Today’s building system technologies bring many benefits in terms of improved energy efficiency, sustainability, and improved occupant experience. But these systems also introduce new vulnerabilities that can be attractive to malicious actors seeking to launch cyberattacks. So do the benefits of an intelligent building outweigh the risks, and how should potential vulnerabilities be addressed?
As we continue to move into an evolving, post-pandemic workplace we see greater demand for better day-to-day management of operations through building automation systems (BAS), air quality monitoring, elevators, building access control, video surveillance and more that can now be monitored and controlled remotely.
The age of the intelligent building is upon us, and as intelligent building platforms continue to grow and evolve, so will the frequency and nature of the cyberattacks we can expect to see targeting these systems.
Exposing hidden vulnerabilities
Early building control systems tended to be self-contained systems isolated from external access. They were not typically built with strong security in mind as it would take some type of physical contact to compromise them. A workstation login and password often were all that was really needed. With modern buildings increasingly being connected with the outside world, exposure to those systems has grown exponentially, leading to an increased danger of cyberattacks.
While external access to a company’s more sensitive data may be difficult to attain, how about hacking into a web-connected thermostat or lobby monitor? These and other less obvious targets may not always be recognized. Why should you care if someone outside can flip your building’s lights on and off? Because the compromise of those devices may not be the ultimate goal of an attacker.
The fact that those devices are easy to connect to and likely have vulnerabilities that are easy to exploit make them valuable initial steps for an attacker to gain further access to a network to reach other targets. If a hacker finds that normal entry points to a network are well-secured, they will look to alternate entry points, and with operational technology (OT) systems increasingly connected to networks, bad actors are finding those paths with much easier access.
The attacker’s goals may be theft of valuable information, but it could also be some sort of disruption of systems or operations. With information technology systems this disruption may be in the form of deleted or modified data or denial-of-service, or it could be ransomware in which data is encrypted until the victim pays a ransom to the attacker.
With OT systems, the nature of these disruptions can be significantly more severe. Imagine the potential damage resulting from loss of critical OT systems in a hospital, or power at a casino or cooling at a data center. And for many systems, availability and integrity is important to the health and safety of personnel, adding further potential risks.
Protecting your assets
While different systems have different requirements, the following are some basic security recommendations to better protect your building and operations:
- Perform cybersecurity testing of your systems on a routine basis. The systems themselves are not static and new vulnerabilities are discovered every day, so it is important to stay current.
- Document your systems thoroughly. Too often a company doesn’t have accurate system information. You can’t manage what you don’t know.
- Segregate systems on separate networks wherever possible.
- Actively manage system accounts including unique and strong passwords for each component and controlling system account assignment and privileges.
- Create a program to manage software and firmware patches and updates to reduce risk exposure.
Cybersecurity as a journey, not a destination
As information technology IT and OT systems become increasingly intertwined, it is clear a unified approach to security is needed. But the frequent question asked is “who should manage cybersecurity for these systems?”
In many instances, IT is the gatekeeper to all devices allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process – preferably during initial Master Planning phases – can help avoid conflicts and eliminate implementation schedule delays.
While it is common for organizations to put their intelligent building system and individual OT system components on the company’s enterprise network, that comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.
It is important to view cybersecurity as an ongoing cycle that begins with awareness and progresses to assessment, evaluation and decision-making, followed by design and implementation before the process cycles back to awareness again. A great first step to launching this cycle is to engage with a qualified third-party expert to help guide you along the way and conduct independent assessments. There are also two specific steps every company should take now:
Get your IT and OT teams together now
- Obtain support from top down to address organizational risks
- Work jointly to identify gaps in security measures
- Develop a unified cybersecurity policy and mitigation strategies
Know your security posture
- Document your systems (“You can’t manage what you don’t know”)
- Assess vulnerabilities and risks for your systems and existing protective security measures
- Conduct regular checkups to reassess posture and assess corrective measures
In the end, being more integrated and interconnected does not inherently mean your facility is more vulnerable, but it does make the security considerations more complex. In fact, the additional systems can make building automation systems (BAS) safer if they provide more detailed intelligence that allow operations personnel to respond to a cyberattack more accurately and efficiently.
If the integration of these devices and systems drives more and better engagement between stakeholders, we can expect to see overall better security, improved operations, reduced utility consumption, and increased occupant comfort, delivering on the promise of the intelligent building.
Coleman Wolf, CPP, CISSP, is the security services studio leader at global engineering and technology firm ESD. He has more than 20 years of experience in security management as a security designer and consultant. Coleman is an ASIS Certified Protection Professional, a Certified Information Systems Security Professional and an active member of the ASIS Security Architecture and Engineering Council. He holds a Master of Science in Computer Information Systems from Northwestern University in Evanston, Illinois, and a Bachelor of Science in Electrical Engineering from the University of Michigan, Ann Arbor.