Convergence Q&A

July 21, 2010
Responsible disclosure and physical security risk

The previous issue's column discussed vulnerability disclosures and security researchers, a discussion that focused on physical security industry products. However, as buildings become more automated, their control systems (such as lighting, HVAC, facility access, intrusion detection, electronic signage and landscape irrigation) use the same network infrastructure to enable interoperability of systems, and along with the tremendous operational benefits come additional security and safety concerns.

Q: Some folks in IT have been reading about security convergence, and are asking me, the facility security manager, about any notifications or disclosure information that I'd like to get from them. Why would I want to know about electronic threats or vulnerabilities to IT systems or networks? How could that information help me in my physical security role? What would I do with it?

A: Responsible disclosure allows systems managers to put temporary countermeasures in place until permanent fixes can be applied. But such disclosures also provide inspiration for updating the threat model and response scenarios. So, it is not just incident notification that is needed, but sharing of vulnerability identification in a way that lets threat models and response scenarios be updated appropriately.

Would you schedule a fire drill that put people in a landscaped area at the same time the lawn and garden sprinklers were set to go off? Of course not. But suppose a disgruntled former employee or contractor took control of building systems, and forced a night-time evacuation into areas where all lighting had been shut off and the grounds had been overwatered. Injuries could occur in addition to lost productivity.

Thus, security and safety managers would want to know about a building control system vulnerability, which could cast a new light on sudden unexplained malfunctions in multiple building systems. If lighting could be affected, an emergency lighting plan review might be called for, to update it based on current building occupancy and usage, as well as recently identified potential threats. This aligns with the concept of continuous improvement, something that is a business strategy for many companies. Sometimes only incremental security or safety improvements are called for when risk models change; it is prudent to update security and safety measures as conditions change over time.

Responsible Disclosure Example

I have had a number of readers ask for an example of what a vulnerability disclosure looks like. These are often also called security advisories, and I based my response to this issue's question around a recent security advisory from Cisco that was released in May 2010 and updated in June. See http://tinyurl.com/example-security-advisory.

This advisory provides an example of the kind of disclosure content that enables system users and those with related security responsibilities to take appropriate action.

In this case, the vulnerabilities found could allow adversaries to easily obtain administrative passwords, thus making it possible for outsiders to take control of a building's most critical control systems. The advisory states, "Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device." The notice also warned that the vulnerabilities are present in the legacy products from the Cisco-acquired company that originally designed the system. The advisory offers several workarounds and common-sense configuration settings.

The bugs were discovered during internal testing. In other words, Cisco could have kept the information to itself but did not - because that would not be the responsible thing to do. Doing the right thing for the customer does not mean doing so just when it bumps revenue dollars up. It means doing it regardless of the short-term impact. In the long term, that strategy is a win-win situation for any well-run and well-intended company.

The details of this particular disclosure reveal another important big-picture fact. The technology helps customers use IT to automate and remotely control tasks that used to require manual procedures. That can provide significant new cost savings for building operators, partly because the product is designed to seamlessly interact with larger power grids. IT, corporate security and safety managers take note: with Smart Grid coming, threat models require updating to include the related new risk scenarios. The Smart Grid actually reduces many risks that are unacceptable in our current power infrastructure. Here are three sources of information: the "Smart Grid" topic in Wikipedia, http://galvinpower.org for an introduction to many new smart grid concepts, and the Department of Energy's introduction to the rationale behind the Smart Grid initiative at http://www.oe.energy.gov/DOE_SG_Book_Single_Pages.pdf.

One final note: if you don't already have a cross-functional risk committee or risk council, it is a best practice worth considering.

If you have convergence experience you want to share, e-mail your comments to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I'd like to see it. We don't need to reveal your name or company name in the column. I look forward to hearing from you!
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 23 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).