Smart buildings rely on technologies such as IoT sensors, cloud services and real-time data analytics to offer greater insights and higher efficiencies with quantifiable outcomes. At the same time they face cybersecurity threats primarily due to the inherent vulnerabilities within building control communication protocols.
Identifying security risks
Inherent control communication vulnerabilities are typically exacerbated by poor security practices, such as unchanged default passwords, which pose major risks ranging from compromising sensitive data and tampering with environmental controls to unauthorised access.
Major security risks in smart buildings, in addition to unauthorised access, are data theft/breaches, man-in-the-middle (MtM) attacks, denial of service (DoS), distributed DoS (DDoS) attacks, configuration and legacy vulnerabilities, social engineering attacks, malware attacks, and siegeware and building automation system (BAS) attacks.
A DoS attack makes a network inaccessible to its intended users by overwhelming the target with traffic; in a DDoS attack that traffic is generated by several compromised computer systems at once.
In MtM attacks, the attackers breach, interrupt, or spoof communications between two systems. Attackers can then inject malicious content into the communication or steal sensitive data. Malware encompasses any software designed to cause damage to a server, computer, or computer network, such as Trojan horses, spyware and viruses.
Hardware-based security
Both software- and hardware-based security approaches are used to mitigate smart building security risks. Although software encryption is easy to implement and cost-effective, any security flaw in the operating system can easily compromise the security provided by the encryption code.
Hardware-based security is more effective in protecting against the existing and evolving security risks in smart buildings as the physical layer prevents malware from infiltrating the operating system and reaching the virtualisation layer.
Silicon-based security, including secure storage, attestation, authentication and cryptography, allows vendors to leverage hardware-based functions to secure their services and products. Security capabilities can be designed into silicon by providing a root of trust for those services and functions.
Coupling these safeguards with certification and attestation schemes such as Common Criteria and PSA Certified (platform security architecture) could significantly improve cybersecurity throughout a smart building’s digital environment in a scalable, sustainable and effective way.
The root of trust is a critical building block for creating a trusted execution environment (TEE). A trusted platform module (TPM) is commonly used to provide a hardware root of trust in devices with several components, because of its availability and cost.
The TPM provides the host system with secure key storage and secure cryptographic algorithm implementations in a tamper-resistant separate hardware module. A hardware root of trust can also be achieved using smart card technology. Smart cards are implemented as an IC embedded within a typical credit card form factor.
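As an added illustration of the root-of-trust role described above (not code from the article or from any TPM vendor), the following Python simulation shows how a measured-boot chain in the style of TPM platform configuration registers lets a remote verifier detect a tampered firmware stage; the attestation key, firmware images and nonce are constructed for the example, and HMAC with a shared key stands in for the TPM's attestation key.

```python
import hashlib
import hmac

# Constructed example, not the article's or any vendor's code: a measured-boot
# chain in the style of TPM platform configuration registers (PCRs). Each boot
# stage is hashed and folded into the PCR with the extend operation
# PCR = H(PCR || H(stage)), so the final value depends on every stage and on
# their order. A remote verifier recomputes the expected value and checks it
# against a quote signed by the root of trust. HMAC with a shared key stands
# in for the TPM attestation key, which in real hardware never leaves the chip.

ATTESTATION_KEY = b"constructed-attestation-key"   # assumed, for the simulation

def measure(stage: bytes) -> bytes:
    return hashlib.sha256(stage).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(stages) -> bytes:
    pcr = bytes(32)                     # PCRs are all zeros after reset
    for stage in stages:
        pcr = extend(pcr, measure(stage))
    return pcr

def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Root of trust signs the PCR value together with the verifier's nonce
    so a quote captured from a known-good boot cannot be replayed."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()

def verify_quote(golden_stages, pcr: bytes, nonce: bytes, sig: bytes) -> bool:
    """Verifier side: check the signature, then compare against the golden
    PCR computed from the firmware images it expects on that device."""
    if not hmac.compare_digest(quote(pcr, nonce), sig):
        return False
    return hmac.compare_digest(pcr, measured_boot(golden_stages))

# Constructed firmware images for a BAS controller (stand-ins for real binaries).
GOLDEN = [b"bootloader v1.2", b"kernel 5.10 signed", b"bacnet-gateway 3.4"]
TAMPERED = GOLDEN[:2] + [b"bacnet-gateway 3.4 (unsigned patch)"]

def attest(device_stages, nonce: bytes = b"verifier-nonce-0001") -> bool:
    """Device boots, measures its stages and quotes; the verifier checks."""
    pcr = measured_boot(device_stages)
    return verify_quote(GOLDEN, pcr, nonce, quote(pcr, nonce))

if __name__ == "__main__":
    print("golden device attested:", attest(GOLDEN))      # True
    print("tampered device attested:", attest(TAMPERED))  # False
```

Because the PCR is an ordered hash chain, swapping two stages or altering one byte of any stage changes the final value, which is why a golden reference per firmware release is enough to detect tampering.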
Arm TrustZone is an example of silicon-based security features that enable a root of trust. In Cortex-A-based application processors, TrustZone technology isolates untrusted operating systems and boot code from trusted code, creating a TEE.
This offers a system-wide, efficient approach to security with hardware-enforced isolation built into the CPU and provides a good starting point for establishing a PSA guideline-based device root of trust.
TrustZone provides two execution environments, namely a secure world for running trusted code and a normal one for running general code. This provides a foundation for creating a trusted SoC with any part of the system, including memory, interrupts and peripherals, designed as part of the secure world.
The Rambus RT-600 series root of trust hardware IP cores are delivered as Verilog register-transfer-level (RTL) code, which allows the modular and customisable root of trust to be integrated easily into any FPGA or chip design.
The layered architecture provides hardware design security with the flexibility of software. The memory protection unit cannot be altered by malicious code as it locks at boot time, while the isolated CPU bus and private SRAM ensure control flow integrity and prevent call stack modification.
Preventing cloning
Physically unclonable function (PUF) technology enhances the level of protection offered by hardware-based security against cyberattacks when chips that implement cryptographic functionality are used.
Security is obtained from the variable and complex physical/electrical properties of ICs. It relies on random physical factors that either exist natively or are introduced incidentally during manufacturing, and is thus virtually impossible to clone or duplicate.
The PUF natively generates a digital fingerprint for its associated security IC, which can be used as a unique key to support cryptographic algorithms and services such as authentication, digital signature and encryption/decryption.
ChipDNA embedded security
This is a PUF implementation that operates on the naturally occurring mismatch and random variation in the analogue characteristics of fundamental semiconductor MOSFETs.
The randomness primarily originates from interconnect impedances, device-to-device mismatch in threshold voltage and oxide variation. Additionally, the wafer manufacturing technique introduces randomness through non-uniform/imperfect etching and deposition steps.
In the PUF-based ChipDNA secure authenticators every key exists as an accurate analogue characteristic of the IC, making it resistant to all known invasive capabilities and attacks. Every IC’s distinct ChipDNA-generated key is repeatable over voltage, temperature and IC operating life conditions.
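To make the PUF key flow concrete for both the general PUF description and the ChipDNA passage above, here is an added Python simulation (not ChipDNA or any vendor's code) of enrolment and reconstruction: the chip fingerprint, noise rate, repetition code and seeds are all constructed assumptions.

```python
import hashlib
import random

# Constructed simulation, not ChipDNA or any vendor's implementation, of how a
# noisy PUF fingerprint becomes a repeatable key. Each readout of the chip's
# fixed bit pattern flips a few bits (voltage/temperature noise); a repetition
# code acts as the error-correcting "fuzzy extractor" that removes that noise.

REP = 9                      # each key bit stored 9 times; corrects up to 4 flips
KEY_BITS = 128
RESPONSE_BITS = KEY_BITS * REP

def puf_fingerprint(chip_seed):
    """Stable underlying bias pattern of one chip (constructed from a seed)."""
    rng = random.Random(chip_seed)
    return [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]

def puf_readout(fingerprint, noise_rate, rng):
    """One power-up readout: the fingerprint with each bit flipped at noise_rate."""
    return [b ^ int(rng.random() < noise_rate) for b in fingerprint]

def bits_to_key(bits):
    raw = int("".join(map(str, bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(raw).digest()      # hashing hides residual structure

def enrol(fingerprint, key_seed):
    """One-time step: draw a random key, expand it into a codeword and store
    helper = fingerprint XOR codeword in plain NVM (safe if PUF bits are uniform)."""
    rng = random.Random(key_seed)
    key_bits = [rng.randint(0, 1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in key_bits for _ in range(REP)]
    helper = [f ^ c for f, c in zip(fingerprint, codeword)]
    return helper, bits_to_key(key_bits)

def reconstruct(readout, helper):
    """Every power-up: XOR a fresh noisy readout with the helper data, then
    majority-decode each group of REP bits to recover the key bits."""
    noisy_codeword = [r ^ h for r, h in zip(readout, helper)]
    key_bits = [int(sum(noisy_codeword[i:i + REP]) > REP // 2)
                for i in range(0, RESPONSE_BITS, REP)]
    return bits_to_key(key_bits)

def demo(noise_rate=0.02):
    rng = random.Random(2024)
    chip = puf_fingerprint(chip_seed=1)
    helper, enrolled = enrol(chip, key_seed=77)
    same = reconstruct(puf_readout(chip, noise_rate, rng), helper) == enrolled
    # A different die has its own fingerprint, so the same helper data fails.
    other = reconstruct(puf_readout(puf_fingerprint(2), noise_rate, rng), helper)
    return same, other == enrolled
```

The helper data can sit in ordinary flash because, with a uniformly random fingerprint, it reveals nothing about the key; the key itself is never stored and exists only transiently after reconstruction, which is the property the text describes as the key "existing as an analogue characteristic of the IC".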
Network protocols
In smart buildings the major protocols, such as LonWorks, Konnex (KNX) and building automation and control network (BACnet), were not initially conceived with cybersecurity risks in mind because these networks were traditionally isolated. As a result, several protocols lack basic security mechanisms, and retrofitting them into protocols that are already deployed and in use presents numerous financial and technical problems.
For example, the BACnet protocol was developed without any authentication mechanism, meaning internet-facing BACnet devices can be easily compromised. Similarly, simple sniffing techniques can fully compromise KNX networks, as KNX nodes authenticate commands using a clear-text password sent over the network.
Security has been significantly improved in the newest versions of these protocols. BACnet Secure Connect (BACnet/SC), for example, allows two BAS devices to establish an encrypted, secure connection over which conventional BACnet messages can be sent and received.
BACnet/SC uses transport layer security and WebSockets to implement reliable connection-oriented communication, message encryption and peer authentication between BACnet/SC devices. This protocol can be implemented on any IPv6 or IPv4 network.
KNX IoT is an extension of KNX technology, allowing KNX devices to communicate with cloud-based services and IoT devices. It has been designed to be backwards-compatible and interoperable to ensure that new IoT devices can operate with existing KNX installations.
The Thread Group recently unveiled the Thread 1.4 specification. Thread is an IPv6-based 2.4GHz wireless mesh networking technology for connected products in buildings. The new specification addresses critical areas such as security credentials management, network diagnostics and infrastructure-network integration.
Energy and space
Although IoT devices have a small energy budget and are resource-constrained, security approaches often introduce a high energy overhead.
Security and energy constraints vary with the data: a high level of security is necessary when encrypting sensitive data, whereas other data, such as routine sensor measurements, require less.
Security measures also increase latency and overhead, which can lower processing efficiency. TPMs, for example, require additional space in a device.
A dynamic trade-off between security, performance and power consumption is therefore necessary. Adaptive masking, that is, tuning the protection level dynamically, can optimise both the security and the energy consumption of encryption.