What the spike in ransomware attacks means for commercial building cybersecurity

Sept. 20, 2021
Proliferation of IoT devices combined with the pandemic-driven shift to remote work have made smart buildings particularly vulnerable

The Kaseya ransomware attack this summer paralyzed over 1,500 organizations globally and set off a race among criminals looking to exploit similar vulnerabilities. As companies urgently look to plug cybersecurity holes within their organizations, the importance of paying attention to the integrity of building management systems (BMS) can’t be overstated. The increased use of IoT within BMS and the interconnectedness of systems within a company, along with remote operations becoming the norm during the pandemic, have made buildings especially vulnerable to cyberattacks.

From 2011 to 2014, the number of cyber incidents involving OT systems saw a 74% jump, with these cyberattacks costing hundreds of billions of dollars each year. The commercial building sector must find ways to safeguard both its connections to the company’s IT systems and its mission-critical infrastructure. For example, the infamous 2013 hack on international retailer Target came in through credentials stolen from the retailer’s HVAC system contractor, which the attackers used to reach Target’s network, and compromised 40 million credit and debit card accounts. How can the commercial building sector protect itself against hackers scouring the internet in search of soft targets?

Understanding the Distinctive BMS Ecosystem

Smart buildings are particularly vulnerable to cyberattacks because, as more IoT devices are deployed, the IT and OT systems converge, and the two have different security priorities. While the IT core security triad is confidentiality, integrity, and availability of information, in that order, the BMS security triad is, in order, the availability of operational assets, the integrity and reliability of the operational process, and the confidentiality of operational information. Deploying a multi-disciplinary defense approach across system levels therefore requires a cost-benefit balanced focus on operations, people, and technology.

Managing cyber risks effectively starts with organizational governance and executive-level awareness and commitment. Senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and intrusion detection technologies are deployed. The operations team needs to create and implement the activities necessary to sustain the security posture of operations on a day-to-day basis. For example, this can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, like the number of building control system vulnerability assessments completed, to track effectiveness and impact. Meanwhile, HR should communicate about cybersecurity issues with employees and make sure they have cybersecurity training, along with establishing and assigning security policies, procedures, and responsibilities across the organization.

Guarding against social engineering

The potential weakest links in any BMS are the people who administer and use the systems. Through unintentional actions, like lax password management, or intentional ones, such as leaking confidential information, employees can create a security risk. Attacks can also come through social engineering, in which a hacker uses deception and manipulation to get a person with internal access to networks or databases to follow the attacker’s instructions under false pretenses. The criminal’s imagination is the only limit to social engineering, which makes it the easiest path to unauthorized access to a BMS.

If a cybercriminal uses social engineering to gain access to a digital access control system, and with it physical access to otherwise protected areas, the building owner is at risk of hackers controlling the elevators, forcing the power off, or taking control of other safety systems. Unauthorized network access could also be used to extract business operational or financial data, damaging business continuity and brand reputation.

To prevent this, a control system network must be properly segmented from the business operations network, with only explicitly approved connections (the zones and conduits of IEC 62443-3-2) allowed to cross between them. Threat modeling will help to identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a security management system based on IEC 62443-2-1. Employees, contractors, and business partners must also be specially trained to resist such attacks. Awareness training should be reinforced annually, and companies should also establish and communicate deterrents for non-compliance.
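As an added example (not from the article or from Schneider Electric), the check below models the segmentation and least-privilege point above: a business zone, a BMS zone, and a single approved conduit from an engineering jump host into the BMS zone on the two control protocols. It then runs over constructed flow records and reports every flow that crosses into or out of the BMS zone outside that conduit. The zone addresses, the jump host, and the flow-log format are assumptions made for illustration; the BACnet/IP (UDP 47808) and Modbus/TCP (TCP 502) port numbers are the protocols’ standard defaults.

```python
"""Zone/conduit policy check over flow records (added example, not the article's code).

Two zones (business, BMS) and one least-privilege conduit: the engineering jump host
may reach BMS controllers on BACnet/IP and Modbus/TCP only. Any other flow that
crosses a zone boundary and touches the BMS zone is reported as a violation.
Addresses, the jump host and the sample flow lines are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

BACNET_IP_PORT = 47808   # 0xBAC0, BACnet/IP default UDP port
MODBUS_TCP_PORT = 502    # Modbus/TCP default port

# Assumed address plan (constructed).
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "bms": ipaddress.ip_network("10.50.0.0/16"),
}


@dataclass(frozen=True)
class Conduit:
    src: ipaddress.IPv4Network   # who may initiate
    dst: ipaddress.IPv4Network   # what may be reached
    proto: str                   # "tcp" or "udp"
    dport: int


# The only approved conduits: one jump host, two control protocols, BMS zone only.
ALLOWED = (
    Conduit(ipaddress.ip_network("10.1.5.10/32"), ZONES["bms"], "udp", BACNET_IP_PORT),
    Conduit(ipaddress.ip_network("10.1.5.10/32"), ZONES["bms"], "tcp", MODBUS_TCP_PORT),
)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one constructed record: 'src dst proto dport', whitespace-separated."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def zone_of(addr):
    """Name of the zone containing addr; anything outside the address plan is 'external'."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_permitted(flow):
    """True if some approved conduit covers this flow exactly (source, destination, protocol, port)."""
    return any(
        flow.src in c.src and flow.dst in c.dst and flow.proto == c.proto and flow.dport == c.dport
        for c in ALLOWED
    )


def find_violations(lines):
    """Return flows that cross a zone boundary into or out of the BMS zone without an approved conduit.

    Intra-zone traffic (e.g. controller to controller inside the BMS zone) is not judged here;
    that is a matter for controls inside the zone, not for the boundary.
    """
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        crosses_boundary = src_zone != dst_zone
        touches_bms = "bms" in (src_zone, dst_zone)
        if crosses_boundary and touches_bms and not is_permitted(f):
            violations.append(f)
    return violations


def describe(flow):
    """Human-readable one-liner for a reported flow."""
    return f"{flow.src} ({zone_of(flow.src)}) -> {flow.dst} ({zone_of(flow.dst)}) {flow.proto}/{flow.dport}"


# Constructed sample flow log: one approved BACnet flow, one approved Modbus flow,
# then four boundary crossings that the policy does not allow, then intra-zone traffic.
SAMPLE_FLOWS = """
# src          dst          proto dport
10.1.5.10      10.50.3.21   udp   47808
10.1.5.10      10.50.3.21   tcp   502
10.1.7.44      10.50.3.21   udp   47808
10.1.5.10      10.50.3.21   tcp   3389
10.50.3.21     10.1.9.200   tcp   445
203.0.113.7    10.50.3.22   tcp   502
10.50.3.21     10.50.3.22   udp   47808
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS.splitlines()):
        print("VIOLATION", describe(v))
```

The four reported flows are the cases a practitioner should expect a boundary control to catch: an ordinary business workstation speaking BACnet to a controller, the jump host using RDP instead of a control protocol, a controller reaching out to a business file share, and an internet address reaching Modbus directly. Feeding the same check real firewall or flow-export records is a simple way to turn the segmentation requirement into a measurable metric of the kind the governance section calls for.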

Increasing Threat Resistance

Constructing a secure BMS defense architecture starts with a risk assessment and a cybersecurity specification for your system that considers measures such as firewalls, IPS, NAC, permissions, antivirus, patching and updates, user training, and backups. Identifying, managing, and reducing the risk of exploitable vulnerabilities at every stage of the system, network, and sub-component lifecycle is key. If one layer of defense turns out to be inadequate, another layer must be in place to prevent a full breach. For example, using one vendor’s antivirus software for email and another’s for servers can cast a broader net of protection against malware.

While building cybersecurity should be tailored to fit the specific organization, several proven and robust cybersecurity frameworks and standards can act as guides. IEC 62443 is a series of standards for industrial automation and control systems, including the digital control systems used in buildings, giving IT and OT teams a common ground to work from. The IEC 62443 standard has been approved by many countries and is being adopted by organizations around the world. These standards outline a risk-based approach to developing secure embedded devices and software, the design and implementation of secure building control systems, and the ongoing protection of secure devices and systems throughout the system life cycle.

Cybersecurity threats are an unfortunate reality that will only continue to increase. As attacks become more sophisticated, constant vigilance and evolving defense strategies are critical. Investing in a defense architecture to secure and protect the exchange of data and analytics between critical building systems is no longer optional. Companies must maintain their BMS with discipline and regularly train their employees to guard against social engineering. There must be an ongoing team effort between senior leadership, operations, HR, and the IT and OT teams in order to properly safeguard the BMS against the risk of cybersecurity incidents.

About the Author:

Megan Samford is the Chief Product Security Officer for Energy Management at Schneider Electric. She is responsible for driving the product security strategy and programs for Schneider Electric’s Energy Management business with a focus on industrial control systems security, critical infrastructure protection, and risk analysis. Megan brings a unique perspective to the security community, based on her diverse private and public security background, with an interest in utilizing proven concepts from traditional critical infrastructure protection and emergency management foundations and applying those to cyber, in particular for industrial control systems incident response.