Cyber Security - is Your IoT system vulnerable?

Cyber Security for IoT

With many different IoT systems on the market, each with its own applications and use cases, we are finding that many competitors' systems rely heavily on either a Wi-Fi or Ethernet connection to a building's in-house IT network in order to work at all. However, these systems are often prone to cyber attacks.

So have you asked yourself: is your IoT system vulnerable?

Many IoT providers can only connect to a building's existing IT or BMS backbone via an Ethernet or Wi-Fi connection, because that is the only way their systems work. That makes the IoT system reachable from the same network as everything else, and attackers can use it as a back door into the building's other systems, potentially exposing personnel records, customer records and other sensitive data.

As reported in FMJ magazine, Interserve was recently fined £4.4M over a cyber attack on its systems.

Obviously any IoT business is going to say that its systems are resilient and have been tested, but in reality there are millions of attacks on buildings every year, and often these come through connected systems such as a BMS or a "smart IoT thermostat" similar to Google Nest, which are highly prone to attack.

Lack of High-Level IT Security

Many commercial occupiers, such as banks and financial institutions, have had to beef up their IT infrastructure because they are the targets of many professional hackers, but at substantial cost. The majority, however, still have vulnerable systems. To make matters worse, many of these systems offer a level of control, such as switching equipment on and off, which means they have to be permanently connected.

Since the pandemic, cyber attacks have been rising exponentially. There has been a 62 per cent increase in ransomware globally since 2019, according to the 2021 SonicWall Cyber Threat Report. Without sufficient protection against dangers like this, the very technology being used to improve the workplace experience could actually do significant damage to businesses.

What's the answer?

Firstly, make sure that the IoT system being proposed has been fully tested and that the software platform is a tried and tested one, such as the widely used LoRaWAN standard. LoRaWAN is a global standard used wherever low-power, wide-area coverage is needed, especially when connecting to MEP/HVACR plant.

LoRaWAN Security

Click on the link below to access the LoRaWAN security PDF whitepaper.

lorawan_security_whitepaper (PDF, 447KB)

The following guidance on the security threats posed by connected Building Management and IoT systems during the pandemic was written by the IoT Security Foundation (IoTSF) and the Institute of Workplace and Facilities Management (IWFM), who jointly issued it to help secure Building Management Systems and Internet of Things systems during the Coronavirus crisis.

The impact of the Covid-19 pandemic is being felt right across society, with the primary focus being that of saving lives and maintaining public health. The current emergency has necessitated new ways of working and changes such as:

  • Homeworking, contractor shutdowns or furlough of staff may mean new, inexperienced or possibly unqualified staff being given access to systems to log in remotely to Building Management Systems (BMS) for maintenance, updates or system changes.

  • Changes in staffing arrangements and routines may mean patching of software is delayed or not completed.

  • Reduction or changes in on-site physical security arrangements may allow unauthorised access to server rooms or ICT infrastructure.

These new ways of working and changes add risk and create opportunities for unauthorised exploitation or compromise of facilities and building management systems.

Most buildings have a number of systems which are connected to the internet and are used to control a variety of functions. These range from IP-based CCTV and access control systems, through Building Management Systems controlling heating, ventilation, lighting etc., to fully fledged “Smart Buildings” with sophisticated and fully integrated systems.

Any system, which is connected to the internet, is potentially vulnerable to attack from criminals, hacktivists and in some cases foreign state sponsored actors. Attacks on building systems may allow the attacker to not only take control of building systems, but also to use these systems to breach corporate IT networks to which they may be connected. The IWFM has been working with the IoTSF to produce guidance on managing potential security risks associated with building management systems and other IoT building systems in the current emergency.

The following guidance checklist is aimed at building owners and facilities managers and is intended to assist in securing connected BMS/OT Systems and IoT Devices.


For BMS with remote or Corporate network access for operations or maintenance

  1. Assess the potential cyber security risks and agree, with the building stakeholders (owners, facilities managers, IT /cyber security teams), a mitigation plan and process for continual review/action.

  2. Check/scan for unknown IoT devices that may be connected to your network/systems.

  3. Ensure that any IoT devices are secured behind a firewall/DMZ with appropriate network segmentation deployed.

  4. Change any factory default credentials and ensure passwords are unique per building/account/devices. Enforce password policies (password history, minimum characters & complexity). If you can use 2FA (like an authentication app or SMS code) then do so.

  5. Rename default accounts and disable any unused accounts.

  6. Check that the systems and devices software/firmware are at the latest version as specified by the system/device vendor. Any required updates should be conducted securely.

  7. If possible, offer authorised staff remote access to your BMS via a corporate network VPN, rather than connecting directly from the Internet.

  8. Ensure any staff or third-party contractors with access to the BMS who are working from home follow suitable security guidance such as the UK’s National Cyber Security Centre (NCSC) issued ‘Home working: preparing your organisation and staff’.

  9. Ask your IT/Cyber Security function to monitor attempts to access your BMS system (both unsuccessful and successful) and agree how they can alert you to suspicious activity.

  10. Check that your systems/device suppliers have a Vulnerability Disclosure Policy and how security vulnerabilities will be reported to you if any are discovered.
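As an added example that is not part of the IoTSF/IWFM guidance or the EnviroLogik post, the following Python applies items 5, 7 and 9 of the checklist to a handful of constructed BMS login records: it flags logins by vendor default account names, bursts of failed attempts against one account from one source, and successful logins that did not arrive via the corporate VPN range. The log line format, the default account list and the VPN address range are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from any real BMS product). Assumed format:
# <timestamp> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2021-04-02T08:01:10Z LOGIN_OK user=fm.jones src=10.20.0.15
2021-04-02T08:05:42Z LOGIN_FAIL user=admin src=203.0.113.7
2021-04-02T08:05:44Z LOGIN_FAIL user=admin src=203.0.113.7
2021-04-02T08:05:47Z LOGIN_FAIL user=admin src=203.0.113.7
2021-04-02T08:05:51Z LOGIN_OK user=admin src=203.0.113.7
2021-04-02T09:12:03Z LOGIN_OK user=contractor.hvac src=198.51.100.22
2021-04-02T09:30:00Z LOGIN_FAIL user=fm.jones src=10.20.0.15
"""

# Factory default account names that should have been renamed (checklist item 5); assumed list.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "service", "guest"}
# Address range that reaches the BMS through the corporate VPN (checklist item 7); assumed.
VPN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Failed attempts from one source against one account before it counts as a burst (item 9).
FAIL_THRESHOLD = 3

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (timestamp, result, user, src_ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def review_access(text):
    """Produce the three finding sets a facilities manager would want alerted on."""
    findings = {"default_account_logins": set(), "failure_bursts": set(), "non_vpn_logins": set()}
    fails = Counter()
    for _ts, result, user, src in parse_log(text):
        if result == "LOGIN_FAIL":
            fails[(user, src)] += 1   # count failures per (account, source) pair
            continue
        if user in DEFAULT_ACCOUNTS:  # successful use of a default account name
            findings["default_account_logins"].add((user, src))
        if not any(ipaddress.ip_address(src) in net for net in VPN_NETWORKS):
            findings["non_vpn_logins"].add((user, src))  # reached the BMS outside the VPN
    findings["failure_bursts"] = {key for key, n in fails.items() if n >= FAIL_THRESHOLD}
    return findings
```

On the constructed log, `admin` from 203.0.113.7 appears in all three finding sets, which is exactly the pattern item 9 asks the IT function to alert on: repeated failures followed by a successful login on a default account from outside the VPN.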

When did you last follow the above advice?

The EnviroLogik IoT system, powered by Simpro and operating on the highly secure LoRaWAN platform detailed earlier, does not connect to a building's IT or Wi-Fi network. The system gateway operates over any of the available cellular networks and creates an RF network between itself and its sensors; potentially thousands of sensors can be added to the same network. It is effectively ring-fenced and not affected by breaches of the building's network.

Should our IoT system be required to connect to a BMS, we provide an API so the BMS can pull data from our system into its own. An example is our occupancy and multi-sensing IAQ sensors, whose data allow the BMS to adjust equipment operation when occupancy or indoor air quality (IAQ) changes.

Want to see our Energy Monitoring system in action? Click on the link to access a live site demo, enter the login details shown in the image below, and once logged in click on the highlighted area.

[Image: EnviroLogik Demo Login]
