With end-to-end IoT solutions and services,
we are the people powering IoT.

Blog Post

What can the spate of retail data breaches in security teach us about smart buildings?

by Felix Chuang

A lot has been made about the transformational effects that M2M and the Internet-of-Things can bring to security_breachbuilding management, to engender “smarter” buildings. A lot has also been made about the trend of compromised consumer data at several big retailers – PF Chang's, Target, Neiman-Marcus and Michael’s as the most notable examples.

What, exactly, does the former have to do with the latter? More than you’d think.

Indeed, the built environment is one of the most promising growth sectors for M2M, proving its value far beyond interior climate control. A recent survey shows that the majority of building planners intend to integrate operational areas such as lighting, HVAC and security systems into a common connected platform, which would give facility engineers better visibility into everything from lighting management to fire alarms, water sprinklers and surveillance systems and, in turn, allow them to become far more effective at keeping these buildings at peak efficiency. The transformational effects come in the form of optimized energy consumption, safety conditions and workforce productivity at once.

The secret sauce, so to speak, is that M2M sensors get deployed to collect ongoing data about a building’s operating conditions and will send it in real-time to an external analytics system, where processes can then be automated or packaged into actionable advice for the facility manager. This also happens to be right where the data breach considerations come into play.

In all three of the recent high-profile cases, attackers were apparently able to plant malware on point-of-sale (PoS) systems as a means to gather credit card information from unsuspecting shoppers while they made their purchases. Our interest here lies in how the bad guys managed access to these POS devices, short of sneaking in under cover of darkness to corrupt the credit card machines. In the case of Target, the smoking gun was in fact the intelligent, interconnected building management systems in place at the individual store level. Hackers gained login credentials belonging to Target’s HVAC services contractor and used that access to cross over into the company's payment systems.

To us, the big question here is “How and why did the HVAC network controls have reason to interact with the POS network controls in the first place?” With that in mind, the breach appears to be the result of the company not properly segmenting its data networks.

By its nature, M2M is a client-server operation and for most any building management application, there’s a relatively small amount of interconnectivity among other systems that these sensors would need in the stores themselves. Instead, each system within the store would have a point-to-point relationship with the command center, with all necessary security protocols in place including PCI for the payment processing systems along with standard access control, ingress testing, etc. for the other connected systems (I.e., HVAC, fire alarm and surveillance). The HVAC’s sole purpose is to monitor the building’s physical conditions and help managers decide, singularly, when to raise or lower the output.

Given that, would a retail operations analyst ever need to interact with facility analyst? Probably not. So why, then, would the HVAC system ever need to interact with the payment system?

As M2M professionals, we can take away some important lessons from the data breach epidemic. When setting up connected systems for discrete purposes at a building or otherwise, be sure always to establish discrete networking channels that do not allow, as a rule, interconnectivity among systems when there is no need for the systems to interact. KORE M2M experts are well-versed in the proper use of network segmenting and access control, particularly when it comes to sensitive applications.