Bridging the Cybersecurity Gap Between IT and Operations
Understanding access with continuous monitoring is also critical even if you think you’re already doing everything right.
By Amy Wunderlin, Contributing Writer
Building automation and control systems have grown more and more complex, with sensors and remote monitoring built into nearly everything. This connectivity helps make the jobs of facility managers and maintenance staff easier and more efficient, but it also presents a new line of vulnerability for those not prepared for cyber threats.
Something as simple as the toilet paper being low can now be monitored with electronic sensors that remotely send alerts to staff to let them know it’s almost time to change the roll. The cost savings of changing the toilet paper roll at just the right time can be immense, but if that sensor is connected to an unsecure network, the potential for even costlier disruptions can be greater.
Hackers no longer need to target IT networks alone. An unsecured HVAC controller, lighting system or IoT device can provide a backdoor into critical infrastructure. As technology is increasingly integrated into buildings, the people who maintain and care for them need to understand the associated risks of smart tech. This is no longer just an IT problem.
“Most people are aware, but I'm not sure we've gotten to the stage where they really accept that this is knowledge they need to have,” says Maureen Roskoski, vice president and corporate sustainability officer, FEA. “The problem is that everybody pushes it off to IT, and there's just so much that the facility managers can do.”
For Fred Gordy, senior vice president of secure connected solutions, KMC Controls, this means getting back to the basics and asking three questions: what do you have, how is it connected and who has access?
“You have to get back to the fundamentals,” says Gordy. “It doesn't matter where you are in your journey. You have to know those three things.”
The risks of doing nothing
Skipping the cybersecurity fundamentals opens not only the facility but also the entire organization up to several different kinds of risk—the least scary being that the building becomes unusable, says Gordy.
Operational disruptions where systems are shut off or staff are locked out can result in a building being out of work for days at a time. The costs of shutting down operations can be high, but in extreme situations they can be deadly.
Gordy references a case in Alabama where a hospital was locked out of their systems, losing visibility to their fetal monitoring equipment. A woman in labor at the time had to deliver a baby without being monitored and the child was born not breathing and suffered fatal brain damage.
While this is an extreme consequence, vulnerable facility networks pose safety risks of all severity levels.
“Hackers can control building systems—spy through video surveillance cameras, manipulate the HVAC system, override emergency systems, halt elevators, create dangerous levels of environmental conditions—and use ransomware to force facility management company to pay to regain control of the building,” says Michael Gips, managing director, Security Risk Management.
The most common risk, though, is access to confidential information and data. One of the first big data leaks that is often cited was at Target, where hackers were able to get into the retailer’s customer data through their HVAC system.
“Once they get in, then it's more vulnerable to people, data, company data, and whatever they can get into,” says Roskoski.
Getting facilities involved in cybersecurity
While the systems in place are certainly more complex, getting facility managers up to speed on protecting them against cyber threats doesn’t have to be. Gordy again reiterates the basics, starting simply by shutting the doors on access to the outside world. From there, more secure designs can be layered.
“If you start shutting those doors that let me in from the internet…if you shut those doors and you take over control of access, that's huge, and that's a low cost,” he says. “That's the way building control systems are right now. They're just sitting out there for anybody to come get them. We have to put them outside the fence, or we have to put a fence around them.”
Other basic steps, such as ensuring all firmware and software are up to date and being aware of phishing or deceptive emails, can make a real difference. Setting up multi-factor authentication on password-protected systems is another easy security measure that even the largest organizations neglect.
Take one of the most famous museums in the world, Paris’ Louvre Museum, which recently fell victim to shoddy cybersecurity, joining the ranks of victims of high-profile cyber-attacks that likely could have been prevented with multi-factor authentication. Inadequate password protection was among several weaknesses thieves exploited to pull off a jewelry heist at the museum in October. A 2014 audit of the museum further fueled rumors that the password to the museum’s video surveillance system was “Louvre.”
Another good practice Roskoski recommends is implementing a concept known as IT of least privilege.
“It means you only give people or devices the minimum access they need,” she explains. “If all a sensor is supposed to do is read temperature, that’s all it does. You don’t give it any other access…it should not be able to change temperature.”
Gips recommends building automation networks that are separate from the corporate IT or tenant guest networks, so that even if a network is breached, that intruder cannot gain access to internal data like financials or customer information.
He also suggests using a VPN or secure gateway between the network and the open internet, establishing a process for regular staff training on cyber risks and best practices, and conducting real-time monitoring of the building network and devices that look for anomalies or suspicious behavior.
Continuous monitoring is a must
Once proper protocols have been put in place, it is even more important to continuously monitor your network to ensure you are following Gordy’s three fundamentals of who, what and where.
Gips agrees that while connectivity is everywhere in the built environment, companies have not done a great job of inventorying or monitoring these devices—and they are definitely not keeping up on regulations around them.
“A lot of building system protocols weren’t built with today’s cyber technology in mind,” he adds. “As the attack surface grows, so do cyber incursions…what’s more, the EU has new legislation (EU Cyber Resilience Act) such that, by 2026 or 2027, connected devices that do not meet security standards won’t be able to be used or sold.”
In the US, the NIST Cybersecurity Framework 2.0 is a voluntary (for private businesses) set of principles that apply to building systems.
“Though there is no penalty for ignoring them if you don’t do business with the federal government, doing so can lead to contract-compliance issues, increased costs of cyber incidents, and potential legal liability,” says Gips.
Understanding access with continuous monitoring is also critical even if you think you’re already doing everything right.
“You can have the most secure network, but if you allow, say, a system integrator to come in and put a remote access solution in there, they just punched a hole through your security,” says Gordy. “You have to take stock of how many third-party vendors have access to your stuff, unfettered, 24/7, with no control.”
Roskoski also recommends implementing protocols around resignations that ensure that when people leave the company or change roles, they are disconnected from all systems.
“We're not talking about hard things here, and we're not talking about rocket science,” adds Roskoski. “You don't have to become an expert in it. It's just basic awareness and recognition that your systems are a vulnerability to the organization, so we're going to take these steps to make sure we don't allow hackers to do anything that would make it vulnerable.”
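Gordy's three questions (what do you have, how is it connected, who has access) and the least-privilege, segmentation, multi-factor and offboarding checks described above can be run as a recurring audit over a device and account inventory. The following is an added example, not code from the article or from anyone quoted in it; the inventory, field names and the "bas" network label are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory; every name and field here is hypothetical.
DEVICES = [
    {"name": "ahu-1-controller", "role": "controller", "network": "bas",
     "internet_exposed": True, "permissions": {"read", "write"}},
    {"name": "lobby-temp-sensor", "role": "sensor", "network": "bas",
     "internet_exposed": False, "permissions": {"read", "write"}},
    {"name": "dispenser-sensor-3", "role": "sensor", "network": "corporate",
     "internet_exposed": False, "permissions": {"read"}},
]
ACCOUNTS = [
    {"user": "former-tech", "kind": "staff", "mfa": True,
     "left_on": date(2024, 1, 15), "always_on": False},
    {"user": "integrator-remote", "kind": "vendor", "mfa": False,
     "left_on": None, "always_on": True},
    {"user": "fm-lead", "kind": "staff", "mfa": True,
     "left_on": None, "always_on": False},
]

def audit_devices(devices):
    """What do you have, and how is it connected?"""
    findings = []
    for d in devices:
        if d["internet_exposed"]:
            findings.append((d["name"], "reachable from the internet"))
        if d["network"] != "bas":
            findings.append((d["name"], "not on the separate building network"))
        # Least privilege: a sensor should hold read access and nothing else.
        if d["role"] == "sensor" and d["permissions"] - {"read"}:
            findings.append((d["name"], "sensor can do more than read"))
    return findings

def audit_accounts(accounts, today):
    """Who has access? All listed accounts are assumed to be still enabled."""
    findings = []
    for a in accounts:
        if a["left_on"] is not None and a["left_on"] <= today:
            findings.append((a["user"], "left the organization, still enabled"))
        if not a["mfa"]:
            findings.append((a["user"], "no multi-factor authentication"))
        if a["kind"] == "vendor" and a["always_on"]:
            findings.append((a["user"], "vendor access is unrestricted 24/7"))
    return findings

if __name__ == "__main__":
    results = audit_devices(DEVICES) + audit_accounts(ACCOUNTS, date(2024, 6, 1))
    for subject, issue in results:
        print(f"{subject}: {issue}")
```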
Amy Wunderlin is a freelance writer based in Fort Atkinson, Wis.