Artificial intelligence (AI) is dominating recent headlines, but the technology has been associated with some of the most exciting emerging technologies related to building control systems and how they improve operational efficiency and effectiveness. The advent of smart and intelligent buildings takes this even further by optimizing the individual’s personal experience within the built environment. The benefits are apparent, but what about the risks? Does adopting smart technology make building systems more vulnerable to cyber-attacks? Are building automated systems (BAS) improving operations while also creating more gateways to access sensitive information?
Early building control systems were not traditionally built with the security of the system in mind. They were self-contained systems, nearly impervious to external access, and it would take a physical breach to compromise them. That was then. This is now.
Two technology teams (should) converge
More and more, operation technology (OT) systems are connected to other systems, becoming part of the larger information technology (IT) infrastructure. The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations, and you want to monitor them from a central location.
In addition to the functional reasons, companies realized that they could use information from these systems to improve operations. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using information from a variety of systems, and make strategic operational decisions. Adjustments to building systems that make even a small energy efficiency improvement can yield significant savings to a company with a large footprint.
Unfortunately, many people will build a connection between a building or operational control system and, for example, a remote access IT system, but fail to consider the potential security ramifications involved. The oversight is understandable. Historically, building controls were not seen as highly valuable targets largely because the capabilities and interconnected controls were limited. Perhaps a malicious actor would be able to gain access and turn the lights off. Annoying sure, but hardly worth expending resources to stop a practical joker when the resources could be used to fortify more obvious mission-critical systems.
Cyberattacks: When IT and OT lead to Oh No!
As IT and OT systems become increasingly intertwined, it is clear a unified approach to security is needed. But who should take charge? According to an ASIS survey, the biggest obstacle slowing organizations from adapting to combined systems revolves around people issues. Physical security departments are often set in a history of siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies including people management, intelligence, and investigations. IT professionals can be equally rooted in their routines built around the latest technology, system innovations, and cyber threats. Loss of authority, status, control, or staff is equally feared by both groups.
Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested in facilities, not IT. The operations folks do not want to be burdened by IT controls. Similarly, IT folks recognized that these systems are different animals, and they do not want the responsibility of securing systems that sit outside the traditional IT framework and thus do not have various IT protections and protocols built in. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.
A ”Phish” out-of-water warning about hidden vulnerabilities
You may already be aware of “phishing” attacks in which bad actors send fraudulent emails purporting to be from reputable sources to trick individuals into revealing passwords, credit card numbers, or other personal information. The phrase took on new meaning a few years ago when hackers were able to worm their way into an unnamed Las Vegas casino database through a “smart” thermometer in an internet-connected, high-tech fish aquarium. The security breach gave them access to 10 gigabytes of information from a “high roller” database that they successfully uploaded to the cloud.
The unusual heist highlights the vulnerability of Internet of Things (IoT) devices. According to IOT Analytics, the number of connected IoT gadgets is expected to grow 18% this year to 14.4 billion devices globally. It is a booming forecast despite some slight downward revisions due to supply chain and chip shortage issues. The trend also spotlights the increased vulnerabilities property owners and cybersecurity professionals will face.
The biggest security concerns will continue to be external cyberattacks and traditional issues like data theft, but new threats loom with the expansion of IoT. Denial-of-service attacks against IoT networks (or even “denial-of-sleep” attacks that drain batteries of connected devices by preventing them from powering down) are expected to be on the rise as well as a growing black market selling fake sensors and other forms of data.
For the built environment, a greater emphasis on protecting systems that control and monitor facility operations is needed. The reliability and integrity of those systems are one thing, but these systems have the potential to impact occupant’s health and safety. Everything from major power stations to personal medical devices could be at risk. The almost constant collection of information by IoT devices about our environments and circumstances could also have a serious impact on how business and personal decisions are made. Fortunately, we are starting to see better protection measures, although there is still a long way to go.
Six tips to fortify your facility against cyberattacks?
In many instances, IT is the gatekeeper to what IoT devices are allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process – preferably during the Master Planning phases – can help avoid conflicts and eliminate implementation schedule delays. While it is common for organizations to put their intelligent building system and individual IoT components on the company’s enterprise network, it comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested, and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.
Other IoT security tips include:
- Document your systems thoroughly. Too often a company doesn’t have accurate system information and you can’t manage what you don’t know.
- Schedule routine cybersecurity testing of your systems. The systems themselves are not static and new vulnerabilities are discovered every day, so it is important to ensure you stay current.
- Install manufacturer software and firmware patches and updates to reduce risk exposure.
- Require changing the default username and password for any device connecting to the internet as a mandatory best practice
- IoT devices should have unique passwords for each unit.
- If a device cannot support password, software, or firmware updates, do not connect it to your system.
Finally, being more integrated and interconnected does not necessarily mean your facility is more vulnerable. Having more IoT can make building automation systems (BAS) safer if the integration of devices drives more and better engagement between IT and facility management stakeholders about cybersecurity. Creating and following best practices can lead to better security, improved operations, reduced utility consumption, and increased occupant comfort, delivering on the promise of an intelligent building.
About the author
Coleman Wolf, CPP, CISSP, is the security services studio leader at global engineering and technology firm ESD. He has more than 20 years of experience in security management as a security designer and consultant. Coleman is an ASIS Certified Protection Professional (CPP), a Certified Information Systems Security Professional (CISSP), and an active member of the ASIS Security Architecture and Engineering Council.