Framework to assess cyber security maturity of smart buildings MSc Internship CyberSecurity Siddhant Student ID: x18203884 School of Computing National College of Ireland Supervisor: Mr Vikas Sahni


National College of Ireland Project Submission Sheet

School of Computing

Student Name: Siddhant

Student ID: x18203884

Programme: CyberSecurity

Year: 2020

Module: MSc Internship

Supervisor: Mr Vikas Sahni

Submission Due Date: 07/09/2020

Project Title: Framework to assess cyber security maturity of smart buildings

Word Count: 886

Page Count: 7

I hereby certify that the information contained in this (my submission) is information pertaining to research I conducted for this project. All information other than my own contribution will be fully referenced and listed in the relevant bibliography section at the rear of the project.

ALL internet material must be referenced in the bibliography section. Students are required to use the Referencing Standard specified in the report template. To use other author's written or electronic work is illegal (plagiarism) and may result in disciplinary action.

I agree to an electronic copy of my thesis being made publicly available on NORMA the National College of Ireland's Institutional Repository for consultation.

Signature: Siddhant

Date: 6th September 2020

PLEASE READ THE FOLLOWING INSTRUCTIONS AND CHECKLIST:

Attach a completed copy of this sheet to each project (including multiple copies).

Attach a Moodle submission receipt of the online project submission, to each project (including multiple copies).

You must ensure that you retain a HARD COPY of the project, both for your own reference and in case a project is lost or mislaid. It is not sufficient to keep a copy on computer.

Assignments that are submitted to the Programme Coordinator office must be placed into the assignment box located outside the office.


1 Potential smart building attacks

Denial of service attack: A denial of service attack is used to shut down the targeted machine or network by flooding the server with junk requests [1]. For example, if the air conditioning of the data server room in a smart building stops working, then the organization can face a huge loss, and this can also lead to a DDoS attack. Or, if the server faces a lot of requests at the same time, it will be busy with junk requests and cannot serve the original users, which can also impact the reputation of the organization by restricting user access to resources.

Table 1 shows a matrix for checking the cyber maturity of smart buildings. It describes the impact areas of smart buildings, possible breach incidents, cyber defence components, and preventative aspects.

Table 1: Matrix for checking cyber maturity of smart buildings

| Impact areas | Cyber breach incidents | Cyber defence components | Preventative aspects |
|---|---|---|---|
| Users | Failure in systems | Identity validation | Access to fire system (false alarm to evacuate building) |
| Third party remote access | Nuisance techniques to life threatening damage | Security for end point devices | Access to security system (unauthorized access) |
| Physical access to apps, networks and connected devices | Malicious software and virus infections | Network security | Access to communication network |
| Integration platforms | Attack by unauthorized outsider or fraud by staff | Data security | Access to utility-installed device |
| Communication gateway | Unintentional damage by third party access because their infrastructure got compromised | Multi layer security | Hijack BAS for ransomware |

Improper access control: Improper access control can lead to very dangerous attacks, because if access is not granted properly then any person can access anything, which may lead to exposure of sensitive information.

Intrusion detection and prevention: Intrusion detection is the process of monitoring for malicious signs inside the network in order to predict incidents [2]. Intrusion prevention is used to stop the potential threats found by analyzing the network. So if the intrusion detection and prevention system is compromised, then anyone can hack into the smart building and compromise its systems and information.

Weak encryption: If a smart building uses weak encryption, then anyone can carry out a man-in-the-middle attack on data in transit and decrypt the information because the encryption technique is weak, which will lead to exposure of sensitive information and can also damage the reputation of the organization.

2 Matrix for checking smartness of smart buildings

Here is a matrix that checks the smartness of a smart building by looking at which components are present in the building and what impact each component has on the building in terms of smartness as well as security. The impact of each component is rated at one of three levels: low, medium or high.

Table 2: Matrix for checking smartness of smart buildings

| Smart components | Impact level on smartness | Security impact |
|---|---|---|
| Fire detection devices | High (Fire detection deals with human life) | High (False alarm can evacuate whole building and attackers can attack in that specific time) |
| CCTV | High (It can help in backtracking) | High (If CCTV is compromised then attacker can monitor all your activities and it will be difficult to backtrack) |
| Access control | High (Only allows authentic persons) | High (Attacker can easily get into your infrastructure if access control gets compromised) |
| Command and control system | Medium (System transforms actionable data into real time) | Medium (False public announcement can be made if system is compromised) |
| Lighting control systems | High (Helps to save energy) | Low (Impact is low because lighting can impact the work at night only, and that for a few minutes only) |
| Elevator | Low (Fast mode of travelling between different floors inside building) | Low |
| Boiler | Low (Helps to increase the temperature of water) | Low |
| Databases | High (Helps to maintain the data of an organization in a systematic way) | High (Data is the main asset for every organization because it includes all the information about the organization) |
| Generator | High (Backup device for providing energy to an organization) | High (Organization can go under DDoS attack if energy supply is cut down and generator also stops working) |
| Heating, Ventilation, Air conditioning (HVAC) | High (Helps in maintaining temperature of an organization) | High (If air conditioning of data server room stops working then organization can face huge loss and can also lead to DDoS attack) |
| Network monitoring devices | High (Helps in monitoring different activities) | High (Looks for malicious activities in an organisation and sounds an alarm if anything is suspicious) |

3 Smart buildings survey

The survey was filled in by industry specialists who are currently working in smart building security in Ireland. In addition, the survey suggestions give a real-world flavour to this thesis through the industry specialists' inputs.

Here are some graphs from the survey filled in by industry specialists in smart building security.

Figure 1: Smart buildings considerations survey


Figure 2: Smart buildings threats survey

Figure 3: Smart buildings mitigations survey


Figure 4: Smart buildings potential surveys

The bar graphs describe what respondents consider to be smart buildings, the threats to smart buildings, the mitigation of those threats, and potential features for future smart buildings.


4 Internship Task Report


References

[1] N. Komninos, E. Philippou, and A. Pitsillides, "Survey in smart grid and smart home security: Issues, challenges and countermeasures," IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 1933–1954, 2014.

[2] E. Bajramovic, K. Waedt, A. Ciriello, and D. Gupta, "Forensic readiness of smart buildings: Preconditions for subsequent cybersecurity tests," in 2016 IEEE International Smart Cities Conference (ISC2), 2016, pp. 1–6.
