As operational technology becomes more connected, the threat landscape is also evolving. Facility Management caught up with Honeywell’s global head of cybersecurity, Mirel Sehic, to find out what FMs should be doing to prepare for cyber attacks.
Operational technology (OT) traditionally consisted of siloed control systems. Before the rapid digitalisation experienced over the last five or so years, security cameras, lighting or air-conditioning only ever ‘talked’ to each other to a minor degree. Now, these assets pass data via cloud technology and edge devices, allowing for monitoring by analytics platforms and improving operational efficiency.
But in this process of digitalisation, something was missed. Everyone “forgot” about cybersecurity, says Mirel Sehic.
“The products themselves that sit in the OT environment may be secure. For example, when you buy an iPhone from Apple, the hardware is secure [and] the software is secure,” he tells Facility Management.
“…but they live in this environment with other operational technology devices and if no one is looking at it from a cyber hygiene perspective, and connecting them laterally, horizontally and vertically, we are setting ourselves up for a world of pain.”
As more threats started to arise, Honeywell Building Technologies set up a dedicated practice for cybersecurity, of which Sehic is now the global head.
“Cybersecurity is never standing still so we’ve evolved as threats evolve,” he says.
What are the main points of vulnerability within OT?
With more connectivity, the threat footprint increases, but where exactly should FMs direct their concern?
“What we like to say when you look at an OT system [is]: think about it in terms of layers, different zones and different areas of connectivity to those zones,” explains Sehic.
If bad actors exploit one exposed zone, they can move to other areas “quite simply”. An example Sehic sees all too often is security cameras that aren’t updated. There’s the risk that cameras could be targeted and turned off, and without the right cyber hygiene, there’s also another, greater risk.
“A threat could come in and say, ‘Hey look, I’ve got an exploitable camera! I can then log into that camera, move laterally to other parts of the OT and do more damage,’” he says.
As the threat landscape becomes more sophisticated, that damage is likely to increase.
“Adversarial artificial intelligence (AI) – meaning AI that can target systems without human input – is something that is coming, is something that we’ve seen [and] is something that is impacting industry that’s only going to get stronger,” says Sehic.
“If I had someone that could, say, in a day, target 10 facilities – could see what doors are open – with AI you times that by 100,000.”
What do bad actors actually want?
What the people or AI executing these cyber attacks are most interested in infiltrating depends on what they have to gain and also on the type of facility.
For example, ransomware is malware that is often used to lock up files and deny the owner access until they pay a ransom. Sehic has seen ransomware used against hospitals, leading to monetary and life-threatening consequences as patients can’t be served.
But protecting confidential data from breaches has slowly become a critical part of what Sehic’s team does.
“The more dangerous ones are where there’s data exfiltration of high-value targets where we can’t really see that they’ve been in there or we cannot really see what they’ve exfiltrated unless we have the right level of cybersecurity hygiene,” says Sehic.
The IT/OT divide
Who is responsible for the cyber maturity of their OT environment anyway?
If you had asked FMs two years ago, you would probably have heard a resounding “no, it’s the IT team”, says Sehic. But if you asked the same question of the IT team, they would have said it’s up to the facilities team.
“There’s this big divide and I wouldn’t say it’s finger pointing, it’s just a lack of understanding of who is actually responsible for operational technology cybersecurity,” says Sehic.
“Fast forward those two years, what we’ve started to see is these chief information security officer (CISO) roles appear in a lot of these medium to large corporations that are responsible for end-to-end cybersecurity: OT and IT.”
But, as the industry adage usually goes, cybersecurity is still everyone’s responsibility. You may have top-notch cybersecurity solutions in your facility, but if untrained personnel click on something they shouldn’t click on, a new threat can circumvent your system and compromise it.
“I think it’s everyone’s responsibility, but it needs to be led from somewhere. What we’re seeing in industries is that it’s being led from the CISO team and flows down.”
The FM’s essential cybersecurity measures
The first thing FMs need to do to play their part in protecting their OT is to understand their assets.
“It sounds very simple,” says Sehic. “You think, ‘I walk into my building and I know I have 80 or 100 of these things and they’re all talking to each other in this way.’ [But] I would say 90 percent of the people we speak with don’t understand that basic mapping. And that’s not for lack of trying, it’s just that systems have changed over time and people have changed in different roles. So the first thing is getting a bearing for your assets and how they communicate.”
From there, FMs can build a roadmap to where they need to be on their cyber maturity journey.
“Not everyone wants to get to, let’s call it, level five. Some may want to stop at level three because that’s the risk they’re willing to accept,” he says.
Sehic’s biggest advice is not to get too wrapped up in what could be a threat down the line. “Plan for what you have in front of you today.
“Sometimes it can become very overwhelming, the topic of cybersecurity threat prevention, and then if you add the regulation and governance side of it, people can get very overwhelmed,” he says.
“So it’s just about making that initial start of understanding what I have today, planning for what I have today, my budgeting cycle, my remediation cycle and my support cycle, and then as these other threats come along you’ll be in a better position to make the next step to prevent those as well.”