In 2015, USA Networks aired one of the most realistic depictions of building hacking ever to be featured in a TV or movie. The lead character, Elliot, posing as a tech billionaire, walks into a highly secured data facility in upstate New York and obtains a tour. Afterward, he manages to sneak into a sensitive area where he attaches a Raspberry Pi board to the facility’s HVAC system, ultimately overheating the building to compromise the magnetic tape backup systems stored there.
While obviously still in the realm of fiction, the episode did highlight the potential damage an adversary could cause to any networked facility that is a strategic target. Earlier this year, McAfee demonstrated in real time the feasibility of a similar attack on a networked data center.
In general, as buildings become more infused with IT and networking technology, security professionals and building managers are becoming aware of the risk of smart building security. Mirel Sehic, global director of cybersecurity for Honeywell Building Solutions, points to a CEB (now a part of Gartner) study indicating nearly one in five organizations with IoT networks have already suffered an attack.
Financial services institutions and other organizations that are potentially valuable targets from a hacker’s perspective, in particular, should prioritize smart building security. Sehic recommends organizations of all stripes develop a broad view of their assets that includes buildings. Honeywell recently worked with a large financial services institution on such an initiative, which spanned multiple buildings and thousands of employees. “The team performed vulnerability testing, deploying advanced strategies for cybersecurity and creating a methodology for data management to help prevent leakage of valuable digital information,” Sehic said.
[IoT World is North America’s largest IoT event where strategists, technologists and implementers connect, putting IoT, AI, 5G and edge into action across industry verticals. Book your ticket now.]
Andrew Howard, chief executive officer of Kudelski Security, pointed out that fragmentation within the vendors serving buildings — elevator, lighting, HVAC and so forth — would likely limit the scope of damage an attacker could do when targeting a networked structure. In addition, a famed Target credit card breach involving an HVAC vendor has had an eye-opening effect on many cybersecurity professionals, Howard said.
Conversely, Sehic pointed out that segmentation is often not a deliberate priority in a new building’s pre-build specification documents. Furthermore, it is rare for a building to have a dedicated cybersecurity team from either an IT or OT persuasion, he said.
As attacks against buildings increase, however, building managers are likely to create teams with responsibilities that include building cybersecurity. “We expect to see more preventative measures in the coming year, such as training focused on addressing potential cybersecurity threats and on conducting cybersecurity assessments to identify gaps in the building’s OT environment,” Sehic said.
Already, many organizations are beginning to prioritize OT cybersecurity. “More attention and more budget are being dedicated to furthering basic cyber hygiene upkeep and building OT cybersecurity incident readiness – and we expect that to continue in 2020,” Sehic explained.
That expectation doesn’t mean Sehic is confident typical OT security measures are sufficient. “Cybersecurity assessments must be carried out across a building’s OT infrastructure to identify gaps,” he said.
In general, there is a pronounced shortage of cybersecurity professionals with a forté in operational technology. The lack of workers in that domain could help drive interest in a managed service provider model, Sehic said. “[W]e are a firm believer in and practice a managed service provider model.”