The built environment is increasingly becoming smart– the separate pieces of our buildings as well as the people within them are being linked together through the cloud, integrated facility systems, and a constantly evolving tech landscape. The Internet of Things offers more environmentally friendly, human friendly, cost effective spaces that are changing the way we do everything – live, play, work, socialize.
But smart buildings are introducing their own new, critical challenges in security.
Connected lighting, HVAC and other building infrastructure systems controlled via software – we can include our contract furniture systems, as they become increasingly tech-integrated – opens a window for hackers to break into all IT systems being used in that building. Our buildings are getting smarter, but the software systems we use to control and connect our building systems are much the same as they were 50 years ago.
Are the smart spaces architects and interior designers create protected from exterior attacks? What are the security risks we should be preparing for? Does the proper technology needed to do so exist on the market? What should the future of smart building security look like?
We spoke to security expert Ian Eyberg, the CEO of the security systems company NanoVMs.
“The term ‘smart building’ has been around forever, coined in the 1970s,” said Mr. Eyberg. “First, we developed the ability to control HVAC and boiler room systems. Then, we built the technology to control monitors and screens within a space. But now, buildings are adopting massive amounts of technology that is rendering it impossible for our building operating systems to be able to properly manage and secure them.”
The Internet of Things and adjacent technologies are presenting data manageability and security problems.
“We’re creating unbelievable amounts of data,” said Mr. Eyberg. “And in the past, property building managers might contract with someone outside to manage it. But that’s no longer sufficient in protecting ourselves and our data. Now, we’re developing a new way of securing and managing data. A lot of that data is now being gathered and analyzed onsite. Companies are beginning to install racks of servers onsite in order to keep up with the amount of data entering the cloud. And managing the data is a huge pain, but securing it is even worse.”
Mr. Eyberg notes that the design concept driving our legacy systems is inherently flawed, and that has to do with a timing perspective. Linux came out in 1991, just before the concept of virtualization. All of the old operating systems were built around deploying to physical servers; but now, we’re deploying to virtualized servers – the cloud.
In essence, we are trying to manage and secure our virtualized servers using operating systems that were built to manage physical servers – and this reality opens us up to major vulnerabilities.
“Politians often talk about the state of roads and bridges, and the need to rebuild and improve them,” said Mr. Eyberg. “Our operating systems are very similar; they’re crumbling, everyone knows it, and we need to rebuild them. New technologies like machine learning make the attack surface way bigger for hackers.”
NanoVMs offers to clients what is called a unikernel platform – what is likely the future of managing and securing cloud infrastructure. What is a unikernel? NanoVMs defines:
“A unikernel is simply an application that has been boiled down to a small, secure, light-weight virtual machine. The resulting virtual machine image does not contain an operating system like Linux or Windows. There are no users and no shell to login. Since it is one application it prevents other applications from running by design. Unikernels are widely considered to be the next generation of cloud infrastructure for their speed and security.”
Explained another way, by the bimonthly computer magazine ACM Queue in a feature titled, “Unikernels: Rise of the Virtual Library Operating System”:
“A unikernel is a specialized, single address space machine image constructed by using library operating systems. A developer selects, from a modular stack, the minimal set of libraries which correspond to the OS constructs required for their application to run. These libraries are then compiled with the application and configuration code to build sealed, fixed-purpose images (unikernels) which run directly on a hypervisor or hardware without an intervening OS such as Linux or Windows.”
Legacy systems (Linux and Windows) are multiple process systems, but unikernals are single process systems, that do not – cannot – run code that was not intended to run. NanoVMs’ website holds that this infrastructure removes the vast majority of security problems. On a unikernel platform, hacking is rendered near-impossible because it doesn’t have a “shell” – a user interface for access to an operating system’s services, and it also has no actual “users” and therefore, no unintended users (hackers). From the NanoVMs.com:
“Unikernels are single process systems. By design they can *not* run code that was not intended to run…Shell code exploits by definition do not work on unikernels…The shell is at least a 40 year old construct designed in a different time period. Today in Silicon Valley engineers are used to working with tens, hundreds, thousands or even more systems at a time. It’s an antiquated concept that only lends its hands to those who want to do your company harm. There are no shells on unikernel systems – they simply don’t exist. They cannot exist. This is by design.”
In addition to vastly improved security and performance (single process systems have extremely quick boot times as compared to legacy systems), unikernel platforms offer more specialization; because the systems don’t have to communicate with each other, they can be highly customized. This point also presents a drawback to unikernels – running multiple applications side-by-side in unikernel systems presents its own complexity, and also requires regularly rewriting drivers to support updated hardware.”
“The systems a building runs on can be very complex, and even more so in a smart building,” said Mr. Eyberg. “HVAC systems are connected to lighting systems, media surface systems, and systems that count people as they come in or out of the building, to adjust temperature or switch on the lights, for example. All of these systems are connected, and once the attacker is on the network, the entire system is compromised.”
The physical space is clearly one that is more noticeable to humans, and people do a pretty good job of securing their physical space. And we’re beginning to think seriously about our own personal virtual security as well – the continuous and increasingly more ominous data security breaches from companies like Equifax and Facebook have forced the issue out and into the spotlight.
But, how can we shift peoples’ perception of their own virtual security to include a larger, connected, physical-virtual world?
Mr. Eyberg of NanoVMs said, “We’re one of a few companies that are providing this new form of software infrastructure. We’re trying to reduce the attack surface, and trying to secure the buildings at each touchpoint.”
Smart buildings will continue to multiply in the coming years and will continue to present greater security concerns. Our coverage of this important subject will continue in 2019. Stay tuned!