Last September, Gartner included cyber threats to physical processes and assets in its ‘Top nine security and risk trends for 2020’. The global research company explained how “emerging threats, such as ransomware attacks on business processes, potential siegeware attacks on building management systems, GPS spoofing and continuing OT (operational technology)/IoT (Internet of Things) system vulnerabilities, straddle the cyber-physical world”.
Security misconfigurations or, in some cases, a total disregard for security, resulting in opportunistic attacks, are some of the most common security shortcomings today. A further problem is that many businesses have yet to decide who will be the owner of the systems installed – many of which enable remote access. With no clear ‘owner’ and systems installed and maintained in the quickest and cheapest way possible, systems and entire buildings and portfolios are vulnerable to costly ransomware attacks.
Ransomware is carried out by robots constantly scanning the internet to find access to exposed systems. Once in, they will encrypt every file in a computer, locking the user out, and demand bitcoin or cryptocurrency before they grant access again. It has long been an IT security issue, but can also impact building management servers that may control multiple systems like lighting and HVAC.
Picture the wasted stock a large-scale butcher would have to throw out if their refrigeration system was tampered with, or high-rise building occupants stuck in a lift after elevator control systems were locked down. These are extreme examples, but a wake-up call. Organisations must consider what they could be liable for, in the result of an attack. More commonly, the issue revolves around money. Opportunistic robots don’t care what the system is, all they want to do is lock it up and ransom it back to its owner for cryptocurrency.
Not defining clear lines of ownership is one the biggest mistakes an organisation can make when it comes to OT security. Between FMs, OT managers and, sometimes, their BMS contractors, there are often no clear lines of accountability for the system. If all concerned think that somebody else has taken responsibility for it, then nothing will happen and attacks become harder to predict and avoid. There’s no rule for who should own any particular system – as they are all different – as long as somebody does.
To inform your decision on who’s going to own OT security, you need an understanding of what’s required, such as how to build a security policy. This is a fairly technical and advanced procedure and, most of the time, it is unfair to expect FMs or contractors to build this by themselves. Progress is being made in this area, though, as many buildings and real estate investment trusts are building cyber security policies and empowering their FMs to communicate cyber risk with contractors. For this reason, a contractor who provides support that helps FMs understand and meet their security requirements, regardless of their OT security literacy, is key.
Cyber cloaking: the best defence
Without cyber cloaking, you are exposed directly to the internet. The opposite needs to be true. Cyber cloaking will hide you to the point where, based on the Australian Cyber Security Centre’s recommendation of security modelling, nothing should be accessed without some sort of VPN (virtual private network). This prevents bots and unknown people on the internet from being able to detect your equipment during their scans.
Awareness of, and protection from, hazards is growing. The Federal Government is just one official body reporting that it is seeing many more active attack attempts targeting uncloaked assets that are available on the internet.
Unfortunately, there remains reluctance from people who don’t appreciate the threat, who feel they cannot afford protections or who have no desire to understand the problem. But if you’re swimming at the beach and there’s a shark in the water, you don’t want to be the slowest swimmer. Along with the risk, the inconvenience of implementing these systems will become more and more costly over time as more equipment becomes attached to the network and has remote access functionality – especially for some of the connected safety systems used in care facilities, for example. It would be inadvisable to be put in a position where you’re liable. Doing the risk modelling and understanding the risk you’re accepting is an affordable first step to getting the right solution and finding the right partner.
Getting an audit
The best way to spot the gaps in your OT system is with an audit. These are very inexpensive and provide a basic understanding of your network and the assets connected to it. An audit could be especially valuable in systems where an FM has been working on the one asset or portfolio for a long time; perhaps it has been operated on by a range of different contractors over the years, who’ve all followed their own procedures, which may not have always been best practice to today’s standards. The audit can help you understand exactly where your exposure is, giving you the visibility on your systems to help you understand your OT security needs.
A cyber security service can be expensive and complex to set up, but if it’s operating efficiently and protecting everything well, you shouldn’t even notice it’s there. What you don’t need is a third party installing very expensive controls that may not be the right match. There’s a lot of IT security out there that does not work in OT. So, choosing the right partner and solution is important, but should not be daunting.
Finding a match
Many vendors will try to sell fear, but doing so isn’t helpful and it certainly won’t help FMs get the right funding for the right solution. You need to sit with someone, conduct a proper risk model and understand exactly what risks you can accept and what risks you cannot.
The conversation should cover basic questions and answers, such as: ‘If someone gets access to the lighting control system, what control will they have? What is the worst situation you could imagine if someone was to abuse that control?’
Consider such things as part of a very sensible conversation about all the risks involved with your systems and what controls you can place around them that will have minimum impact on your operations.
Show me the money
Finding the right partner shouldn’t be too difficult, but the greater battle is often presenting the idea to your building owner or corporate board to secure funding. As an FM you’re given a budget and are going to allocate it as efficiently as possible, spending what’s needed to keep your tenants happy and protected.
People struggling to get funding may worry about the risk and the main recommendation is always the audit – the affordable first step – which enables you to build a case. You need to be able to go back to your executive team and clearly articulate the risk, as well as the potential consequences. A good partner may be able to assist your understanding of the costs involved in recovering from different scenarios – these are powerful tools in executive conversations.
Cameron Exley is cyber security and OT networks manager at Grosvenor Cyber Solutions, an entity of Grosvenor Engineering Group.