“Our Position with Respect to Cybersecurity is Still Too Weak”

Norbert Pohlmann is a Professor of Computer Science for distributed systems and information security and head of the Institute for Internet Security at the University of Applied Sciences in Gelsenkirchen, Westphalia.

He explains that building automation companies urgently need to upgrade their security technology to the state-of-the-art. Cybercrime is increasing and becoming more and more professional. Attacks against IT systems and complex IT structures, such as occur in buildings, are occurring more and more frequently and represent an ever-greater threat.

IT crime is undergoing increasing industrialization and attaining levels of professionalism never before seen. How does this affect buildings, and, more specifically, how are attacks on building automation systems carried out?

Norbert Pohlmann: It’s an unfortunate truth that any information technology can be attacked. There’s no such thing as 100 percent security. Buildings today have complex IT structures that control heating, lighting, blinds, elevators and other systems. All areas can be affected.

Can you give us an example?

Pohlmann: We hacked into the heating system of a hospital once as a demonstration. This was done to illustrate security vulnerabilities. The hospital operators could then fix these security vulnerabilities, which, to our surprise, took several months. But imagine if we had been real hackers, intent on blackmail, perhaps threatening to completely disable the heating systems? Another conceivable possibility would be to cause panic by suddenly dropping the blinds or shutting electronically controlled doors. In a hospital, these scenarios put lives at risk. However, it’s also conceivable that hackers could gain information about a building and its security infrastructure as a first step, then switch off security cameras in a targeted fashion and rob the building. And there are other threats as well. Malware, for example, can cripple systems, and networked devices like security cameras can be attacked. Thousands of these devices can be linked into botnets to carry out denial-of-service attacks in order to paralyze Webservers, for example.

How real are such risk scenarios?

Pohlmann: Very real, and the threat is increasing every year. The digital transformation has brought with it more and more systems and devices in buildings that are linked to each other via networks and coupled to the Internet. This multiplies the potential points of attack. There’s a saying in IT security – there are only two types of companies: those who know they have been attacked, and those that don’t yet know. Officially, all companies are under attack.

Who are the criminals?

Pohlmann: They cover a broad spectrum. For example, simple script kiddies and junior hackers usually just want to try out hacker tools that are freely available online and score some quick wins. A step above that, there are criminal gangs that carry out attacks to make money. The highest level consists of government-sanctioned and financed hackers, whose hacking serves political agendas. This process is like a war in some respects, but an undeclared war.

You said that there’s no such thing as 100 percent security. Does that mean we should just throw in the towel?

Pohlmann: No, quite the contrary. While it’s true that 100 percent security can’t be achieved, this should serve as an incentive, not a reason to surrender. It’s a matter of using effective IT security solutions to make it as hard as possible for the attackers. This means using conventional tools and methods, like firewalls and encryption as a first step. It also means being as proactive as possible. But since there is always a vulnerability somewhere, the next step is recognizing attacks as quickly as possible, such as with an Intrusion Detection System. Then, when I identify an intruder, I can react and potentially already stop the hackers during the attack. Even if that doesn’t work, the attack can be analyzed to eliminate the vulnerability.

Aside from technical security systems, who can help?

Pohlmann: Larger companies should have a team of employees who form a kind of task force in the event of an attack. They can then make all the necessary decisions quickly. This might include taking systems out of the network or shutting them down to stop an attack. Another important topic is regular employee training. Employees should know about potential risks, because that’s the only way to prevent them.

How do you view the manufacturer’s role in this?

Pohlmann: They bear a large part of the responsibility. Operating systems and office applications – areas where US companies like Microsoft, Apple and Google dominate – are unfortunately designed so that the software is deliberately kept unsecured. Edward Snowden’s disclosures went a long way towards revealing this. German companies working in the building automation sector would do well to develop a competitive edge by using current security technologies, and to emphasize this edge. Cybersecurity features are becoming more and more important in this sector too. A solution may then cost a bit more, but the buyers will appreciate it. Because the bottom line is: They would have to pay more to secure their systems after an attack or to repair damage.

Would regulatory requirements make sense here?

Pohlmann: There are already a few. The most well-known are definitely the regulations on companies that operate critical infrastructure. It would certainly be helpful if other companies that are not part of this sector also aligned their practices with these standards. However, I don’t think that additional regulations from politicians are necessary. It would be nice if the companies from the building automation sector united to create common security standards. They could achieve a lot through this type of cooperation, and they could implement secure and reliable building automation comprehensively.

What would an ideal world look like – one in which IT systems would be much more secure than they are now?

Pohlmann: As a scientist, I can see that the research is at least five years ahead of the current security standards used commercially. Germany has positioned itself quite well in cybersecurity research; we are actually the leaders in Europe. What’s more, we have a well-developed IT security industry. In North Rhine-Westphalia alone, there are more than 400 companies that are active in this sector. This means that companies could be doing significantly better with regard to cybersecurity than they are at present. Compared to what’s possible, their position is too weak. So companies need to adapt their security solutions to the current state-of-the-art more quickly. This would also be economically advantageous, since the potential costs of fixing damages can be substantial.

Mr. Pohlmann, thank you for the conversation.

Norbert Pohlmann is considered an established cybersecurity expert. Since 2003, he has been a Profession of Computer Science for distributed systems and information security and the managing director of the Institute for Internet Security – if(is) – at the University of Applied Sciences in Gelsenkirchen, Westphalia. In addition, Pohlmann is CEO of the IT Security Association Germany (TeleTrust), a board member of the Association of the Internet Industry (eco) and a member of the German Association for Data Protection and Data Security (GDD) and serves on the steering committee of the “Cybersecurity in the Economy” initiative of the Federal Ministry for Economics and Technology.

More on Building Technology

Developing Smart Buildings with WAGO

Digitization and networking bring opportunities, as well as challenges. A smart building must provide occupants and operators with an optimal environment and be able to adapt flexibly to their needs at any time. WAGO provides the best products and solutions to meet these requirements.


Building Technology

Whether you are planning lighting installations and automation in your office building, retrofitting a heating, ventilation and air-conditioning system or involved with room automation, WAGO helps meet your requirements in buildings.