Vulnerability in building management systems shines light on cybersecurity for smart cities

By Michael Rothschild, Contributor

The Department of Homeland Security (DHS) recently issued a security advisory regarding a vulnerability in a popular smart building automation system used to control air conditioning, heating, door locks, etc. through a web interface. If exploited, this vulnerability would allow an attacker to gain full access to the system and disrupt building operations. 

In many ways this threat to Building Management System (BMS) software illustrates the security risks associated with Smart City technologies, all of which are connected to and reachable via the internet. 

Cyberattacks on critical infrastructure are becoming increasingly commonplace. In fact, the New York Times recently reported that the US is stepping up online attacks against Russia’s power grid. The adversaries in this new battleground include nation states, terrorists and cyber criminals. Fortunately, many of the same controls that help mitigate negligence, malicious insiders and employee mistakes can also address external threats from hackers and saboteurs.

While Smart City technologies can yield huge benefits when it comes to streamlining processes and reducing operating costs, they can be equally detrimental if security is not considered as part of their deployment and management. 

Consider the following examples of threats posed by external attacks on Smart City technologies:

  • Disabling physical security and monitoring systems would allow anyone access to otherwise secure buildings, public works facilities, and utility infrastructure without the police being notified of the breach.
  • Modifying or tampering with HVAC can cause temperature-sensitive physical processes and infrastructure (e.g. datacenters) to fail.
  • Making changes to traffic control systems can create chaos in cities.
  • Changing water pressure levels can render fire extinguisher and abatement systems inoperable or flood buildings to destroy property.
  • Disabling elevator systems can threaten the safety of occupants in large real estate complexes.

In the DHS advisory, the authors cautioned that an attacker could gain “full system access” to the BMS through an “undocumented backdoor script.” This would allow an attacker to run commands on a vulnerable device with the highest privileges. The advisory also noted that the vulnerability required a “low level” of skill to remotely exploit and could make it possible to “shut down a building with one click.” Extending this attack scenario to Smart City systems would result in impacts on a much larger and more damaging scale.

This development underscores the importance of having robust industrial security controls that can monitor for threats at the network and device level. This has long been the security posture for IT-based systems, yet the same approach has lagged in critical infrastructure, utilities, and new digital building management and Smart City technologies.

Digital transformation is taking hold in every industry, including electricity generation and distribution. One of the byproducts of Smart Grids, Smart Buildings and Smart Cities is the convergence of two once separate environments: IT and operational technology (OT) networks. Since IT tools don’t speak OT, and vice versa, identifying threats that originate in either environment and move laterally between the two requires greater security integration, collaboration and intelligence sharing.

Protecting Smart Cities from security threats that can result in massive disruption of operations, physical damage or worse requires closer cooperation between OT and IT to achieve the requisite levels of visibility, security and control across both infrastructures. Unless we bake cybersecurity into the control fabric for Smart Cities, an incident taking a major metropolitan center offline remains a distinct possibility.

Michael Rothschild is director of product management for industrial security vendor Indegy. He has more than 20 years of experience in IT security with Thales, RSA, SafeNet (now Gemalto), Dell, Juniper Networks and Radware. In his spare time, Michael volunteers as an Emergency Medical Technician.
