its own application containers, on top of an open-source platform, meaning that anyone could use and adapt the systems it had developed. However, that was only a starting point while TymeBank was pulling itself up by its own bootstraps.
“This is where we say, if you take a step back, this stuff is very cool, but it translates into an element of risk. From a risk point of view, rather than using that scaffolding, we said let’s take our microservices container, and get an animal like AWS to run it for us. So we’re effectively replacing the Netflix stack with AWS and its native services.
“Now our techies can just focus on the code inside our operations rather than build the heavy scaffolding we had to worry about. The documentation is so good on AWS, because they have real technical gurus who understand the systems, that it de-risks our services.”
Netflix wasn’t the only everyday consumer service that played its part in building TymeBank. It turns out that many of the global giants have made their systems and learnings available to anyone in the world. The bank turned to a product from none other than Facebook to help build its Web presence.
As TymeBank refines its services and migrates deeper and deeper into the Amazon cloud, it has also been able to cut costs dramatically.
“We found as we’ve grown and become more comfortable in that cloud and more skilled in the use of the cloud, we began consuming more native services, meaning they are designed to run in the cloud. That’s a really big deal for us. That’s when you see the benefits of the cloud ecosystem. One native service can trigger another, because they talk to each other well.
“This includes a set of services that help you manage your life and bills in the cloud. People forget about costs. Now we can tag a lot of our services in the AWS cloud to understand exactly what is driving cost points, and we are able to manage costs right down to the level of the techies.
“Traditionally, if you sign a contract with a big supplier, it gets filed away, and the techies don’t even know what is driving costs. By tagging services in the cloud, you’re giving cost knowledge to your techies, and it’s in their power to push it up and down. You give them the power to understand costs and manage them. That’s never been possible before.”
This partly explains why TymeBank is able to bring the monthly cost of having a bank account to exactly zero. It is only when one starts using its services that banking fees kick in.
However, the fact that a 174-year-old insurance company like Old Mutual and a 156-year-old bank like Standard Bank are also rapidly migrating to the AWS platform is a clear message that the cloud is not just for newcomers.
Both institutions began offering their services in the middle of the 18th century, when the concept of technology barely existed. Yet, the constant evolution and falling price of cutting-edge tech like cloud computing has meant they can not only survive, but even thrive, in the presence of young upstarts like TymeBank.
- Arthur Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter and Instagram on @art2gee
Think like a hacker
Ethical hackers play a key role in keeping a company secure.
Relevant cybersecurity isn’t perpetuated exclusively through investment and systems; it is reliant on people and their understanding of the cyber threat.
A leading ethical technology hacker in Europe, Jamie Woodruff, gained access to a well-known financial institution by simply posing as a pizza delivery man. He was quoted as saying that it is the mistakes that people make that are the true threat to the business. That said, it is people like Woodruff who can provide the organisation with the insight required to pre-empt attacks, find hidden loopholes and educate employees.
These ethical hackers know how to play the game of cybersecurity thrones. They understand the methodologies and the mindsets of those who make a living from penetrating business defences unlawfully and use this understanding to reshape security infrastructure and investment.
“The role of the ethical hacker has evolved considerably over the past few years,” says Karien Bornheim, CEO of Footprint Africa Business Solutions (FABS). “In the past, they would be hired by organisations to ensure that their security was capable of withstanding a concerted attack and, in some cases, find out if they had already been breached. Many organisations only discover that they’ve had a breach years after it has taken place. Today, the ethical hacker has added to their arsenal – their skills have evolved and so have the methods they use. Not only are they penetrating the front lines of defence, they are also launching attacks from the inside of the organisation.”
There has been a subtle shift from the slide-in-and-out pen testing of the past, when ethical hackers would attack organisations over a period of a few days or weeks. Now, many undertake long-term undercover assignments that embed them in the company. These are the ethical hackers who become part of the culture so they can identify the insider threats affecting the organisation, and even identify the source of ongoing security challenges. Many ethical hacker training courses specialise in undercover training in very specific technology skill sets that allow them to find the bigger threats to the organisation, particularly those perpetrated by employees.
The insider threat is a very real problem. According to CA’s Insider Threat 2018 Report, 90% of organisations feel that they are vulnerable to an insider attack, 53% have had confirmed insider attacks, and 27% have seen an increase in frequency. This has sparked significant internal investment into insider threat programmes that focus on deterrence, forensics and user behaviour monitoring.
“Ethical hackers are capable of immersing themselves into the culture of the business. They use this to detect behaviour that could potentially indicate if someone is an insider threat,” says Bornheim. “Their skills allow them to find digital proof of misdeeds and rapidly detect certain system issues or behaviours. Those who take on these roles can spend months or even years at an organisation protecting it both from within and without.”
That said, in spite of their security expertise and experience, many organisations remain reluctant to hire external ethical hackers and grant them access to their information. It’s an understandable concern. Many ethical hackers have moved from the so-called black hat (criminal) side of hacking to the white hat (legal) side and bring with them a suitcase of smart skills that few companies want to see thrown at their cybersecurity walls. However, this discomfort is the precise reason why the business should be paying attention and the bill.
“These individuals do command high salaries but what they offer the organisation in terms of reputational and cost-saving benefits, cannot be understated,” says Bornheim. “Should they discover a bug, a loophole, an existing piece of dangerous code, or any other threat to the company, they can save it millions.”
The average cost to the company of a data breach, according to IBM’s study, Costs of Data Breaches Increase Expenses for Businesses, is around US$3.86 million. This cost has risen by 6.4% since 2016 and will likely increase again over the next 12-24 months. Any company facing that reckoning at the end of a cybersecurity hack from a black hat will suddenly see the bill that comes from a certified white hat as a missed opportunity.
“Certified ethical hackers operate under very strict ethical controls,” concludes Bornheim. “They report any issues or information they find and help the organisation to put more stringent or relevant controls in place. The ethical hacker is ultimately a weapon, one that can be safely wielded by the untrained to defend the organisation against future attacks, to rebuild systems and security platforms, and to uncover insider threats. Their role is as critical to the development of a robust cybersecurity stance as the software, solutions and training that are embedded into the human, machine, server, and system.”