Colonial Pipeline, the largest oil pipeline in the United States, recently paid for ransomware $ 4.4 million to regain control of its own pipeline, which underscored the urgency for companies to prioritize how best to protect their assets. With the threat of cyber attacks looming, more attention needs to be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operating technology (OT) systems saw a jump of 74%, with financial costs running into the hundreds of billions of dollars each year.
Technological advancements in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must protect both access to corporate IT systems and their critical infrastructure, such as power, HVAC and intelligent building control systems.
Even though it was eight years ago, it’s easy to remember the infamous 2013 Target hack that happened through the HVAC system contractor and compromised 40 million financial accounts. The commercial building industry must learn to protect itself against these invisible hackers who patrol the Internet in search of flexible targets.
The unique ecosystem of BMS
Smart buildings are particularly vulnerable to cyber attacks as more IoT devices are deployed and the use of remote management tools increases. While IT systems typically focus on the basic security triad of information confidentiality, integrity and availability, the BMS security triad is different. The BMS should focus on the availability of operational assets, the integrity / reliability of the operational process and the confidentiality of operational information. Deploying a multidisciplinary defense approach at all levels of the system requires a balanced focus between costs and benefits on operations, people and technology.
Cyber risk management begins with organizational governance and leadership level commitments. This may include developing a cybersecurity strategy with a defined vision, goals and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior management should ensure that the right technologies are purchased and deployed, that defenses are deployed in layers, that access to the BMS through the computer network is limited as much as possible, and that detection technologies are intrusion are deployed.
Make BMS networks more resistant to threats
It is essential to have a multi-layered defense system that identifies, manages and reduces the risk of exploitable vulnerabilities at every stage of the lifecycle. For example, using one vendor’s anti-virus software for email and another vendor’s software for servers can potentially create a larger network of malware protection. Building a secure BMS defense architecture begins with a risk assessment and designing a cybersecurity specification for your system that includes consideration of measures such as establishing a firewall, IPS, NAC, permissions, antivirus, updates, user training and backups.
While cybersecurity hardening should be tailored to the specific organization, there are several proven and robust cybersecurity frameworks and standards that can serve as guides. IEC 62443 is adopted globally and offers a series of standards specifically geared towards digital control systems for buildings, providing IT and OT teams with a common ground from which to work. These standards describe a risk-based approach to developing secure embedded devices and software that are protected throughout the system lifecycle, as well as the design and implementation of secure building control systems.
Protect yourself against social engineering
The weakest potential links in any BMS are the people who administer and use the systems. Through unintentional actions, such as forgetting to revoke the credentials of former employees, or intentional, such as leaking confidential information, employees can pose a security risk. Attacks can also come from social engineering tactics. The only limit to social engineering is the criminal’s imagination, making it the easiest path to gain unauthorized access to a BMS.
Suppose cybercriminals take advantage of social engineering techniques to gain access to a digital access control system and physically gain access to otherwise protected areas. The building owner suddenly runs the risk of hackers locking in or taking out occupants, controlling elevators, forcing shutdowns, or taking control of other security systems. Unauthorized network access could also be used to extract operational or financial data.
To avoid this, not only must a control system network be properly segmented from the business operations network, but employees and contractors must be trained to resist such attacks. Awareness training needs to be stepped up every year and companies can establish and communicate deterrents for breaches of cybersecurity policies. Threat modeling will also help identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a safety management system based on IEC 62443-2-1.
Increasingly sophisticated attacks require constant vigilance, and evolving defense strategies are crucial. Companies must have disciplined maintenance of their BMS systems and regularly train their employees to guard against social engineering malfeasance. These investments will benefit the organization in the long run by reducing the number of cybersecurity incidents and thereby preventing loss of revenue and preserving the reputation of their business.
Megan is Vice President and Head of Product Safety for Energy Management at Schneider Electric. She is responsible for driving the product safety strategy and programs for Schneider Electric’s energy management business, with a focus on industrial control systems … See full bio