|
Lorem ipsum
Leaking passwords, files held hostage: that is what makes us think of hackers. But what if your entire building is under attack? In the Streamz program ‘Hacked’, CIO Stein van Stichel witnesses how real estate company Upgrade Estate is hacked via an innocent printer. “Whoever gets their hands on those building systems controls the physical living environment of our tenants.”
It sounds like a script from a Hollywood movie: hackers turning off the heating or locking the doors of an office building. Yet it is not far-fetched, because Stein Van Stichel, CIO of Upgrade Estate – which provides housing for students, young professionals, and companies – is effectively referring to a well-known example from the US. Twelve years ago, supermarket chain Target was hacked there via their cooling systems. That caused 260 million euros in damage. “That risk exists here too, and at almost every company,” he says alarmingly.
The secure link is often an everyday device. "It doesn't have to be a spectacular system. It could be a printer. Or a slim meter," explains Stein. "Or a climate control system that has been connected to the network for ten years with the default password and has never received an update."
Often, the problems are present right from the construction phase. In a new construction project, ten to fifteen different suppliers often pass through. “They each do their job well, but no one looks at the whole picture from a security perspective,” warns Stein. And that is, of course, a problem now that we are filling our homes and commercial buildings to the brim with technology.
“We want to control heat pumps remotely, monitor energy consumption live, and manage access via an app. For our company, that is not a luxury; it is an operational necessity. But each of those connections is also a potential entry point.”
• Don't buy them: does a device really need to be ‘smart’? A toothbrush with Wi-Fi, a bed with an ‘app’, or your fourth security camera: they increase the risk.
• Distrust your supplier: Don't just believe your supplier if they secure everything. Programming your home automation or solar panel app? Learn how to do it yourself.
• Change basic settings: Always change the password provided by your supplier. Is a technician coming to provide assistance? Change your password afterwards.
• Update everything: Updates are sacred: always perform them. An old device without updates is less secure.
• Segment: Create a separate (Wi-Fi) network for ‘smart devices’ and isolate it from your main network if your router allows it. You can sometimes also isolate specific devices.
IT security remains a thorny issue
“I can tell you this for sure: not a single building in our country is delivered correctly in terms of IT security,” sounds the alarming statement. And Van Stichel knows this firsthand: “I trusted that our suppliers would take basic measures anyway,” he says. But during the filming of ‘Hacked’, problems came to light nonetheless.
The hackers were able to break in via a printer and took control, from the underground parking to the lighting. “That taught us that we either have to take matters into our own hands, or control and enforce it.” I also hope to raise more awareness in the sector and among our partners through this participation.”
“You only truly understand vulnerability when you see it live: checks and plans on paper are worthless if they aren't tested,” says Stein. He compares ‘Hacked’ to a fire drill. “It is a mirror. And looking in the mirror isn't always easy.”
According to Stein, the lesson for the future is not to stop digitizing, but to be more critical. “From our sustainability perspective, we keep the smart gadgets as minimal as possible,” he says. Because most suppliers nowadays are supposedly overloading buildings with sensors and other smart technology. “The lesson? Less is more: minimize gadgets and build in security from day one.