Securing Smart Buildings
Building management with a tablet computer: In modern office buildings, HVAC, lights, doors, and more can be controlled via the Internet. That brings gains in efficiency, but it holds risks, as well. (© Fraunhofer FKIE)

BONN, Germany — A growing number of household and building operations can be managed via the Internet. Today’s smart homes and smart buildings promise convenient, efficient building management. But often these systems are not secure. Scientists are working on a software product that defends against hacker attacks before they reach the building.

Botnet, a term from the world of computers, is gradually tiptoeing its way into the world of building automation. You have to anticipate this kind of attack scenario, according to Dr. Steffen Wendzel of the Fraunhofer Institute for Communications, Information Processing and Ergonomics FKIE in Bonn, Germany. This researcher from the Cyber Defense department is an expert in hacker methods and, working jointly with Viviane Zwanger and Dr. Michael Meier, meticulously examines them.

Attackers infiltrate multiple computers — bots (from the word robots) — without their owners’ knowledge, weave the computers together into nets, and misuse them for computer attacks. The researchers studied potential attacks by botnets on smart homes and buildings using Internet-linked building systems. The finding: The threat is absolutely real. Internet-controlled HVAC, lighting systems, and other linked products could all be used for these kinds of attacks.

“Our experiments in the laboratory revealed that the typical building is not adequately protected against Internet-based attacks. Their network components could be hijacked for use in botnets,” Wendzel said. In the process, the hackers do not have to seek out computers as in the past; instead, they look for the components in building automation that link the buildings with the Internet. These are small boxes installed in the building that look and work like routers for home computers. “However, they are configured quite simply, can only be upgraded with some difficulty, and are loaded with security gaps,” explained Wendzel.

To ensure that HVAC, lighting, and other systems can be controlled via the Internet, it is necessary to install sensors that measure such things as temperature, humidity, or occupancy and are incorporated into networks. “Keeping them up to the latest standards is expensive,” Wendzel said. At FKIE, the team has developed security software that can easily be placed between the Internet and the building IT. The technology filters out potential attacks from communications protocols even before they reach the four walls of the actual brick-and-mortar home or office building — no matter what technologies are being used within the building. With this approach, the components do not have to be replaced.

The researchers additionally examined the conventional communications standards of building automation, and building upon these, they have developed rules for data traffic. If arriving data do not adhere to these rules, then the communications flow is modified. “The software operates like a firewall with normalization components,” said Wendzel. All the results that are sent on their way to the systems are tested for plausibility by an “analyzer.” If the alarm goes off, then the incident is immediately dispatched to the “normalizer.” This either blocks the incident in its entirety or modifies it accordingly.

The basic research has been concluded successfully. “In the next stage, we want to make the technology production-ready with an industrial firm. In no later than two years, there should be a product on the market,” stated Wendzel.

For more information, visit www.fkie.fraunhofer.de/en.html.

Publication date: 10/6/2014
