Cybersecurity starts at the entrance desk
Securing smart buildings is a challenge due to their complexity. Any device or system connected to the Internet is a potential entry point for bad actors. The security of smart buildings therefore requires a holistic approach, paying attention to the technical, organizational and human aspects of cybersecurity. We spoke to Bas Labordus, from The S-Unit, about the technical aspects.
By: Eline te Velde
The S-Unit is a security company specialized in cybersecurity issues. They help customers better secure their systems through controlled attacks. They look at the entire process, from pen testing to independent advice. The S-Unit serves a wide range of customers, from companies in the entertainment industry to insurance companies and hospitals.
Crown Jewels
The cybersecurity specialists always start with a research question, Labordus explains. “We are always looking for the most important assets together with the client. What do you want to protect? What are your 'crown jewels'? And what happens if those crown jewels are no longer available, the dates are no longer correct, or the wrong people have access?” The research question determines the scope and from there the testing begins.
There are several possible approaches to testing, such as black box testing, where the attacker has no prior knowledge of the internal workings of the software. In white box testing, by contrast, the attacker has knowledge of the internal structure and has, as it were, been taken along by the company.
“Once we have determined the research question, we run scenarios on it. Then we try to get in by any means possible. This is what we call pentesting. Another approach is Red Teaming, where you test an entire chain. You assume a certain scenario, for example that money has been transferred to an account. To achieve this, several steps must be taken. With this method of testing, we do not try to attack from all sides, but we walk back the steps,” says Labordus.
“With pen testing you take an element from the chain and attack it from all sides. With Red Teaming you go through the entire process and you stay under the radar.”
Password under keyboard
The first step in attacking a building is often physical. To enter the network or find information, we actually visit the building, says Labordus: “We really try to enter the building, for example through an open door or by going in with the smokers. There is a major social aspect involved. Sometimes it is necessary to convince others to gain access, for example to check the printer or internet connection. Everything we encounter next is interesting information. For example, under keyboards you will find usernames and passwords and whiteboards always contain interesting information. All collected information can be used in a follow-up attack. The technical attack actually starts at the downstairs access desk.”
Solar panels
Smart buildings offer numerous advantages. For example, they increase comfort and efficiency and help us save energy. But increased connectivity brings a greater risk of cyber attacks. Labordus explains: “We are currently seeing many buildings installing solar panels. There are of course inverters and the question is how they are connected to the network. This solar panel inverter can be a gateway to enter the network. Here you can draw a parallel with physical access. If the gates are too low, you can easily step over them. This principle also applies to cybersecurity: if doors are open, you can enter.”
Another development that Labordus sees is the desire to automate and integrate more and more. “Companies want to save energy and have insight into their energy consumption in a dashboard. Very good of course, but how does that information get there? We see the same with CO2 meters. If the signal from the CO2 meter is directly connected to a dashboard, I may be able to enter in the opposite direction. In addition, more and more work is being done remotely, so it is becoming easier for others to penetrate remotely. In short: more and more is possible, but we must therefore be alert in more and more areas.”
Would you like to know more about securing smart buildings? During the conference 'Digital Building of the Future' on November 15, 2023 at the AFAS Theater in Leusden, Bas Labordus will give a lecture on cybersecurity in smart buildings.