Smart buildings contain dozens, sometimes hundreds, of internet-connected devices with weak built-in security controls — a threat actor’s ideal target if there ever was one. Despite information technology (IT) teams’ best efforts to secure endpoints and entry points, internet-of-things (IoT) attacks are growing more frequent. Can simulations strengthen their defenses?
Experts expect the smart building market will steadily grow in the coming years, anticipating an average compound annual growth rate (CAGR) of 17.44% through 2025. Its penetration rate and overall market value will progressively increase, prompting companies to rush implementation to maximize their return on investment — likely accelerating attack frequency.
Currently, the thorough integration of these technologies into critical building services makes it easier to tamper with security and safety systems, fueling cyberattacks. Disabling smoke alarms or surveillance networks creates panic and urgency, prompting companies to give in to attackers’ demands without attempting recovery.
Even when attackers target non-essential systems, the results can still be destructive or disruptive. For example, disabling motion-activated lighting could force staff to manually flip central circuit breakers whenever they need to turn on lights. Although interconnected tools offer incomparable efficiency and convenience, significant security weaknesses exist.
As building owners incorporate more IoT devices and sensors — and add new integrations to control or monitor them — their vulnerability level increases. The number of IoT attacks reached 10.54 million in the fourth quarter of 2022, an increase of roughly 4.5 million year-over-year. All indicators suggest this figure will only worsen in the coming years.
While hackers will exploit any vulnerability and test any entry point if they think it could result in a payout, their most common smart building targets include IoT technology, building automation systems (BASs) and unsecured networks.
IoT Devices
As most IT professionals know, these devices are exceedingly vulnerable because they lack basic built-in security features despite their constant internet connection. Attackers increasingly seek to brick them, demanding payment in exchange for restoring functionality. In 2022, 84% of IoT cybersecurity incidents involved denial-of-service (DoS) attacks, making them the leading attack type.
Once attackers access an IoT sensor or device, they can move laterally through employees’ workstations to disrupt the standard functioning of programmable logic controllers, infecting connected automation technology. Unless IT professionals leverage network segmentation, firewalls and access controls, their internet-connected ecosystem remains high-risk.
Unsecured Networks
Many smart buildings have inadequately secured networks, exposing them to man-in-the-middle and DoS attacks. If companies transmit data this way, attackers can access their IoT controller boxes through an external connection. In other words, they have dozens — potentially hundreds — of internet-facing entry points. Every device they add to their tech stack expands their attack surface, further exposing them to cyberthreats.
Building Automation Systems
A BAS is a computer networking tool that provides a single interface for operators to monitor and control interconnected technologies. Bad actors frequently target them since they’re fundamental to many digital ecosystems. In 2019, they attacked 37.8% of the computers controlling these systems, intending to destroy them.
Older models operating on legacy versions of communication protocols, such as building automation and control network (BACnet) affected by CVE-2019-12480, a segmentation fault, have inadequate built-in security measures, making them vulnerable to corruption, tampering and injection. Businesses using them risk DoS attacks at the application layer protocol data unit level, rendering their systems unable to communicate with other controllers or the supervisory mechanism.
Despite IT professionals’ best efforts, many smart buildings remain vulnerable to cyberattacks. Even if they heavily fortify one aspect of their digital ecosystem, a single misconfigured integration, flaw in communication protocols or network vulnerability enables lateral movement, allowing attackers to target control systems and cause extensive damage or disruptions. If their incident response plans are insufficient, they risk long-term losses.
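The lateral-movement risk described above, and the effect of network segmentation on it, can be checked on a model before any live exercise. The following is an added example, not part of the original article: it runs a breadth-first search over a constructed device inventory and zone-to-zone firewall policy (every device name, zone and rule is an assumption, and every reachable device is treated as a possible stepping stone) to list which entry points can reach a control system.

```python
from collections import deque

# Constructed inventory (illustrative names): device -> (network zone, role).
ASSETS = {
    "lobby-camera":   ("iot", "entry"),        # internet-facing IoT device
    "hvac-sensor":    ("iot", "entry"),
    "guest-wifi-ap":  ("guest", "entry"),
    "fm-workstation": ("office", "pivot"),     # employee workstation
    "bas-server":     ("control", "critical"), # building automation system
    "plc-lighting":   ("control", "critical"), # programmable logic controller
}
ZONES = {zone for zone, _ in ASSETS.values()}

# Policy: source zone -> zones it may open connections to (assumed rules).
FLAT = {zone: set(ZONES) for zone in ZONES}
SEGMENTED = {"iot": {"iot"}, "guest": set(),
             "office": {"office", "control"}, "control": {"control", "iot"}}
# One integration added later lets IoT devices talk to office workstations.
MISCONFIGURED = {**SEGMENTED, "iot": {"iot", "office"}}

def exposed_paths(assets, policy):
    """Map each entry device to its shortest allowed path to a critical asset."""
    found = {}
    for start, (_, role) in assets.items():
        if role != "entry":
            continue
        queue, seen = deque([[start]]), {start}
        while queue:                      # breadth-first search over allowed flows
            path = queue.popleft()
            zone, node_role = assets[path[-1]]
            if node_role == "critical":
                found[start] = path
                break
            for nxt, (nxt_zone, _) in assets.items():
                if nxt not in seen and nxt_zone in policy.get(zone, set()):
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED),
                         ("misconfigured", MISCONFIGURED)):
        paths = exposed_paths(ASSETS, policy)
        print(f"{name}: {len(paths)} entry point(s) reach a control system")
        for path in paths.values():
            print("   " + " -> ".join(path))
```

In this model the segmented policy leaves no path from any entry point, while the single added IoT-to-office rule restores a route through the workstation to the BAS server.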
In 2021, a German firm experienced this scenario firsthand after attackers misused a stolen digital security key to lock them out of their BAS. The threat actors bricked 75% of their devices, including lighting, window shutters and motion detectors, forcing them to revert to manual methods or go without until they recovered.
In addition to damaging companies’ reputations and impacting staff productivity, cyberattacks can trigger unintended device behavior. Bad actors can remotely trigger smoke alarms, disable elevators, override thermostat set points, deactivate surveillance systems or strain components — causing equipment damage, discomfort, energy waste and safety hazards.
In most cases, organizations suffer substantial financial losses due to unexpected downtime or system damage. Cyberattack-induced information exfiltration, encryption or interception can provoke regulatory action and public backlash, generating further losses. In 2022, a single data breach cost organizations an average of $4.35 million — a debilitating sum for many small and medium-sized businesses.
Simulations are as close as IT teams can get to experiencing real-world cyberattacks without causing lasting damage to their equipment or discomfort to staff. They can passively run these risk-free experiments to expose buildings’ security flaws and weaknesses while actively prioritizing critical alerts, patching vulnerabilities and addressing support tickets.
Outside of being a safe security posture testing method, simulations are also highly effective. They provide a dynamic, comprehensive overview of smart devices and control systems while offering insight into the potential severity and impact of relevant cyberthreats, enabling IT professionals, operators and staff to respond effectively to cybersecurity incidents.
For example, one study showed that phishing success rates decreased as simulation frequency increased. The average person’s phish-prone percentage fell to 1.79% with weekly sessions — a sharp decline from the 30% that untested individuals scored. Moreover, while those who attended quarterly sessions only improved by 35%, weekly attendees had a 96% improvement rate — meaning they were 2.74 times less likely to fall for social engineering attacks.
IT professionals should conduct simulations when integrating a new tool or identifying an emerging threat. Outside of those scenarios, they should also consider periodically simulating cyberattacks as an essential aspect of their roles. Making it a standard job duty ensures results stay relevant and incident response plans remain appropriate.
While many simulation technologies exist, IT professionals should primarily consider leveraging artificial intelligence (AI), red teaming, cyber ranges or purple teaming to imitate real-world smart building cyberattacks in risk-free environments.
Red Team Exercises
Red teaming reflects real-world conditions and leverages experienced white-hat hackers, effectively simulating bad actors’ tactics during a realistic attack on systems, networks or infrastructure. Utilizing third parties like these is beneficial since IT teams often overlook security weaknesses because of their proximity to them.
Deep Reinforcement Learning
IT professionals can leverage deep reinforcement learning, where they reward an algorithm for exhibiting desired behaviors to rapidly improve its accuracy and efficacy. Whether they use it to craft synthetic data sets or simulate environments, the algorithm evolves with each cyberattack scenario to better respond to changing cyberthreats or building needs.
Notably, selecting the appropriate AI is critical, as its unique strengths and weaknesses affect its usefulness on a case-by-case basis. While research indicates actor-critic algorithms (a combination of value- and policy-based methods) outperform others in accuracy and efficiency, a deep Q-network model initially learns at an accelerated pace.
Cyber Ranges
A cyber range includes a range learning management system (RLMS), an orchestration layer, underlying infrastructure, virtualization and target infrastructure. Companies can tailor its characteristics to meet building-specific needs, making it an effective tool for simulating cyberattacks.
Purple Team Exercises
While red team exercises alone are adequate, purple teaming enhances logging, accelerates testing and ensures professionals don’t overlook security weaknesses. When red and blue teams share knowledge and feedback, they align their tactics and procedures. This approach is particularly useful for IT professionals who want direct involvement in the simulation.
Smart building owners and operators who are considering cyberattack simulations should review these considerations to ensure their results are accurate and relevant enough to act on.
1. Inventory All Assets
IT teams must inventory all physical, digital and information assets to determine what their simulation should cover. While a comprehensive session is the most accurate, it’s also the most time-consuming and costly. Categorization enables risk assessments, allowing professionals to prioritize specific systems, networks, data or devices.
2. Identify Indicators of Compromise
Indicators of compromise can help IT professionals determine which cyberthreats are relevant. While they can technically inform themselves using industry data, building-specific insights are only available through internal identification and analysis. This approach helps them identify which cyberattacks to simulate.
3. Consider Physical Security
Building operators shouldn’t only consider cybersecurity during simulations, as physical threats may pose significant risks. For example, you can consider a scenario where attackers remotely brick an IoT surveillance system and door alarms to allow others — likely a malicious insider — to physically infiltrate a secured area. As unlikely as it may seem, it has a non-zero chance of occurring.
4. Consider the Human Factor
IT teams should factor the human element into their simulations to maximize accuracy. Considering research shows human error is responsible for 95% of cybersecurity incidents, excluding it would likely skew results, making them much less realistic — or even worthless. Currently, AI is an ideal tool for emulating employees’ behavior in simulated environments.
IT professionals could spend their entire workweek patching, implementing new security tools and monitoring logs. However, unless they know what threats to look for, what a realistic cyberattack would look like and which assets are the most vulnerable, their efforts might amount to nothing. Simulations strengthen their incident response and recovery by offering unique insights into these factors, safeguarding smart buildings against bad actors.