FROM THE EDITOR
IS A PROUD MEMBER OF: nBUILDINGS
Jesse H. Neal Award
Jesse H. Neal Award
2014, 2013, 2012,
2011, 2010, 2009
Best Publication and
Best How-to Article
BUILDINGS SUBSCRIPTION INFORMATION RATES:
United States and its possessions: $120.00 for 1 year.
All foreign countries $150.00 (US funds) (surface
mail) for 1 year. Extra and back issue copies (when
available) are $10.00 each, shipping and handling
included – except on large/bulk shipments. Tear
sheets $1.75 each. All orders must be PREPAID
to: BUILDINGS magazine, 615 Fifth St SE, Cedar
Rapids IA 52401 or PO Box 1888, Cedar Rapids IA
52406-1888. Attn: Subscription Department. 1-800-
553-8878 ext. 5020.
Copyright 2014 Stamats Communications.
For high-quality, customized
reprints, please contact
Stamats Marketing Services:
1-800-553-8878 ext. 5034
The Stamats headquarters
is a LEED Certified Silver
Volume 109 Number 10 BUILDINGS (ISSN 0007-3725) is published monthly by Stamats Communications 615 5th St. SE, PO Box 1888, Cedar Rapids, IA, 52406-1888;
(319) 364-6167. Periodicals Postage Paid at Cedar Rapids, IA, and at additional mailing office. POSTMASTER: Send address changes to: Buildings, PO Box 1888, Cedar Rapids, IA,
52406-1888. Publications mail agreement No. 41666041. Return undeliverable Canadian addresses to: PO Box 875, STN A, Windsor, ON, N9A 6P2.
A Publication of Stamats Buildings Media
VP, Group Publisher Tony Dellamaria
Chief Content Director Chris Olson
Senior Editor Janelle Penny
Senior Editor Jennie Morton
E-Content Editor Pete Campie
Art Director Elisa Geneser
Graphic Designer Evan Brownfield
For subscriptions, visit:
Buildings is a registered trademark owned by
Editorial Advisory Board
Christopher K. Ahoy President/CEO,
Performance Management Consulting
Steven R. Colvin Senior Vice President of
Property Management, Boston Properties LP
Michael Delev General Property Manager, Hines
Steve Fugarazzo Manager, Facilities Engineering,
Rod Stevens Principal Consultant,
Eric A. Woodroof Founder,
Hack or Treat!
Do you like a good Halloween scare? Depending on your answer, you might – or might not – want to google “how to hack into
building systems.” I did and was surprised at the number of hacking events involving building
equipment from familiar suppliers.
According to Federal Facility Cybersecurity, a report released this year by the U.S. Government
Accountability Office (GAO), the threats can involve any building system with an internet connection – including CCTV camera systems, HVAC, access control, fire annunciation and suppression,
elevators, lighting, and power systems. The purpose of such internet connections can be for equipment monitoring or alarms, delivery of software updates, or remote control of building functions,
but owners may have little knowledge of them. Hackers can locate such devices with the help of
software programs designed to identify internet-connected devices. Cyberattacks can come from
insiders, like unhappy employees or contractors, or from criminal outsiders. Public and private
buildings are vulnerable.
Many building control systems have not
been designed with a high degree of cybersecurity in mind. They may have hardcoded
passwords that cannot be changed and
backdoors for use by the manufacturer, vendor or integrator. Once hackers have gotten
a foothold, they can tap software that helps
them to decode administrative passwords.
Even if building systems are not on the
same network as those with sensitive infor-
mation on employees, customers, accounting
and banking, major mischief can still result. For example, a hacker might release an electronic door
lock remotely as part of a coordinated physical attack on a facility.
Hackers and other criminals look for the path of least resistance, and simple practices can deter
them. A report from Schneider Electric encourages good network and password management,
user management (such as auto-expiration account routines and immediate disabling of accounts
for employees leaving or moving to new positions), and software management (immediate use of
security patches when they become available). The GAO report notes that having a strategy is a
starting point to address the risks – but the Department of Homeland Security has not developed
one for federal facilities.
Have you developed one for yours?
Chief Content Director