Case Study: Fortifying the Future – Security Risk Assessments and OT Penetration Testing for Smarter, Safer Buildings

Introduction

When it comes to modern smart buildings, blending cutting-edge technology with daily operations opens up a world of possibilities—and potential risks. One of our recent projects involved securing a smart building for a large client, a leader in their industry, who was looking to integrate smart systems throughout their facility. They wanted to ensure that their building’s advanced infrastructure was not only efficient but also secure from potential cyber threats.

To protect their interests, we conducted a comprehensive Security Risk Assessment (SRA) and followed it up with Operational Technology (OT) Penetration Testing (OTPT). Here’s a peek behind the scenes at how we helped secure a fully automated, interconnected building without sacrificing innovation.

The Challenge

Smart buildings operate on a hybrid network of both IT and OT systems, and this client’s building was no exception. Integrating their HVAC, lighting, elevators, and energy management systems into one cohesive network was a marvel of engineering. But this convenience also raised serious cybersecurity concerns.

Challenge 1: Legacy Systems and Modern Cybersecurity

One of the most common challenges in OT environments is dealing with legacy systems. Many of the OT components used in smart buildings were designed decades ago, with little to no built-in cybersecurity measures. In our client’s case, some of their building management systems (BMS) were running on old protocols, like Modbus and BACnet, which lacked encryption and were vulnerable to man-in-the-middle attacks.

Solution: We focused on segmentation and encryption. First, we recommended segmenting the OT network from the IT network to limit exposure to potential attacks. Next, we proposed setting up secure gateways between the legacy systems and modern networks, which would add a layer of encryption and authentication to their data exchanges without needing to completely overhaul the infrastructure. This allowed the client to keep their legacy systems but operate them in a more secure environment.
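As an added illustration (not part of the original assessment or the client's tooling), the segmentation rule above can be checked against observed traffic. This Python example flags flows that reach the OT zone without going through the gateway, and legacy cleartext protocols seen outside OT. The subnets, gateway address and flow records are constructed; 502/tcp and 47808/udp are the standard Modbus TCP and BACnet/IP ports.

```python
import ipaddress

# Constructed zone plan and gateway address (assumptions, not from the case study).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),
}
GATEWAY = ipaddress.ip_address("10.30.0.10")  # hypothetical secure gateway
LEGACY = {("tcp", 502): "Modbus", ("udp", 47808): "BACnet"}  # cleartext protocols

# Constructed flow records: (source, destination, transport, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.1.5", "tcp", 502),    # IT workstation straight to a PLC
    ("10.10.4.21", "10.30.0.10", "tcp", 443),   # IT to gateway over TLS
    ("10.30.0.10", "10.20.1.5", "tcp", 502),    # gateway to PLC
    ("10.20.1.7", "10.20.1.5", "udp", 47808),   # traffic inside the OT zone
    ("10.10.9.9", "10.30.0.10", "udp", 47808),  # BACnet sent in cleartext from IT
    ("192.0.2.50", "10.20.1.5", "tcp", 502),    # source not in any zone
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def audit_flows(flows):
    """Return (src, dst, service, reason) for each cross-zone policy violation."""
    findings = []
    for src, dst, proto, port in flows:
        zones = (zone_of(src), zone_of(dst))
        if zones[0] == zones[1]:
            continue  # intra-zone traffic is not a segmentation question
        service = LEGACY.get((proto, port), f"{proto}/{port}")
        endpoints = {ipaddress.ip_address(src), ipaddress.ip_address(dst)}
        if "UNKNOWN" in zones:
            findings.append((src, dst, service, "endpoint outside any defined zone"))
        elif "OT" in zones and GATEWAY not in endpoints:
            findings.append((src, dst, service, "reaches OT without the gateway"))
        elif (proto, port) in LEGACY and "OT" not in zones:
            findings.append((src, dst, service, "cleartext legacy protocol outside OT"))
    return findings
```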

Challenge 2: Misconfigured Remote Access for Third-Party Vendors

Many smart buildings rely on third-party vendors to manage and maintain various systems remotely. While remote access improves convenience and response times, it can also open the door to unauthorized access if not properly managed. In this case, we discovered that several third-party vendors had unrestricted access to critical systems, including HVAC controls and surveillance cameras, and that this access was protected by weak passwords.

Solution: We recommended role-based access controls (RBAC) and multi-factor authentication (MFA). By restricting vendor access only to the systems they directly managed and enforcing MFA for remote access, we significantly reduced the attack surface. Additionally, we implemented a system to monitor and audit all vendor activity, providing real-time alerts for any suspicious behavior.
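The vendor controls described above can be expressed as an audit over remote-access logs. The following Python block is an added example, not the monitoring system deployed for the client; the vendor accounts, system names and log format are constructed for illustration.

```python
import csv
import io

# Constructed RBAC map: the only systems each vendor maintains (assumption).
VENDOR_SCOPE = {
    "hvac-vendor": {"hvac-ctrl-01", "hvac-ctrl-02"},
    "cctv-vendor": {"nvr-01"},
}

# Constructed remote-access log: timestamp, vendor account, target system, MFA result.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z,hvac-vendor,hvac-ctrl-01,mfa=pass
2024-03-01T08:40:55Z,hvac-vendor,nvr-01,mfa=pass
2024-03-01T23:17:03Z,cctv-vendor,nvr-01,mfa=none
2024-03-02T02:05:40Z,lift-vendor,bms-core,mfa=pass
"""

def audit_vendor_sessions(log_text, scope=VENDOR_SCOPE):
    """Return (timestamp, vendor, target, reason) for each policy violation."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, vendor, target, mfa = row
        allowed = scope.get(vendor)
        if allowed is None:
            # An account with no role should not be able to log in at all.
            alerts.append((ts, vendor, target, "account has no approved role"))
            continue
        if target not in allowed:
            alerts.append((ts, vendor, target, "target outside vendor role"))
        if mfa != "mfa=pass":
            alerts.append((ts, vendor, target, "session without MFA"))
    return alerts
```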

Challenge 3: Unsecured IoT Devices

The building’s IoT devices—such as smart thermostats, security cameras, and lighting systems—were all connected to the same network, creating a large attack surface. What’s more, several of these devices had default credentials that had never been changed, making them easy targets for cybercriminals.

Solution: We initiated a device inventory and credential management overhaul. First, we conducted a comprehensive inventory of every connected device, identifying those with outdated firmware, weak passwords, or open ports. Then, we helped the client implement a password rotation policy and automatically assign unique, strong credentials to each device. Additionally, we proposed isolating the IoT devices on their own subnet, which prevented an attacker from using a compromised device to access more critical systems like the BMS.

The Approach: Security Risk Assessment (SRA)

Our first step was conducting a Security Risk Assessment to map out the potential risks across the building’s infrastructure. This involved:

  • Identifying Assets: We mapped every connected device—from the elevators and security cameras to the building’s HVAC system. Each asset was analyzed for its potential vulnerabilities and level of criticality to the building’s operation.
  • Assessing Threats: Our team identified possible attack vectors, both external and internal. These ranged from direct cyberattacks targeting weak points in the OT network to insider threats that could compromise building systems. One concern, for example, was the use of legacy protocols in older systems that were never designed with cybersecurity in mind.
  • Evaluating Vulnerabilities: Through detailed vulnerability scanning, we assessed existing gaps. The building’s energy management system, for instance, had default passwords still in use, while network segmentation was insufficient between critical systems like the fire alarms and non-essential components like lighting control.
  • Prioritizing Risks: The SRA helped us rank the risks based on likelihood and impact. For instance, an attack on the HVAC system could disrupt the entire building’s operations, whereas a breach of the lighting system, while still serious, had less critical consequences.
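The device inventory from Challenge 3 and the likelihood-and-impact ranking described in the list above can be combined in one pass. This Python block is an added example, not the scoring model used in the engagement; the inventory rows, the 1-5 scales, the weights and the firmware-age threshold are all assumptions.

```python
from datetime import date

# Constructed inventory rows (assumption): criticality is the asset's impact, 1-5.
INVENTORY = [
    {"name": "hvac-ctrl-01", "criticality": 5, "default_creds": False,
     "firmware": date(2017, 5, 1), "open_ports": [502]},
    {"name": "energy-mgmt", "criticality": 4, "default_creds": True,
     "firmware": date(2021, 9, 1), "open_ports": [443]},
    {"name": "cam-lobby-03", "criticality": 3, "default_creds": True,
     "firmware": date(2019, 2, 1), "open_ports": [23, 80, 554]},
    {"name": "light-ctrl-12", "criticality": 2, "default_creds": False,
     "firmware": date(2023, 11, 1), "open_ports": [443]},
]
CLEARTEXT_PORTS = {23, 80, 502}  # Telnet, HTTP, Modbus TCP
MAX_FIRMWARE_AGE_DAYS = 3 * 365  # hypothetical patch-age threshold

def likelihood(dev, today):
    """Score 1-5: one base point plus points for each weakness found."""
    score, reasons = 1, []
    if dev["default_creds"]:
        score += 2
        reasons.append("default credentials")
    if (today - dev["firmware"]).days > MAX_FIRMWARE_AGE_DAYS:
        score += 1
        reasons.append("outdated firmware")
    if CLEARTEXT_PORTS & set(dev["open_ports"]):
        score += 1
        reasons.append("cleartext service exposed")
    return score, reasons

def rank_risks(inventory, today):
    """Return (risk, name, reasons) ordered by likelihood x impact, highest first."""
    ranked = []
    for dev in inventory:
        lik, reasons = likelihood(dev, today)
        ranked.append((lik * dev["criticality"], dev["name"], reasons))
    # Ties are broken by name so the report order is stable between runs.
    return sorted(ranked, key=lambda r: (-r[0], r[1]))
```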

The Test: OT Penetration Testing (OTPT)

Once the risk assessment was complete, we moved on to OT Penetration Testing, simulating real-world cyberattacks to see if the building’s OT systems could stand up to the challenge.

  • Reconnaissance: We began by gathering as much information as possible about the building’s OT network—mapping out its structure, identifying devices, and pinpointing weak spots like outdated software versions and unprotected open ports.
  • Vulnerability Exploitation: Next, we tested how easily an attacker could exploit these vulnerabilities. We simulated various attack scenarios, including attempts to gain unauthorized access to the building’s BMS. During one test, we were able to breach the security camera system, demonstrating how a hacker could monitor the building remotely if the network wasn’t properly segmented.
  • Post-Exploitation: Once inside the system, we tested the extent of our access. Could we move laterally across the network? Could we gain control over other connected systems? The tests showed that once a single system was compromised, it was relatively easy to jump between devices that weren’t properly isolated from each other.

The Outcome

The SRA and OTPT gave the client a detailed roadmap for strengthening their smart building’s security. We provided key recommendations, including:

  • Better Network Segmentation: We recommended stronger segmentation between critical systems (like the HVAC and energy management) and less critical systems (such as lighting) to minimize lateral movement within the network.
  • Password and Access Control Improvements: We advised the client to remove default credentials across all systems and implement stronger password policies and multi-factor authentication to prevent unauthorized access.
  • Software Updates and Patching: We helped the client understand the importance of regular patching, especially for legacy systems running outdated software that could leave the building vulnerable to attack.
  • Enhanced Monitoring and Detection: Finally, we recommended more robust monitoring tools to detect and respond to any suspicious activity in real time.

Key Takeaways

In today’s world, smart buildings are the future of efficiency, but they also require new levels of security. For this client, a comprehensive Security Risk Assessment and OT Penetration Testing were critical in identifying vulnerabilities and creating actionable steps to mitigate those risks. By staying ahead of potential threats, the client could ensure that their cutting-edge smart building remained secure—without sacrificing any of the innovation that makes it stand out.

This project serves as a reminder that even the most advanced buildings need solid defenses. Cybersecurity for smart buildings isn’t just about protecting data; it’s about safeguarding the physical infrastructure and operations that power them every day.


Whether you’re in the planning stages of a smart building project or already managing an operational site, it’s crucial to stay proactive. Security Risk Assessments and OT Penetration Testing are not just optional—they’re essential steps in safeguarding your smart building from evolving cyber threats.