Some of the most exciting emerging technologies related to building control systems improve operational efficiency and effectiveness using artificial intelligence. The advent of smart and intelligent buildings takes this even further to optimize people’s experience within the built environment. Many great benefits from these technologies are possible, but there are also a lot of potential cybersecurity risks.
Early building control systems were not traditionally built with security of the system in mind. They were self-contained systems, nearly impervious to external access, and it would take a physical breach to compromise them. That was then. This is now.
The convergence of operational and information technology
More and more, operation technology (OT) systems are connected to each other and to other systems, becoming part of the larger information technology (IT) infrastructure. The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations, and you want to monitor them from a central location.
In addition to the functional reasons, companies realized that they could use information from these systems to improve operations. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using information from a variety of systems, and make strategic operational decisions. Adjustments to building systems that make even a small energy efficiency improvement can yield significant savings to a company with a large footprint.
Unfortunately, many people will build a connection between a building or operational control system and, for example, a remote access IT system, but fail to consider the potential security ramifications involved. The oversight is understandable. Historically, building controls were not seen as highly valuable targets largely because the capabilities and interconnected controls were limited. Perhaps a malicious actor would be able to gain access and turn the lights off. Annoying sure, but hardly worth expending resources to stop a practical joker when the resources could be used to fortify more obvious mission critical systems.
Cyberattacks: When IT and OT lead to Oh No!
As IT and OT systems become increasingly intertwined, it is clear a unified approach to security is needed. But who should take charge? According to an ASIS survey, the biggest obstacle slowing organizations to adapt to combined systems revolve around people issues. Physical security departments are often set in a history of siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies including people management, intelligence, and investigations. IT professionals can be equally rooted in their own routines built around the latest technology, system innovations, and cyberthreats. Loss of authority, status, control, or staff are equally feared by both groups.
Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested in facilities, not IT. The operations folks do not want to be burdened by IT controls. Similarly, IT folks recognized that these systems are different animals, and they do not want the responsibility of securing systems that sit outside the traditional IT framework and thus do not have various IT protections and protocols built in. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.
When “Phishing” becomes “Fishing” and other surprising vulnerabilities
You may already be aware of “phishing” attacks in which bad actors send fraudulent emails purporting to be from reputable sources to trick individuals into revealing passwords, credit card numbers, or other personal information. The phrase took on new meaning a few years ago when hackers were able to worm their way into an unnamed Las Vegas casino database through a “smart” thermometer in an internet connected, high-tech fish aquarium. The security breach gave them access to 10 gigabytes of information from a “high roller” database that they successfully uploaded to the cloud.
The unusual heist highlights the vulnerability of Internet of Things (IoT) devices. According to IOT Analytics, the number of connected IoT gadgets is expected to grow 18 percent this year to 14.4 billion devices globally. It is a booming forecast despite some slight downward revisions due to supply chain and chip shortage issues. The trend also spotlights the increased vulnerabilities property owners and cybersecurity professionals will face.
The biggest security concerns will continue to be external cyberattacks and traditional issues like data theft, but new threats loom with the expansion of IoT. Denial-of-Service attacks against IoT networks (or even “denial-of-sleep” attacks that drain batteries of connected devices by preventing them from powering down) are expected to be on the rise as well as a growing black market selling fake sensor and other forms of data.
For the built environment, a greater emphasis on protecting systems that control and monitor facility operations is needed. Reliability and integrity of those systems is one thing, but these systems have the potential to impact occupant’s health and safety. Everything from major power stations to personal medical devices could be at risk. The almost constant collection of information by IoT devices about our individual environments and circumstances could also have a serious impact on how business and personal decisions are made. Fortunately, we are starting to see better protection measures, although there is still a long way to go.
What is the best way to protect facilities from cyberattacks?
In many instances, IT is the gatekeeper to what IoT devices are allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process – preferably during the Master Planning phases - can help avoid conflicts and eliminate implementation schedule delays. While it is common for organizations to put their intelligent building system and individual IoT components on the company’s enterprise network, it comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested, and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.
Other IoT security tips include:
- Document your systems thoroughly. Too often a company doesn’t have accurate system information and you can’t manage what you don’t know.
- Perform cybersecurity testing of your systems on a routine basis. The systems themselves are not static and new vulnerabilities are discovered every day, so it is important to ensure you stay current.
- Follow a regular routine of software and firmware patches and updates to reduce risk exposure
- Follow a mandatory best practice of always changing the default username and password for any device connecting to the internet
- IoT devices should have unique passwords for each unit
- If a device cannot support password, software, or firmware updates, do not connect it to your system
Finally, being more integrated and interconnected does not necessarily mean your facility is more vulnerable. Having more IoT can actually make building automation systems (BAS) safer if the integration of devices drives more and better engagement between IT and facility management stakeholders about cybersecurity. Creating and following best practices can lead to better security, improved operations, reduced utility consumption, and increased occupant comfort, delivering on the promise of the intelligent building.
About the author:
Coleman Wolf, CPP, CISSP, Security Services Studio Leader with ESD, has over 20 years of experience in security management as a security designer and consultant. Coleman is an ASIS Certified Protection Professional (CPP), a Certified Information Systems Security Professional (CISSP), and is an active member of the ASIS Security Architecture and Engineering Council. He holds a Master of Science in Computer Information Systems from Northwestern University in Evanston, Illinois, and a Bachelor of Science in Electrical Engineering from the University of Michigan, Ann Arbor.