Recent high-profile ransomware and cyberattacks expose vulnerabilities in commercial buildings that are far too widespread. In fact, the same headline-making exposures of late can be faced by any company that uses operational technology (OT) and information technology (IT).
OT systems like pipelines and water systems are the same technology that are in all commercial buildings. Audits of systems in the United States and Canada — including commercial real estate, health care facilities, government buildings, retail facilities, schools, banks, public venues and military bases — show in almost every case that the organizations have virtually the same vulnerabilities and bad practices.
Smart leaders across the nation and around the world should be thinking: “Maybe it could happen here.” The question becomes how to prevent similar attacks and how to position your organization to meet upcoming cybersecurity mandates with wide-ranging implications. Those of us in the cybersecurity business are aware of many such incidents, including some stories from my experience:
- A Los Angeles-area office building with several high-profile tenants that received a bomb threat sent to an internal printer connected to a parking control system on a public-facing network accessible to anyone on the internet, forcing the evacuation of the building for two days.
- In Canada, an office building management system (BMS) was shut down and central plant equipment was damaged due to the deployment of ransomware and a virus. The BMS contractor provided and maintained the BMS computer with no restrictions on personal activities. An operator clicked the email link that deployed the ransomware and virus.
What’s scarier is the relatively low level of sophistication needed to execute a catastrophic cyberattack. Many times, businesses trust IT departments with the complete security of their systems, but there’s a gap between IT and OT that is often overlooked. For many, OT exposures are a gateway to IT compromises. What’s more, there is an area of cybersecurity that IT companies and departments have been unable to tame — the vulnerability, fragmentation, and inconsistency from building systems and contractors.
Some notable attacks have occurred because vendors were targeted and then unknowingly shared malicious code with clients ranging from Fortune 500 companies to high-level government agencies. Can you be sure that the vendors you work with aren’t just as susceptible to phishing or other attacks? Even if your own systems have securities in place, third-party exposures can impact your organization.
In my experience, 98% of organizations have no building system configuration setup requirements for operators, creating opportunities for exposure. Additionally, 85% of organizations have inadequate or no building system backup procedures, should an attack occur.
The bottom line is it takes both IT and OT to prevent or work through a problem. Processes like a fully vetted incident response plan, proactive vendor risk management and realistic (and regular) assessments are vital.
I’ve seen what can happen when these bare minimum attributes are not in place. Hacking is a business and your data is the commodity. As a cybersecurity expert, I am all too familiar with the dark web tactics. These individuals are more sophisticated than many assume; we’re dealing with organized, talented businesses not antisocial teenagers in a darkened basement.
The dark web is a high-tech, innovative space full of expert hackers gaining access to data on an hourly basis. In my experience and research in that realm, I am confident in saying there are thousands of attacks daily that go unreported. If the compromised data does not involve sensitive personal information of users or customers, it tends to be swept under the rug, but the recent newsworthy attacks became newsworthy because of their impact on OT systems.
The OT systems in facilities may include HVAC, elevators, lighting controls, metering, fire safety, access control, and other technologies, all subject to hacking, misconfiguration, phishing, and ransomware. Whether you work with an intelligent building, smart building systems, or whatever you want to call it, OT system cybersecurity matters.
These incidents — and the relatively low level of skill needed to carry out the attacks — should have all company leaders moving to assess vulnerabilities of their buildings’ OT systems and therefore their IT systems. One thing is clear: Cyberattacks will continue and businesses of all sizes need to take action to assess vulnerabilities.
Fred Gordy is Director of Cyber Security at Intelligent Buildings, a company focused on Smart Building advisory, assessment, and managed services at scale for both new projects and existing portfolios.