Interview 28 August 2020
“Our Position with Respect to Cybersecurity is Still Too Weak”

Norbert Pohlmann is a Professor of Computer Science for distributed systems and information security and head of the Institute for Internet Security at the University of Applied Sciences in Gelsenkirchen, Westphalia.

He explains that building automation companies urgently need to upgrade their security technology to the state of the art. Cybercrime is increasing and becoming more and more professional. Attacks against IT systems and complex IT structures, such as those found in buildings, are becoming more frequent and represent an ever-greater threat.

IT crime is undergoing increasing industrialization and attaining levels of professionalism never before seen. How does this affect buildings, and, more specifically, how are attacks on building automation systems carried out?

Norbert Pohlmann: It’s an unfortunate truth that any information technology can be attacked. There’s no such thing as 100 percent security. Buildings today have complex IT structures that control heating, lighting, blinds, elevators and other systems. All areas can be affected.

Can you give us an example?

Pohlmann: We hacked into the heating system of a hospital once as a demonstration. This was done to illustrate security vulnerabilities. The hospital operators could then fix these security vulnerabilities, which, to our surprise, took several months. But imagine if we had been real hackers, intent on blackmail, perhaps threatening to completely disable the heating systems? Another conceivable possibility would be to cause panic by suddenly dropping the blinds or shutting electronically controlled doors. In a hospital, these scenarios put lives at risk. However, it’s also conceivable that hackers could gain information about a building and its security infrastructure as a first step, then switch off security cameras in a targeted fashion and rob the building. And there are other threats as well. Malware, for example, can cripple systems, and networked devices like security cameras can be attacked. Thousands of these devices can be linked into botnets to carry out denial-of-service attacks in order to paralyze web servers, for example.

How real are such risk scenarios?

Pohlmann: Very real, and the threat is increasing every year. The digital transformation has brought with it more and more systems and devices in buildings that are linked to each other via networks and coupled to the Internet. This multiplies the potential points of attack. There’s a saying in IT security – there are only two types of companies: those who know they have been attacked, and those that don’t yet know. Officially, all companies are under attack.

Who are the criminals?

Pohlmann: They cover a broad spectrum. For example, simple script kiddies and junior hackers usually just want to try out hacker tools that are freely available online and score some quick wins. A step above that, there are criminal gangs that carry out attacks to make money. The highest level consists of government-sanctioned and financed hackers, whose hacking serves political agendas. This process is like a war in some respects, but an undeclared war.

You said that there’s no such thing as 100 percent security. Does that mean we should just throw in the towel?

Pohlmann: No, quite the contrary. While it’s true that 100 percent security can’t be achieved, this should serve as an incentive, not a reason to surrender. It’s a matter of using effective IT security solutions to make it as hard as possible for the attackers. This means using conventional tools and methods, like firewalls and encryption, as a first step. It also means being as proactive as possible. But since there is always a vulnerability somewhere, the next step is recognizing attacks as quickly as possible, such as with an Intrusion Detection System. Then, when I identify an intruder, I can react and potentially already stop the hackers during the attack. Even if that doesn’t work, the attack can be analyzed to eliminate the vulnerability.