The need to protect buildings with a cyber security system can be correlated to the increasing profile and volume of attacks against these assets. It is no longer possible to remain blissfully unaware that buildings without a proper Building Management System (BMS) are valuable targets for cyber threats and cyber-attacks. One of the first high-profile attacks in 2014 was targeted at a large US retailer. A malicious outsider gained access to the Point-of-Sale systems through the Operational Technology (OT) networks. They exfiltrated millions of credit card numbers, and the access went unnoticed for several months. The initial point of access for this attack was the HVAC remote access system – left wide open by the contractor, without any access control, for the convenience of remote monitoring and service.
Prime Minister Scott Morrison also recently warned that spy agencies have witnessed increased hacking activity targeting a wide range of assets. Foreign state-backed attackers appear to be targeting buildings, public infrastructure and private OT systems.
For proactive customers, interest is usually driven by fear. Customer conversations are now often led with ‘I don’t understand any of this but I don’t want to be in the news either’. The amount of fear mongering aimed at building owners across the property industry is increasing. Businesses need to have sensible conversations with a trusted partner to understand why they are purchasing a cyber security solution – rather than just ticking a compliance box. Most corporate compliance policies now require a cyber solution to safeguard against an attack. Fully understanding the threats will help building owners formulate a plan to prevent or minimise the damage caused by a future cyber-attack.
Ransomware is on the increase. A growing number of customers are reporting OT networks that have been infected with malware. This type of malware rarely has a single target in mind and whilst it’s busy encrypting all the files on a computer, it is looking for the next target within the same network. These infections quickly spread to every computer within the network and can sometimes make their way onto unexpected equipment such as a CCTV camera or shopping centre wayfinder.
This type of malware is becoming more and more common as cybercriminals have realised how effective this method can be to quickly raise funds. It usually spreads through phishing emails (“Click here to claim your free honey glazed ham!”) but has also been known to spread through vulnerabilities in operating systems and equipment. Most of the world was affected by the ransomware dubbed ‘WannaCry’ in 2017 with devastating consequences, which increased the need for vulnerability management.
Building owners commonly make three mistakes: no network segmentation, unmaintained hosts within networks and mixed use of the OT network.
The first step, segmenting the network, is critical in reducing overall cyber risks and reducing the blast radius in the event something does happen. Depending on how the security and control system is segmented, building owners may reduce the exposure to a ransomware attack from their entire network down to only a small slice of it.
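To make the blast-radius point concrete, the following added example (not part of the original article) compares how far an infection could spread from one compromised host on a flat network versus a segmented one. The host names, segment names and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: host -> segment (all names are hypothetical).
HOSTS = {
    "bms-server": "bms",
    "hvac-remote-gw": "hvac",
    "hvac-controller": "hvac",
    "cctv-nvr": "cctv",
    "cctv-cam-01": "cctv",
    "wayfinder-kiosk": "signage",
    "pos-terminal": "retail",
}

# Constructed allow-list of inter-segment flows: (source segment, destination segment).
ALLOWED_FLOWS = {("bms", "hvac"), ("hvac", "bms")}


def blast_radius(start, hosts, allowed_flows, flat=False):
    """Return every host a self-spreading infection could reach from `start`.

    flat=True models an unsegmented network where any host can reach any other.
    Otherwise a host reaches peers in its own segment and hosts in segments
    that the allow-list permits from its segment. Spread is transitive
    (worst case): each newly reached host spreads in turn.
    """
    if start not in hosts:
        raise KeyError(f"unknown host: {start}")
    reached = {start}
    queue = deque([start])
    while queue:
        src_seg = hosts[queue.popleft()]
        for host, seg in hosts.items():
            if host in reached:
                continue
            if flat or seg == src_seg or (src_seg, seg) in allowed_flows:
                reached.add(host)
                queue.append(host)
    return reached


if __name__ == "__main__":
    entry = "hvac-remote-gw"  # the kind of entry point described in the 2014 case
    for label, flat in (("flat", True), ("segmented", False)):
        hit = blast_radius(entry, HOSTS, ALLOWED_FLOWS, flat=flat)
        print(f"{label:>9}: {len(hit)}/{len(HOSTS)} hosts -> {sorted(hit)}")
```

Running the same function against a real asset register and firewall rule set shows which allowed flows contribute most to the reachable set.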
The second step is the maintenance of hosts operating on OT networks. Often, a contractor will supply and install a server or workstation for their building system to run. What is rarely discussed is who is responsible for the ongoing maintenance of this machine. Building owners will assume the contractor is, and the contractor will assume the building owner is. This results in a grey area with nobody applying updates, ensuring anti-malware protection is installed and so on. The previously referenced WannaCry attack could not affect hosts that had the most current Windows updates applied.
Finally, a common mistake is the mixture of use cases for an OT network. Not only should the network be segmented into chunks, but users should not be allowed to perform functions outside of what is necessary to operate the OT in that building. The most common entry points for infections stem from personal email use on the OT networks. Users often don’t have the luxury of email filters that corporates install. Without any anti-malware or software updates installed, a single click on a phishing link can quickly result in a total network takeover.
There are several IT solutions to choose from. Some of the most popular include firewalls, intrusion detection systems and endpoint protection. Commercial building owners need to understand that OT does not operate in the same way as IT equipment. Choose cyber security equipment and policies that cause limited disruption to the current network and technologies and that work within the OT ecosystem. Understanding how humans interact with the systems is also an important consideration. Facility managers, HVAC system technicians and CCTV installers all need to work together to fully understand the technical requirements of the cyber security system to ensure it is effective.
By Cameron Exley, Cybersecurity & OT Networks Manager at Grosvenor Cyber Solutions