Can Your Building Be Hacked?
Posted on Thu, Aug 12, 2010 @ 03:13 PM
Think about it. You know that computers can be hacked. You know your building is controlled by computers. Therefore, your building can be hacked, right?
Our company was reminded of this several years ago—in rented space that we do not control, mind you—when we moved into a new office and held an open house, only to find out that the building management system had succumbed to a computer virus. The result was that we did not have the air conditioning that we had contracted to extend into the evening hours. Worse still, everyone from the management company had gone home, and they couldn’t alter the settings remotely.
In an era of increasingly frequent and often blindly automated attacks on computer systems, the possibility that your building can be hacked is a very real one. The question is, what can you do to prevent it?
Short of sequestering all your management systems on a private network that not even your staff can reach, there are a number of good recommendations from the IT world that should be applied to your building management, access control, and video surveillance systems as a matter of course:
- Make sure they are in a secure data center.
Placing a computer system that is part of your company’s “critical infrastructure” in an open office setting is just asking for trouble, especially if they are sharing LAN with users who may be bringing viruses and other malware onto the network. That’s how our building AC system was infected.
- Make sure that access to systems is both restricted and audited.
If access to your building management systems is not restricted through strong identity, password, and authorization mechanisms, then you really can’t be sure that you are protecting your assets as you had planned. And without an independent audit to assure that controls on the system are actually practiced, you are just trusting in blind faith. Like those guys who were supposed to give us air conditioning.
- To keep systems useful, provide for safe remote access.
We all know that service expectations these days are for problems to be fixed right now. That’s why it sounded so lame when our building engineers said that they couldn’t remotely access the building management system and just override the problem because —get this—they couldn’t change the setting from the Internet. This was especially hard to hear for an Internet company like Brivo, and, believe me, the irony was not lost on us.
The moral of the story is that many times viruses and hackers have better access to your critical infrastructure than your employees do, and that’s just wrong.
Keeping this in mind, we’ve scheduled our next party outdoors, on what promises to be a fine late summer afternoon.
- Steve Van Till