UL highlights dangers of IoT devices and building control systems

UL, the global independent safety science company, has issued a warning to businesses in the Middle East of the dangers posed by increasingly sophisticated cyberattacks that target unsecured internet-accessible devices and building control systems (BCS).

An increasing number of companies are connecting to the Internet of Things (IoT) to run an ever-increasing network of life safety and security products. By doing so, they are leaving themselves open to attack by hackers who can access secure and sensitive systems via a web-connected BCS such as security alarm control panels, access control systems, intrusion detection units, smoke and fire alarm control units, and mass notification systems.

Hamid Syed, vice president and general manager in the Middle East for UL, said, “The increasing use and dependence on devices that are connected to the internet exposes users to sophisticated attacks. Whereas in the recent past these would require on-site access, nowadays they can be launched from anywhere.

“This is a worrying proposition for companies who depend on building control systems and other life safety and security products.

“However, this need not be the price we pay for the ‘always on’ environment we now take for granted in the 21st century. Effective measures, some of which are relatively simple, can protect buildings and companies from attack by cyber criminals and hackers,” said Syed.

“As a global safety science company, UL is ideally placed to offer the most up-to-date systems, procedures, compliance to the prevailing, certification and global market access that can protect a business or a building from a potentially costly cyberattack.”

The UL 2900 series of cybersecurity standards has been developed to address cybersecurity for life safety and security products, providing a foundational set of criteria that manufacturers of network-connectable products can use to establish a baseline of protection against known vulnerabilities, weaknesses and malware.

Louis Chavez, principal engineer for life safety and security products within UL’s Building and Life Safety Technologies division, said, “Introducing proper security measures can help to reduce any vulnerabilities in a company’s cybersecurity network and prevent hackers from using a BCS to remotely disarm security systems, take control of CCTV cameras or access essential fire and smoke alarm systems.

“IoT devices can expose a BCS to attacks that would otherwise require local on-site access. These can emanate from anywhere and can potentially lead to broader systems being compromised.”

Implementing proper security measures and controls can help mitigate the cybersecurity vulnerabilities of web-connected BCS products. These include viewing a building’s system holistically, and not as a series of separate products.

Chavez added, “It is important to analyze and test how products securely communicate with each other once they are connected to the larger system. All devices connected to the internet should be considered at risk, as even the most secure life safety and security products can be hacked if they are sharing an internet connection with less secure devices.”

Another simple way to protect against cyberattack is to change the default passwords set by the manufacturer, such as “1234” or “admin,” before a new product is connected.

Remote connectivity is also an area of vulnerability. The rise in smartphones means many building systems can be controlled remotely. However, if a remote connection is not secure, then such a network is highly susceptible to attack.