CISM, CTO & CISO, Virtually Informed

September 1, 2020


Lithium-Ion batteries. A guide to the fire risk that isn’t going away but can be managed

IoT Security

Why we need to pay attention to attacks on the smart built environment

Are attacks on IoT physical security devices real or just theoretical? Should we be worried or ignore the hype? Sarb Sembhi explains why professionals need to be aware of the real-life examples in an effort to guard against future attacks on their own businesses.

List of attacks to smart built environments

I’ve been compiling a list of attacks related to smart built environments for upcoming guidance which will be available through the IoT Security Foundation. My aim is to use this list in the introduction, to ensure readers would fully understand that these attacks are real and that they should not only pay attention, but actually do something about them – covered in the rest of the guidance.

As I was researching the attacks, I was reminded of similar work I had done a few years earlier, which was related to attacks on mobile phones. At that time, there was a view (and I don’t think it has changed much) that users don’t need to bother with such attacks, as such things were rare. A report from the anti-malware vendor McAfee recently disclosed that new mobile malware had increased 71% during Q1 in 2020 compared to the previous quarter, primarily due to trojans. Also, that total mobile malware grew nearly 12% over the previous four quarters.


Even now, recent research has shown that most users still do not use any mobile anti-malware on mobile devices.

The same McAfee report states that new IoT malware grew by over 700,00 in the first quarter of 2020. This is very interesting as it shows that IoT devices are growing in interest to a point that attackers are increasing the malware targeted specifically at IoT Devices.

Growth of IoT malware – are they real?

I know that some will say that evidence of malware is not the same as actual attacks on IoT devices, and that there aren’t enough examples of actual attacks, there is only circumstantial evidence of possible attacks. For this reason, I created three lists of evidence:

  1. Actual real attacks
  2. Evidence of attack or compromise as recorded by vendors collating evidence on their service infrastructures of attacks to smart building devices and systems
  3. A list of attacks on corporate systems which use the same underlying technologies as IoT devices and smart building systems – the assumption being that if the technology is the same then it’s irrelevant that the attack is on an IoT device or not, since they can both be compromised using the same vulnerabilities.

While I tried not to give greater preference to any single list over the other, I did decide to reduce the third list of attacks to related technologies down to two examples. This is an important set of attacks and examples because these do not differentiate IoT from other devices, just the underlying related technologies – if they use the same technology, and it has an exploitable vulnerability the device or app is irrelevant. I needed to ask the question “how many examples is enough to illustrate a point?”

Ultimately, I didn’t want to create a list that would cause fatigue or complacency in a way that may lead a reader to think that it would be a futile to attempt to secure their devices and systems – which would have the opposite effect to the one intended.

FUD is not helpful for creating action

The challenge in compiling these three lists started with being able to provide enough evidence to show that there are a wide range of attacks, while avoiding creating uncertainty and doubt which may lead to inaction or inactivity.

Cyber security professionals have often been criticised for creating Fear, Uncertainty and Doubt, known as FUD, and many of us have fought against attempts by other professionals, writers and journalists who try to do so. But here I was, in a position where I felt in danger of overkilling a risk, whilst in the process of trying to create an interest in exploring and responding to it.

In reality, the challenge is much wider. What evidence do physical security, cyber security, risk, building owners, manufacturers, installers and integrators, facilities staff and the boards responsible for all of these professional teams need to see to ensure that they take all the risks that smart buildings technologies may be exposing them to?

READ: “If it ain’t secure, it ain’t smart” – why today’s devices aren’t truly ‘smart’

Unlike personal mobile security, or information security, the number of professionals and different key stakeholders who all need to play their part is much greater, with a high degree of interdependencies. These dependencies cannot be underestimated, because in some organisations (where there is little or no security governance) it is all too easy for different teams to point the finger at others for things that go wrong, while simultaneously ensuring that no one else is able to impact their little empire.

Every one of these professionals not only have biases around risk from their profession, but also from their industry and personal experiences too. So, how does one explain – using past attacks as evidence of risk – the likelihood of possible future attacks to a wide audience of professionals who have only the existence of a smart building in common? It is the building that brings all stakeholders together. Yet, they are all relying on the security credentials of the building. When any one team does not understand the risks in the same way that others do, there are likely to be problems.

