When individual vulnerabilities are exposed in a coordinated manner, the effects can lead to corporate network data breaches, destruction of cyber-physical systems, or physical harm to people. Imagine the following facility hack scenarios and the potential repercussions:
• A cloud-hosted elevator control and monitoring system used for a high-rise building is hacked. The hackers push a malicious firmware update down to the on-premise elevator controller. The malware copies itself from controllers down to PLC’s across the network. Once the malware finds the fail-safe PLC, it releases its payload, removing the fail-safe programming that prevents elevators from dropping down elevator shafts. The next ride is deadly.
• The 2013 Target hack was accomplished using credentials of an HVAC contractor. In this case, the hackers installed malware into the point of sale systems of Target, which allowed them to siphon off about 40 million debit and credit card accounts between Nov. 27 (the night before Black Friday) and Dec 15. It is estimated that the breach cost Target $290 million. What security measures were in place to separate and segment the IT/OT networks? Why would an HVAC contractor have access to point of sale system?
Cybersecurity is not something that should be taken lightly, especially in the context of cyber-physical systems. Implementing cybersecurity strategies and having a dedicated cybersecurity expert should be a priority for all facilities. For small to medium size facilities, managed cybersecurity operation centers and cybersecurity insurance, or cybersecurity as a Service (CaaS) type offerings should be considered to gain expertise without dedicating staff. Enterprises must have a dedicated staff team to review network designs, evaluate technologies being considered for implementation, and identify risks. The following tips can help facility managers get a handle on cybersecurity best practices:
• Cybersecurity is never “one size fits all” – every project has unique characteristics.
• Air gaps won't stop industrial control system cyberattacks (e.g. malware such as Stuxnet's Children, Duqu, and Conficker)
• MFA (multi factor authentication) basis remote access (host, system, or network) is recommended.
• SSL (v1/2/3) has been deprecated by the Internet Engineering Task Force; TLS 1.2 or higher should be used.
• 802.1x and SNMPv3 are recommended for any IoT devices and building systems.
• The NIST 800-series, including the NIST Risk Management Framework and NIST Cybersecurity Framework, should be leveraged as implementation guidelines.
• Deep Packet Inspection (DPI) is required to protect industrial control systems using OT/IoT. The next-gen firewall for industrial control systems should not only support "signature-based DPI" but also "protocol-specific DPI," such as a Modbus or BACnet DPI firewall.
Internet of Things-style solutions will be installed in both new and existing facilities at a high rate over the coming decade. While promising new revenue streams, enhanced efficiencies, operational cost savings, or improved user experience, incorporation of these systems can create cybersecurity vulnerabilities at multiple levels of the technology stack. As computing power shifts outwards towards these internet-connected edge devices, cybercriminals now have additional firepower to use for creating data breaches, causing distributed denial of service attacks, hacking cyber-physical systems, or any number of information system attacks. This is especially true since many IoT devices and protocols have inherent cybersecurity vulnerabilities, or are being installed in OT networks not originally designed to be secure against this type of traffic. Therefore, facility managers must be diligent about understanding the systems and devices being placed on their network, coordinating with their IT counterparts, and creating a plan for continuous evaluation of these systems throughout their development lifecycle. The Building IoT will force IT/OT teams to evolve into Information and Operational Technologies (IOT) teams to ensure all devices on facility networks will comply with corporate IT policies, cannot tamper with cyber-physical systems, and do not endanger facility occupants.
Isaac Chen is a vice president at WSP, one of the world’s leading engineering and professional services firms, with over 25 years of experience in software development and electrical and telecommunication engineering.
Cory Mosiman is smart building specialist at WSP USA, researching building technologies and platforms ranging from traditional mechanical/lighting/electrical systems, to integration platforms and Building Internet of Things solutions.
The authors can be reached at usinfo@wsp.com.
Smart Buildings: Efficient and Resilient. But Secure?
Cybersecurity: Understanding Smart Building Vulnerabilities
How Hackers Exploit Cybersecurity Vulnerabilities
