4/21/2023
An organization’s building may seem like an unlikely victim of a cyberattack, but buildings have recently become an easy target. As internet connectivity has grown in commercial and institutional facilities, so has the threat of a costly cyberattack.
“What better way to get into a building than through its building control system? I know and everybody else knows that little to no thought has been given to security and these networks are not monitored,” says Fred Gordy, director of cybersecurity at Intelligent Buildings.
Historically, the facilities management industry has been a very anti-IT environment. When Gordy began his cybersecurity journey almost 20 years ago, network security was almost completely absent — and unfortunately not much has changed since then.
According to assessments of the commercial real estate space conducted by Building Cyber Security, of which Gordy is a founding member, 80 percent of organizations have no network security at all. About 10 percent are working on it, 5 percent are slightly more mature, and then there is the top 5 percent, which Gordy considers the most mature in the space but still not as mature as they need to be.
But it’s not that there isn’t a desire to implement security measures. Adoption is slow because the problem is complex. Facility managers know they need to do something, but the cybersecurity mountain is daunting. So, what can managers do to get started and minimize the threat of a cyberattack on their facilities? The answers include more employee training, better technology awareness, and open collaboration with IT.
Before implementing any security measures, it’s important to know why cyberattacks have become increasingly prevalent in facilities.
According to Gordy, hackers are motivated by three things: curiosity, money, and power.
When it comes to the curiosity factor, hackers have heard about building controls and that they are easy to access. Some just want to see if they can get in.
Those that are financially motivated use building controls as a pivot point. They know that once they access the control system, they likely will be able to access the corporate network.
Nation-state attacks are especially dangerous. These hackers will do whatever it takes to disrupt and demoralize another nation.
Banks, retailers, and hospitals are among those industries that have been heavily targeted, but Steve Smith, director of Physical IT Network at Arvest Bank Operations, cautions that it can happen to anyone.
“Any place where someone can figure out a way to steal something of value, you’re a target,” he says.
Hackers are trying to “hit as many ports in a storm as they can, trying to find that one person who makes a mistake,” he adds.
For example, a small HVAC contractor could be targeted for their customer list. If a hacker gets ahold of a list with bank account information, phone numbers, or email addresses, they can sell that information on the open market.
“There is no size restriction that says that’s too small for a cyber thief to want to attack. There’s value in information, and they will take whatever they can get, wherever they can get it,” Smith says.
And unfortunately, commercial and institutional facilities are leaving a lot of doors open.
“Facilities systems are becoming a good vehicle for people to get inside your network and do malicious acts,” says Smith, noting that as the Internet of Things and internet connectivity have exploded in the facilities world, so has the level of threat.
“Monitoring is an increasingly online, cloud platform type thing where you’re connecting lots of devices to the outside world. People will use those devices to carve a path to your internal networks, where they can find ways to steal,” says Smith, adding that “there is a lot of opportunity out there for your staff — probably very innocently — to click on the wrong thing and inadvertently cause a huge problem.”
Mistakes can happen, and it has become harder and harder to spot a possible cyber threat. That is why employee training is one of the best ways an organization can prevent a cyberattack.
At Arvest Bank, Smith says they focus on email and device awareness to make sure their employees know what the risks look like and can easily identify and flag anything problematic.
Some of the things he trains his employees to look for in an email include:
“If your staff is well trained and they’re aware and they know how to look for these things, you’re reducing your exposure greatly,” Smith says. “The people who are perpetrating these attacks are getting really good. … You’re going to have to inspect this stuff, and you really need to pay attention. The training and development of your staff is going to go a long way toward potentially preventing this from being an issue.”
Training should not only be part of your employee onboarding process but be ongoing throughout the year.
Positive reinforcement can also be helpful. Smith recommends sending practice emails from internal sources and encouraging employees to flag and report them. Letting employees know that management cares is vital to developing a culture that makes it clear how important network safety is for customers and the business.
Training can also look like a fire drill, where a dedicated team practices various cyberattack scenarios. This ensures everyone knows how to react, who to call, and who should be involved.
Gordy adds that, overall, encouraging employee awareness of possible threats is key.
“Don’t treat off things as happenstance,” he says. If something doesn’t feel right, chances are it’s not.
“Paying attention to your emails, making sure you’re only clicking on links that are valid, reliable and came from sources you trust. Those are gigantic in keeping people out of your systems,” Smith says.
Sometimes it feels like technology is what got facilities in this mess to begin with, but when used correctly its value is immeasurable.
Every organization should start with three simple steps when it comes to technology, Gordy says. Most importantly, facility managers must make sure none of their systems are exposed to the web.
Secondly, managers should make sure they have control of remote access.
“If your vendor is controlling your remote access, you need to take that back. You need to control your remote access, so you can monitor who is coming in and out of your building. Just because they are the vendor doesn’t mean they can come in whenever,” Gordy says.
He also suggests implementing a guide to access control and teaching your staff what it is, why it’s important, and what happens if you don’t follow it.
Lastly, facility managers should regularly take inventory of all devices and ensure they are up to date.
“Just those three things are not huge things to do, and you are going to take yourself off that radar,” says Gordy.
In a data center environment, Smith recommends keeping systems separate. That means not connecting the facility management system to the entire network, so even if there is a cyberattack, the hacker will not be able to access internal business data.
Another option he suggests is segmenting the network, making it as hard as possible for an attacker to get through the system. With this method, do not use standardized ports, but rather a random component here and there, which makes it harder for a potential hacker to sort their way through the network.
The partnership between facility managers and the IT department is more important now than ever before.
“The best thing you can do as a facility manager is to partner with your security division when you’re in the planning stages of a building or rolling out new systems,” Smith says.
Asking network security departments tough questions up front can ensure problems don’t arise down the road. Give them time to think through what scenarios could possibly happen and make suggestions on the ways problems could be avoided. While this process can be difficult, IT cannot protect systems if they don’t understand what the end goal should look like.
“Getting IT involved is a great thing, but you have to get IT involved from a collaborative effort,” says Gordy, adding that problems arise when IT does not understand what to protect.
Smith agrees, noting that the relationship between facility manager and IT should be a real partnership.
“Have real business conversations about what you plan to do, how you plan to do it, and what you can do to make it more secure. They will have suggestions, but they need to understand what you do,” Smith says. “Teamwork and collaboration are essential, or you will not be successful. If you can’t get along with your network folks and they can’t get along with you and neither of you understand what the other’s purpose is, you’re going to have a problem.”
An open line of communication between the facility manager and the IT department is even more important if there is a potential problem. Being able to have that conversation openly with IT can stop a hacker waiting in the background from acting without being caught, Smith says.
“Transparency, honesty, and an open communication line is very important in making sure you’re secure,” he adds. “It’s always a lot better to know that you’ve prevented somebody from gaining access than to have a conversation that someone got in.”
Amy Wunderlin is a freelance writer based in Fort Atkinson, Wisconsin.