Other approaches to grouping attack evidence

My approach had been to try to convincingly illustrate the risks using three groups of evidence, but I could very easily have taken other approaches. Listed below are some of the other approaches, as well as an explanation of why I ignored them:

  • Group evidence by each of the key stakeholders – this would enable each of them to see what their colleagues in the industry had previously got wrong. However, using this approach could possibly have embarrassed the company which had the incident, and perhaps alienate them and others. At a time when we were trying to encourage everyone to work together and take their own responsibilities for working with others, we may have ended up encouraging ‘finger pointing’ rather than cooperative working.
  • Group evidence by the mistakes that were made – this would enable each stakeholder to see what the human cause of the attack to the smart building was. Again, using this approach could have had a similar result to above, but also made people focus on certain mistakes, rather than to understand the wider risk aspects of what didn’t go right.
  • Group evidence by individual technologies – this could highlight that there are certain technologies that should be avoided. Using this approach could result in a focus of individual technologies as being vulnerable, rather than to assume that all technologies may be proven to be vulnerable eventually.

However, as interesting as all this is, in terms of what will convince physical security professionals that cyber attacks to physical infrastructures are more regular than first assumed, something a little more obvious is needed. If one looks at the maturity of attacking tools criminals use and the stages they go through, there are similarities that can be observed in the attacks to PCs and mobiles, which one could assume about will be similar to the IoT device attacks that are to come.

This is probably a better way to look at future attacks to IoT devices and smart buildings, but the challenge is that many senior professions don’t bother looking at what is coming – they want proof of what has happened that they need to worry about. They often want analysts to tell them what their colleagues are worrying about, rather than what they should be preparing for tomorrow. The belief seems to be that someone from the board might ask, “what are we doing about X” that they have read in an analyst report.

Growth in sophisticated attack tools

Coming back to what attacks we might expect to see to IoT devices and smart buildings, based on current attack tools research, I would include the following:

  • A report from McAfee found that new IoT Malware grew by over 70,000 in a single quarter, compared to over 1.4m new mobile malware and over 1.2b overall malware. Malware on IoT is growing faster every quarter. As the growth in IoT malware catches up with that of mobile or other types, if systems are not yet currently able to stop this malware, waiting for a few years to respond may be too late.
  • Research by Kaspersky found that the North Korean Government has aggressively deployed a malware framework which is capable of deploying more than 15 malware components. Foreign governments are just one of several attackers and once their tools become available on the open market, they often create the scene for far more malicious tools to be created with greater levels of sophistication.
  • A report by FireEye found that industrial control system hacking tools have been created vendor agnostic to be able to target some of the largest manufacturers. There is little difference in some industrial control systems and smart building systems. The sophistication in attack tools has been there for several years.

These are just three of many recent examples (in the last month) of the growth in attack tools and malware. If a rational person can be persuaded to accept that what has been happening with attack tools on PC, mobiles and other devices is the same way that such tools will develop further for smart building devices and systems, then why won’t physical security professionals accept the same?

IoT attack tools get highly sophisticated functionality in less time

It is not important that anyone believes that there are mass attacks to IoT systems right now – that makes a difference, but only little difference. But more importantly, if we observe past trends of attack tools, each iteration has seen a shorter period between malware created for fun or experimentation to full blown sophisticated tools. This basically means that attack tools capable of breaking into and bringing down IoT devices and systems will take a shorter time period than it did for all the other groups of devices and systems that came before them.

However rational this may seem to me or those involved in the cyber security profession, others still want to see proof that it is happening right now and what the damage is. In some cases, attackers will evade detection to maintain control for longer. The obvious and less obvious proof is out there, you only need to look for it.

What proof or evidence do you or your organisation need before you include such risk into your forward plan?

Keep up with the access control market

The physical access control market is moving fast. Find out where you stand with the latest edition of IFSEC Insider's comprehensive 2022 State of Physical Access Control trend report, covering all the latest developments within the market. We assess the current technology in use, upgrade plans and challenges, and major trends on the horizon after receiving the views of over 1000 security, facilities and IT professionals.

Get your copy for free today.

Related Topics

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
September 10, 2020 5:44 pm

I’d be very interested in seeing your list if possible. Is it available?