Exacerbating the situation is the fact that many of the communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, said Jim Sinopoli, managing principal at Smart Buildings LLC.
Device manufacturers have adopted these protocols for product compatibility and interoperability purposes, Sinopoli said. However, the openness and transparency also increase the vulnerability of building automation networks.
"None of these systems are isolated any longer," Sinopoli said. A security breach in one system could have a cascading effect on multiple building automation systems and networks, he said.
The threat is not only about someone penetrating a building system to cause serious disruptions. There is also a potential impact on IT, such as a loss of communications due to a building system outage or unauthorized access to enterprise data because of poor segmentation between the building automation network and the IT network.
"The penetration of IT into building systems is an issue that is front and center," at a growing number of companies, Sinopoli said.
As buildings have become smarter, vendors of consumer devices have begun entering the space, said Rolf von Roessing, president of German security consulting company Forta AG and a member of ISACA's Professional Influence and Advocacy Committee. ISACA is a trade group focused on IT governance issues, with 128,000 members.
"Building automation, including critical functionality, is now readily available through web shops and hardware or electronics stores. While professional solutions usually feature in-built security and protection against hacking, consumer offerings are less well protected," von Roessing said.
In terms of preparation, IT practitioners should extend their information security and cybersecurity management processes to cover buildings and building management systems, he said.
"In many cases, these will be controlled through a Windows-based or compatible interface, using standard PC equipment and network connectivity via standard IP," von Roessing said. "Where remote control is a known or desired feature, security practitioners should look long and hard at mobile devices, the remote control apps and underlying processes. If and where critical building functionality can be controlled and manipulated from an unprotected mobile device, there is a significant risk of breaches," he said.
For a growing number of companies, the issue is already upon them, said John Pescatore, director of emerging security trends at SANS.
In a SANS survey on the security of the Internet of Things, smart buildings and industrial control systems were the second most frequently cited near-term concern behind consumer devices, Pescatore said.
Often, IT has little idea of the sheer scope of the issue, Pescatore said. He gave the example of one university's chief information security officer at a recent SANS conference who ran a security scan of a new building on the campus. "In a single six-story building, he found nearly 1,500 sensors," in elevators, doors, camera systems, lighting and heating systems and elsewhere, Pescatore said.