No organization can assume that its internet-connected devices won’t be discovered. Just as search engines can help users find, for instance, the nearest five-star restaurant, engines that are sometimes known as “Google for devices,” scour and catalog the internet for connected devices, such as building control systems, Gordy says.
An organization can use one of these sites to track its own devices that are accessible from the internet. However, so can those who might not have the organization’s best interests in mind.
A first step in tackling this risk is knowing what devices a facility has connected to the internet.
“The minute you’ve connected to the internet, you’ve opened the doors to all that lurks,” says Charlie Regan, capability expansion orchestrator with Nerds On Site. “And there's a good deal lurking out there.”
In the past few years, companies have developed OT tools to monitor building system devices, Gordy says. This is a positive shift. While there had been IT tools designed to find vulnerabilities in IT environments, they weren’t always a good fit for building system devices.
The reason? Many IT devices were built to withstand the interrogations of IT monitoring tools. Building system devices, however, typically weren’t designed to withstand aggressive questioning, and could lock up and become unresponsive. Newer OT monitoring tools typically don’t negatively impact building systems, Gordy says.
A virtual private network, or VPN, is another way to mitigate the risk that comes with connecting to the internet. A VPN is an encrypted internet connection between a device and a network. It helps ensure the safe transmission of data and can prevent unauthorized people from intercepting it.
With a VPN, users — whether workers or suppliers — can work remotely with greater security, so long as they’re required to connect to VPN before they connect to the system, Ahrens says. Before the VPN allows them access, they must be an authorized entity.
In the building controls world, the most common attack is through ransomware, Gordy says. In ransomware attacks, malicious software infiltrates a computer or network, often through a file downloaded from an email. The malicious software then limits access to files until a ransom is paid.?Between 2022 to 2023, reported ransomware attacks jumped nearly 73 percent, to 4,611 cases, according to SANS, a cybersecurity training organization.?
Why is ransomware popular?
“It's easy, it's cheap,” Gordy says.
A criminal can churn out hundreds of thousands of emails, and if only a tiny percent are opened and the malicious file downloaded, the cybercriminal can make out quite well, he adds.
Training can reduce the likelihood of a ransomware attack succeeding. Employees should know to check before opening any email attachments.
“Always stop and ask yourself, ‘Is something different?’” Gordy says. For instance, does the email address look legitimate?
Regular software updates also are key. They can keep cybercriminals from exploiting known vulnerabilities.
Many cybersecurity products “are in the business of building a better goalie,” Regan says. That is, they focus on keeping cyber criminals out of a network.
“That is a losing game,” Regan says, given how well-orchestrated, well-funded, and creative many criminals are.
Instead, organizations can take a lesson from many high-end jewelry operations, in which a person must enter and exit through a steel capsule, Regan says. Before criminals can get out, they need to go through the steel cage. That offers an opportunity to catch them before they make off with assets. For facility managers, instead of stopping people walking out with gems, they can prevent data theft.
Regan says his firm starts with the premise that the bad guys are going to get into a business. With that in mind, the goal is to prevent them from getting out and taking data with them. To that end, an edge device is placed at the interface of the internet and a corporate network, monitoring traffic, both coming and going, as outgoing traffic can mean cybercriminals have data they can “use, abuse, or sell,” he says.
“We make sure that your data never goes anywhere that you haven't confirmed as an okay destination,” Regan adds.
In combating cyber risks, vigilance is key.
“It’s such a fast-changing landscape,” Regan says. By continually taking steps to mitigate cybersecurity exposures, facility professionals can reduce the likelihood their organizations become victims.
Karen Kroll is a freelancer based in the Twin Cities of Minnesota.
Facility Managers Share Responsibility for Cybersecurity
Ransomware Is a Significant Risk to Facility Security
