As 2020 approaches, many security professionals and facility managers are planning for the year ahead and determining how to implement new technology that’s making waves in the industry today. However, as they look to 2020, they must also consider how much has changed since February 2008.
Jan. 14, 2020, is a date that facility managers should note: the day that Microsoft will end regular security updates for servers operating on Windows Server 2008 and 2008 R2. It also marks a day that, if not prepared for adequately, could leave businesses that have not upgraded or migrated their server systems vulnerable and at increased risk of cyber attacks.
The threats to data and physical assets – such as buildings and their occupants – become even more worrying when you consider the current volume of Windows security updates. Windows patches about 70 vulnerabilities to its system each month, but after Jan. 14, these will be left unchecked. Those monthly exposures will start to compound each month, leading to a potential exponential threat to businesses and their facilities.
When it comes to up-to-date building systems, only about half of the businesses globally are on top of it – according to Amazon Web Services – which is concerning as this January deadline draws nearer. It’s critical for the other 50% of building systems and their respective facility managers to understand the risks associated with outdated Windows software and to assess the urgency of upgrading to a newer system.
If You Let It Go, The Threat Will Grow
At this point, cyber attackers are likely aware of Microsoft’s cutoff date and that no security patches will be issued to servers and systems after Jan. 14. They may also anticipate that some businesses are dragging their feet on making the necessary upgrades, conceivably developing ways to exploit the issue on Jan. 15.
Today, the attackers may already be identifying which organizations are currently running on the soon-to-be unsupported systems and monitoring whether they upgrade. Once businesses are identified, the attackers can then begin designing initial exploits to be distributed to unsecure networks, and can continue the attacks over time.
Cyber attackers typically learn from the failures of others or find existing “cracks” previously created by peers that they can widen. The vulnerabilities of Windows 2008 are expected to intensify, making it easier for unwanted parties to enter the system.
Risk is a Two-Way Street
As a facility manager, upgrading your own building’s system may not be enough to ward off cyber attacks. Failing to upgrade before the Jan. 14 deadline also puts both contractors and customers at risk to external threats to building security. In this case, the weakest link in the overall system can lead to tremendous consequences. Weak links can include an infected USB stick, unsecured laptop connection, old firmware in devices connected to a company’s network and more.
For example, contractors who perform work on customer sites with outdated systems may open themselves to an attack. Once they connect or plug into the system, they may unknowingly pick up a virus and subsequently extend it to other customer sites. The virus could then spread, causing the number of affected businesses to grow exponentially – all as a direct result of one company failing to upgrade to a supported Windows system.
The Threat to Your Building
We see that cyber attacks on outdated systems are constantly on the horizon, but you may wonder: what does the attack look like?
Ransomware attacks are probably the most common threat facing companies. Facilities such as hospitals, schools and government buildings often fall victim to malicious entities who install ransomware, which could provide control of all digitally connected devices.
For instance, a Windows entry point could lead to compromised building controls that allow hackers to unlock doors and cause major security concerns. Compromised video surveillance systems could also allow cyber criminals to see deep into a building’s space.
Delaying Upgrades Will Come at a Cost
Ahead of the approaching deadline, how can businesses ensure that their buildings, occupants and other assets are safe from cyber threats permitted by the Windows service cut-off?
Companies not yet ready to upgrade to a newer environment for whatever reason may commonly air gap their system and physically isolate the network from other unsecured networks – such as the public Internet or an unsecured local area network. Unplugging a building’s systems from the outside insulates it from some threats, but in no way guarantees that vulnerabilities would not be exploited. In other words, upgrading the overall system would still be necessary to ensure a business’ buildings remain secure.
The first step for businesses is to perform an analysis to understand their system and requirements, before upgrading. For instance, they’ll need to understand whether it requires hardware upgrades in addition to software upgrades, possibly due to its age. While the addition of hardware upgrades would lengthen the overall process – upgrading system software from products no longer supported by Windows would only take on average up to a week to complete.
Another option for businesses looking to both secure their buildings, people and assets, while also continuing to transform digitally is to migrate to a cloud or web-hosted virtual environment. This future-proofs organizations and facilities to preempt other end-of support issues, and lessens the burden on companies to manage their own backups and security. The responsibility then falls to hosting providers, allowing companies to focus more narrowly on their core business.
Where to Go from Here
As Microsoft’s cutoff date fast approaches and with many possibly unprepared companies, there is no excuse for a business to operate buildings without upgrading to a supported system before Jan. 14, 2020. Threats will only grow, placing business assets and staff at greater risk.
Think about it this way: if someone has the master key to your building management system and you’re not changing the locks, you’re always looking over your shoulder. The time is now to change those locks.
Greg Turner is Senior Director of Global Technical Services for Honeywell Building Solutions.