Cyber security: the weakest link
The ubiquity of IoT devices in the built environment means facility managers must be fully prepared for cyber risk, as MICHELLE DUNNER reports.
US retail giant Target found out the hard way that, in protecting yourself from cyber risks, you’re only as strong as your weakest link.
In 2013 the company paid out US$18.5 million after a massive data breach affected 41 million customers. But how did the hackers get in? According to US security investigative reporter Brian Krebs, it was through an IoT-enabled air-conditioning system installed by a contractor.
While most facility managers’ cyber security protocols are undoubtedly focused on ensuring the reliability and integrity of operational assets, a holistic approach is required.
Craig Wishart, chief information officer at KPMG, says the connected world has to change the way we view our risk profile.
“IT systems have developed mature frameworks and technologies to address cyber threats,” he says. “Interconnected smart buildings must address and respond to the complexity and convergence of applied technology.”
Wishart says this is true of both physical and virtual smart building ‘architectures’. “Active and passive monitoring, patch management and event alarms must be considered across critical building systems.”
Jim Cook of Malwarebytes, a global cyber security and anti-malware software provider, agrees the complexity of the environment is a challenge for facility managers. “There is a lot of effort going into understanding, from a big data point of view, what the threats are, to build better protections,” he says.
So, what should FMs running building management information systems or using IoT technologies know, at a base level, about cyber security? Cook says facility managers need first and foremost to be aware that the technology in their buildings is of interest to cyber attackers.
“I can think of several key reasons,” he says. “The first is to directly disrupt the built environment – hackers are looking to get into industrial control systems as a jump-off point leading to other attacks within the network. That’s what happened at Target and the way hackers got in there was the air-conditioning system. It’s something that will become a larger concern for building managers because all systems will come under much more scrutiny and there could be issues if the systems provided by contractors can’t be demonstrated to be secure.”
Cook cites the Mirai malware, which infected over 600,000 IoT devices to virtually render the internet inaccessible across the east coast of the US in October 2016, as evidence of the potential inherent vulnerability. “This was a distributed denial of service attack and it was able to spread through small IoT devices – very much a wake-up call for the security approach, given many such devices are built from the ground up without security in mind.”
“Another growing issue this year is cryptocurrency. While there are still massive threats from ransomware, cryptocurrency mining is a much ‘safer’ way for cyber criminals to extract value out of a compromised device.”
A Malwarebytes report in 2017 claimed the company had blocked an average of eight million “drive-by mining attempts” around the world each day. Cyber criminals are infecting websites with crypto-mining code and gaining access to system resources without the victims even being aware.
“An organisation could have 100,000 small devices running in a network and everyone is getting on with what needs to be done but, in the background, these computers could be mining crypto-currency for criminals,” Cook says.
While ransomware attacks garner a lot of media attention, criminals are no longer making significant money out of these, Cook believes. “I’d say ransomware generated perhaps $70,000 last year. Mining cryptocurrency is what we’re seeing much more of – because it doesn’t directly affect users in the network, there is less focus on it as a risk from companies.”
AN IRON-CLAD SOLUTION?
Even with the most tightly controlled and sophisticated security systems in the world, nothing is foolproof. In April this year, a British teenager was jailed for two years after hacking into the phones and systems of senior US CIA (Central Intelligence Agency) and Homeland Security officials.
The BBC reported at the time that the hacker was even able to send the then secretary of Homeland Security a message through his smart TV saying: “I own you.”
Cook says companies need to know no security protocol is 100 percent effective. “What’s critical is the overarching visibility of the system and the speed of dealing with issues. Organisations need to know how and where and what the issues are and how to remediate them.”
THE PAIN POINTS FOR FMS
Facility and building managers have a huge diversity of networks and technologies. “It’s a non-standard environment,” Cook says. “We’re not talking all Windows-based or all Mac. Hardware comes from a variety of companies and the microchips within may also be from different suppliers.
“That’s the main pain point – how do you achieve a security solution that covers everything? There was a real issue last year where Intel had to issue a patch for many of its chips. The issue for facility managers is knowing which devices feature that chip.
“Can they go around to each individual video camera or lift and be able to determine which chip powers it and does it need to be patched?
“The answer for FMs is to segment their networks into manageable chunks. Put IT-based video cameras on a different network from the air-conditioning, entry points or lifts, just to name a few examples. At each of those segregation points there should be some kind of security device that has the ability to detect issues. You can then narrow down the types of traffic across those networks.
“Essentially, the tighter you can write the set of rules in terms of how things operate, the more likely you’ll pick up problems.”
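The segmentation approach Cook describes, sketched as an added example (it is not from the original article or from any vendor's product): each segment gets a tight allowlist of expected flows, and the check at the boundary flags everything else. The segment names, addresses, ports and flow records are constructed assumptions.

```python
"""Per-segment allowlist check over flow records (all data below is constructed)."""
from ipaddress import ip_address, ip_network

# Hypothetical addressing: one subnet per building system inside one site range.
SITE = ip_network("10.10.0.0/16")
SEGMENTS = {
    "cameras": ip_network("10.10.1.0/24"),
    "hvac":    ip_network("10.10.2.0/24"),
    "lifts":   ip_network("10.10.3.0/24"),
}
# Tight rules: the only (destination, protocol, port) each segment may reach.
ALLOWED = {
    "cameras": {(ip_address("10.10.0.20"), "tcp", 554)},    # video recorder (RTSP)
    "hvac":    {(ip_address("10.10.0.30"), "udp", 47808)},  # BMS head end (BACnet/IP)
    "lifts":   {(ip_address("10.10.0.40"), "tcp", 443)},    # lift monitoring server
}

def segment_of(addr):
    """Return the name of the segment an address belongs to, or None."""
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def check_flows(flows):
    """Return (src, dst, proto, port, reason) for every flow that breaks the rules."""
    alerts = []
    for src, dst, proto, port in flows:
        s, d = ip_address(src), ip_address(dst)
        seg = segment_of(s)
        if seg is None or (d, proto, port) in ALLOWED[seg]:
            continue  # not a building-system source, or an expected flow
        peer = segment_of(d)
        if peer and peer != seg:
            reason = f"{seg} device talking to {peer} segment"
        elif d not in SITE:
            reason = f"{seg} device leaving the site network"
        else:
            reason = f"{seg} traffic outside allowlist"
        alerts.append((src, dst, proto, port, reason))
    return alerts

# Constructed flow records, as a device at a segregation point might log them.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.0.20", "tcp", 554),     # camera -> recorder, expected
    ("10.10.2.7",  "10.10.0.30", "udp", 47808),   # HVAC controller -> BMS, expected
    ("10.10.2.7",  "10.10.3.12", "tcp", 23),      # HVAC controller -> lift controller
    ("10.10.1.15", "203.0.113.9", "tcp", 443),    # camera -> external host
    ("10.10.3.12", "10.10.0.40", "tcp", 80),      # lift -> right server, wrong port
]

if __name__ == "__main__":
    print(*check_flows(SAMPLE_FLOWS), sep="\n")
```

The narrower each allowlist, the fewer flows can pass unnoticed: here an HVAC controller reaching the lift segment is flagged even though both sit on the same site network.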
THE HUMAN FACTOR
Global insurance broking and advisory firm Willis Towers Watson last year analysed reported claims over a five-year period and found the human element remains an overwhelming cause of cyber risk issues – with 58 percent of claims directly attributable to employee negligence or malfeasance.
KPMG’s Wishart says issues arise from poor situational awareness, compounded by complacency, insufficient training and compliance with training, poor risk assessment and deviation from process.
“Hackers exploit weaknesses in systems – people, process and technology,” he says. “Weaknesses in systems expose organisations to threats – from data breaches to system vulnerabilities, impacts on brand and value, insurance costs and, potentially, to human life.
“Consider the risk of a building having its elevators or escalators hacked. It’s critical for building management to have business continuity plans related to cyber threats and operationalise effective monitoring across all interconnected building systems – in addition to embedding appropriate people policies.
“Preventing and mitigating risk starts with a business level strategy and measurable action plans.”
Cook agrees that people are often the weakest link. “We’ve seen plenty of examples of companies disclosing things that they shouldn’t. Around half of them are people being silly and mistakenly emailing contact details out. It’s negligence rather than malice – people who don’t think before they do something.
“The important thing from an IT-perspective is that the IT environment is there to support people – not the other way around. The security policy needs to be a combination of technology and education – providing the information and context for humans on why they shouldn’t click on a particular link, for example.”
“Facility managers should work with their IT people to ensure there is a threat and vulnerability management program in place, and to ask the right questions about the efficacy of that solution.
“How mature is it? Is it being monitored in real-time? Are there scheduled scans? Is there a rapid detection vulnerability model? And, just as importantly, what happens when something is detected? Malwarebytes has a technology that immediately cleans affected areas, but whether it’s a consultant-based or technology-based approach, facility managers need to know how to deal with the vulnerabilities inside their systems.”
Donald Macdonald from FM consultancy Macdonald Lucas says that given technology innovation is a relatively recent phenomenon in the built environment, IT and security management is not a core business for many FM service providers.
“There is data that the FM provider becomes privy to, but that’s not necessarily on the client’s radar from a security point of view,” he says. “And it’s something everyone needs to get their head around.
“An issue for some providers is that, when their contracts were scoped, many of these situations perhaps were never heard of. It’s important to then ensure the right checks and balances are put in place, but the FM provider themself may lack that direct expertise and require a third-party provider.”
Macdonald says there have been major issues in the US around data integrity. “I know it has become more cost-effective to host data offshore because US legislation is so onerous. Perhaps what we need to look at is making data more secure, so that it doesn’t need to be shipped around globally.
“But we need to address the challenges of this connected world. I have to say you don’t know what you don’t know and you can’t address risks you’re not aware of. We should all be aware, though, that the more interconnected assets you have, you introduce all sorts of pathways into the organisation that may be abused.”
So, has there been enough examination of the potential threats? Jim Cook says a lot of this is occurring because of environmental influences. “Regulatory standards are becoming global and will affect the built environment,” he says.
“The threat landscape and visibility at board level is quite significant. It’s a top-down imperative that anyone who manages the organisation’s facilities must be responsible for the security of the operation. We field a lot of questions in Australia about what can be done better in that regard.
“And there have been a lot of reported cases of cyber incidents in the US impacting industry control systems, including business and access systems. These can lead to financial losses as well as safety risks. The reputational damage also could be severe.
“Overall, the Australian industry is taking cyber threats very seriously. While smaller businesses perhaps have not been so prepared and their leaders are focused on just running their business, the new data breach legislation has changed that. If your turnover is $3 million or more, you could face potential criminal charges in the event of a breach.
“For businesses of all sizes, it’s about getting the right support. More businesses are outsourcing what is non-core and there are a lot of companies that will manage their IT and their IT security. We all can’t be experts in everything.
“And it’s not just the facilities a company owns that may be at risk. Companies need to look at the contractors providing services to them. You may have confidence in your own security measures, but what about the people you have contracts with?”
WHAT ABOUT OLDER BUILDINGS?
Are older buildings with less recent technology more at risk? Cook says it depends on how old the technology might be. “If I think back to industrial environments where systems are not run on an IP network, it’s still not impossible for cyber attacks to occur.
“If you have a completely segregated network, the risk is lowered, but many buildings have a combination of parallel systems that do have interconnection points and these systems can be easily forgotten.”
This article also appears in the June/July issue of Facility Management magazine.