As technology was evolving exponentially in the 21st century, cybercrime also exploded.
“At the same time as we were seeing all this progress in building automation, we also were seeing the emergence of computer viruses and malware,” points out Alan Bronikowski, engineering fellow and team leader of core platforms at Johnson Controls. “It became important to harden more levels of the BAS.”
Jim Young, CEO/founder of Realcomm, warns that cyberattacks on a BAS could come from a wide range of sources. “They could come from a disgruntled employee who turns off all the lights or a nation-state that turns off the air conditioning in a major New York high-rise,” Young explains. “They could do physical damage to major pieces of HVAC or other equipment.” Young helped to form the Real Estate Cyber Consortium, which shares leadership and insight on best practices, policies, and procedures across real estate owners, operators, and solution providers.
Unfortunately, cyberattacks can come from virtually anywhere. For instance, Young points to the Seehotel Jaegerwirt in Austria. In 2017, hackers got into the four-star hotel’s electronic key system. The hotel could not create new keys until it paid the hackers’ ransom in Bitcoin to get its system back up and running.
Chris Kwong, chief technical officer at Delta Controls, also notes that hackers might use distributed denial of service (DDoS) malware “to choke the network bandwidth, leaving the system non-responsive.”
Robert Hemmerdinger, chief sales and marketing officer at Delta Controls, points out that hackers can use search engines like Shodan to scan for unprotected devices (webcams, routers, servers, etc.) on the Internet. “Shodan shows how many building owners are at risk,” he says. “And I am sure most of these building owners do not know that they are in danger and how dangerous unprotected devices can be.”
NIST framework offers cybersecurity guidance
The U.S. National Institute for Standards and Technology (NIST) cybersecurity framework offers computer security guidance on how U.S. organizations can assess and improve prevention, detection, and response to cyberattacks. The framework offers a range of cybersecurity outcomes and ways to assess and manage them.
NIST published Version 1.0 in 2014. The framework was originally designed for operators of critical infrastructure, such as the military. Currently, the cybersecurity framework is being used by numerous businesses and organizations, along with the federal government, to manage their cyber risks.
Version 1.1 became available in early 2018 and is compatible with the earlier version. The 2018 version features guidance on performing self-assessments, more details on supply chain risk management, and advice on how to interact with supply chain stakeholders.
“NIST’s cybersecurity framework, in particular, is focused on critical infrastructure cybersecurity and consists of standards, guidelines, and best practices to manage cybersecurity-related risks,” explains Kevin T. Smith, chief technology officer of Tridium.
“It’s a much more holistic view of cybersecurity, not only dealing with secure network traffic, but also how to manage risks,” observes Chris Kwong, chief technical officer at Delta Controls.
Cybersecurity Must Be a Priority for Building Owners
Understanding Common Cybersecurity Weaknesses in Buildings
As Cybercrime Increases, More Resources Arrive to Fight It
