Can Smart Buildings Outsmart Hackers?
Every facility manager should be able to answer these crucial questions about the cybersecurity of their facility systems.
How vulnerable are your facility systems to cyberattacks? Can bad actors hack into your building automation systems (BAS) and then gain access to sensitive information technology (IT) data? As building system technology continues to emerge and mature, facility managers, operators, and occupants are becoming increasingly reliant on the internet of things (IoT) and related technologies and applications. The continued convergence of IT and operational technology (OT) highlights the need for comprehensive cybersecurity strategies.
Facility executives have an increasingly critical role to play in making sure building systems are secure. A close collaboration with IT experts is crucial to mitigating cyberattacks. Here are some questions you and your IT experts should examine together to determine the cybersecurity of your facilities organization.
How big of a problem is cybercrime?
Cybercrime is the scourge of the information age. It is one of the most prominent (and lucrative) businesses on the dark web, conducted with near impunity. According to Government Technology Magazine, 63 percent of all data breaches in 2020 were financially motivated.
The Federal Bureau of Investigation (FBI) estimates that more than 4,000 ransomware attacks occur daily. According to Cybersecurity Ventures, a business was hit by ransomware every 40 seconds in 2017 and every 14 seconds by 2019, and the firm predicts that in 2021 a business will fall victim every 11 seconds.
COVID-19 changed the way the world worked in 2020, introducing new vulnerabilities hackers were quick to exploit. According to Help Net Security, ransomware attacks shot up 150 percent in a year that had many workers logging in from remote locations. As employees sign on to office systems using mobile phones, tablets, personal computers, IoT devices, and other technology increasingly common in today’s smart buildings, hackers have found it easier to circumvent company firewalls and exploit other vulnerabilities.
We have a modest sized company. Do we really need to worry about cyberattacks?
In a word: Yes.
You only need to look as far as the latest news headlines to sense the extent of the cyber threat. Colonial Pipeline reportedly paid the equivalent of about $5 million to restore service more quickly following a ransomware attack that halted fuel distribution on the East Coast. While dramatic, these sensational attacks may give some organizations a false sense of security. Believing your company is too small to be a target could be a costly mistake. Cybercriminals love to exploit this misconception.
According to statistics compiled by the business insurance company Embroker, close to 40 percent of data breaches occurring so far this year are aimed at small businesses. The Verizon Business 2021 Data Breach Investigations Report (2021 DBIR) says small businesses (fewer than 1,000 employees) experienced 1,037 incidents last year, 263 of them with confirmed data disclosure. According to the report, 80 percent of these breaches were the result of:
- System intrusion
- Miscellaneous errors
- Basic web application attacks
The sources of these attacks on small businesses were external (57 percent), internal (44 percent), and multiple (1 percent). Motivations behind the intrusions included:
- Financial (93 percent)
- Espionage (3 percent)
- Fun (2 percent)
- Convenience (1 percent)
- Grudge (1 percent)
- Other (1 percent)
The COVID-19 pandemic further complicates the risks as many businesses adopted new operating procedures. With more employees working from home, many companies continue to find themselves more exposed to cyber threats. Remote work requires better end-to-end security from the cloud to worker laptops.
Cybercriminals are also becoming more sophisticated with phishing attacks. They are learning from previous failed attempts to refine their techniques.
Where is my organization most vulnerable?
In a word: Everywhere.
Today’s intelligent buildings leverage online connectivity to use sensors, software, and other IoT devices to monitor and analyze facility characteristics and data to optimize operations. When BAS and IoT technologies are integrated, facility managers gain much greater control over monitoring and operating building systems, leading to greater energy efficiency, better indoor air quality (IAQ), healthier offices, and more productive and engaged team members operating within safer and more environmentally comfortable workspaces.
There are many areas smart building technology can be applied, depending on specific goals, including:
- Reducing energy and utility usage/consumption
- Monitoring critical equipment
- Meeting sustainability objectives
- Increasing productivity
- Optimizing use of resources
- Improving occupant experience
- Maintaining a healthy workplace environment
- Working toward building certification
No matter the objective, smart building technology should monitor targeted functions, collect and analyze data, and provide actionable intelligence to improve facility operations and ensure occupant comfort and safety.
The benefits of a BAS can have a huge impact on the environment and on a company’s bottom line. It is all about energy conservation and cutting costs. BAS typically combines everything from HVAC to security alarms, lighting controls, audio-visual functions, and more into a single system operating from within a facility. Efficiencies are made possible by employing computer-controlled automation to manage the various functions in the BAS. But can an intelligent building be too smart for its own good?
Recent advances in BAS technology have seen increasing use of cloud computing to tap the more powerful data acquisition and analytics available in smart building systems. While this makes management of utilities like energy and water as well as operations and maintenance easier and more cost effective, it can also potentially open your organization to additional external cyber threats – if your organization is not prepared for such threats.
What are the seven P’s of establishing cybersecurity?
To repurpose a popular bit of alliterative advice, “Previous Proper Planning Prevents Pitifully Poor Protection.” In other words, the best time to protect your organization from cyberattacks is when your smart building is being designed or retrofitted.
All too often a common approach to intelligent building design is to start by installing a bunch of smart systems for the sake of having them, and then figure out what you can do with them. The issue with this approach is that it often fails to address existing problems (if you are considering renovations to an existing facility) or the goals of the various stakeholders involved. Rather than successful and productive outcomes, this approach produces results which fall into the category of “technology for technology's sake.” Worse yet, it could be creating places for bad actors to hide malicious software.
For example, a video monitor in a building lobby innocuously being used for signage could be compromised by a hacker, especially if the factory default password was never changed when the equipment was installed. Cybercriminals would then be able to load bots or other malware onto the device and control it remotely. This toehold offers a platform from which to look for higher-value systems.
Sensitive data is not necessarily the target. If a hacker gets control of a building’s fire suppression system, for example, they can trigger an evacuation. Aside from the havoc and disruption to daily operations, such an attack also exposes the failure of the building owner and facility engineer to follow the proper protocols to keep systems as safe as possible.
What’s the best way to collaborate with IT?
In many instances, IT is the gatekeeper to what IoT devices are allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process – preferably during the Master Planning phases - can help avoid conflicts and eliminate implementation schedule delays. While it is common for organizations to put their intelligent building system and individual IoT components on the company’s enterprise network, it comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested, and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.
Some businesses opt to create an independent, dedicated network for their building technology components separate from the enterprise network. This approach typically requires an additional expense and design effort. However, with early engagement between IT and OT stakeholders during the initial design development phase, companies can minimize budget impacts to near net neutral and ensure the original implementation schedule is maintained.
Every organization will have a different solution set due to varying goals, initiatives, market position, and risk profile. There is no one-size-fits-all answer. For this reason, it is critical to engage a specialized team to help project stakeholders navigate the IT/OT landscape and select the blend of technologies and applications that meets the project’s specific requirements. The earlier in the process a consultant is engaged, the better protected your systems will be.
Can a smart building outsmart a cybercriminal?
Engaging a certified third-party cybersecurity expert to do a complete risk assessment is an important step toward protecting your systems. However, no level of protection is a guarantee of safety. A high-tech security system and dozens of locks on doors and windows will not prevent a determined burglar from breaking in, but they will slow the burglar down. Likewise, cybersecurity measures may not stop a motivated hacker, but they can make you an unattractive target.
There are four Center for Internet Security (CIS) Controls every organization should consider implementing regardless of size or budget:
- Secure Configuration of Enterprise Assets and Software (CIS Control 4): Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
- Account Management (CIS Control 5): Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
- Access Control (CIS Control 6): Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
- Security Awareness and Skills Training (CIS Control 14): Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
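The lobby-signage scenario above (a factory default password left in place on a device the outside world can reach) and CIS Controls 4 and 6 come down to a few checks a facility team can run against its own device inventory. As an added example, not code from the article or from Environmental Systems Design, the following Python script audits a building-device inventory for factory-default credentials, cleartext management services, devices sitting on the enterprise network instead of a dedicated OT segment, and internet-reachable devices, and flags the combination that gives an attacker a toehold. The device records, the factory-default list, the segment name "bas-vlan", and the severity scale are all constructed assumptions; a real run would pull these from the asset register that IT and facility management maintain together.

```python
"""Baseline audit of a building-device inventory.

Added example, not code from the article or from Environmental Systems
Design. The inventory records, factory-default list, segment names and
severity scale below are constructed for illustration.
"""
from dataclasses import dataclass


# Constructed list of vendor factory defaults to check against
# (hypothetical username/password pairs, not a real vendor database).
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
}

# Assumption: the organization runs a dedicated OT segment for building
# systems; any device outside it is sitting on the enterprise network.
OT_NETWORKS = {"bas-vlan"}

# Management services that carry credentials in the clear.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Device:
    name: str
    kind: str                 # e.g. "signage", "hvac-controller"
    network: str              # segment name from the asset register
    mgmt_services: frozenset  # services listening for management access
    username: str
    password: str
    internet_reachable: bool = False


def audit_device(dev: Device) -> list:
    """Return (rule, severity) findings for one device, in check order."""
    findings = []
    default_creds = (dev.username, dev.password) in FACTORY_DEFAULTS
    if default_creds:
        findings.append(("factory-default-credentials", "high"))
    if dev.network not in OT_NETWORKS:
        findings.append(("on-enterprise-network", "medium"))
    clear = dev.mgmt_services & CLEARTEXT_SERVICES
    if clear:
        findings.append(("cleartext-management:" + ",".join(sorted(clear)), "medium"))
    if dev.internet_reachable:
        findings.append(("internet-reachable", "high"))
    # The toehold the article describes: a default password on a device that
    # can be reached from outside lets an attacker load malware on it and then
    # look around for higher-value systems.
    if default_creds and dev.internet_reachable:
        findings.append(("remote-takeover-toehold", "critical"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'none' when the device is clean."""
    if not findings:
        return "none"
    return min((sev for _, sev in findings), key=SEVERITY_RANK.__getitem__)


def audit_inventory(devices: list) -> list:
    """Return (name, worst_severity, findings) rows, worst devices first."""
    rows = []
    for dev in devices:
        findings = audit_device(dev)
        rows.append((dev.name, worst_severity(findings), findings))
    return sorted(rows, key=lambda row: SEVERITY_RANK.get(row[1], 9))


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    Device("lobby-signage-01", "signage", "corp-lan", frozenset({"http"}),
           "admin", "admin", internet_reachable=True),
    Device("ahu-controller-03", "hvac-controller", "bas-vlan",
           frozenset({"https"}), "facops", "correct-horse-battery"),
    Device("fire-panel-gw", "fire-suppression-gateway", "corp-lan",
           frozenset({"telnet", "https"}), "svc_fire", "Zx9!pQ2#"),
]

if __name__ == "__main__":
    for name, sev, findings in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name:20} {sev:9} {[rule for rule, _ in findings]}")
```

The checks are deliberately simple so that the inventory, not the script, is the hard part: the exercise is only as good as the asset register behind it, which is why the article pushes for IT and facility management to build that register together before the first device is installed.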
Finally, being more integrated and interconnected does not necessarily mean your facility is more vulnerable. Having more IoT can actually make BAS safer if the integration of devices drives more and better engagement between IT and facility management stakeholders about cybersecurity. Creating and following best practices can lead to better security, improved operations, reduced utility consumption, and increased occupant comfort, delivering on the promise of the intelligent building.
Bryan Bennett is practice leader, cybersecurity for Environmental Systems Design. Bennett has been facilitating IT and security strategies for more than 25 years. As a strategic leader, partner and facilitator, he is focused on creating safe, secure, and trustworthy data center environments through connecting people in building systems with information technology and operational technology.
Steve Brown, CAP, is operations director, automation for Environmental Systems Design. Brown focuses on delivering maximum results through the application of available technologies. His industry expertise provides clients with exceptional building systems designs and operational performance.