Cyber security threats are not a new phenomenon. Information technology (IT) systems have always needed to be protected from unauthorised access.
However, businesses today face a new era in cyber-attacks that has emerged as a direct result of the increased use of the Internet of things (IoT) in buildings. The COVID 19 challenges currently confronting property owners has further compounded this problem.
Cyber security is an evolving challenge, changing year by year to keep pace with the sophisticated advances in hacking technology. Cyber-attacks themselves are typically motivated by one of three aims: to access, change or destroy sensitive information; to extort money from the victim; or to interrupt normal business processes. The perpetrators of these breaches might be an individual, activists, terrorist organisations or state-sponsored entities, but they all share the same three goals.
Until recently, hackers have generally targeted networks, programs, the cloud and end-point devices, such as computers, routers, servers and smart devices. It is the proliferation of smart devices—especially those outside the normal IT umbrella—that is causing the latest cyber security dangers. The current environment due to COVID 19 is making these types of attacks even more prolific as evidenced by the numerous media articles pertaining to increased cyber security issues being experienced globally.
Cyber security has traditionally been considered solely an IT problem by most companies, as their IT systems have been both the ultimate target to be accessed by hackers, as well as providing the numerous potential entry points into an organisation’s private digital domain. However, with the development of smart buildings, this accepted battleground is changing.
Today, in addition to IT networks, many companies now have Operational Technology (OT) systems designed to run the physical environment, such as Building Management Systems (BMS) that monitors and manages lighting, HVAC and other services within a building. As part of a building’s OT ecosystem, there is also an increasing number of smart devices that have the potential to be hacked. These devices operate alongside traditional technologies such as BMS, HVAC, lighting, fire panels, access control etc., all of which are critical in maximising the revenue generating capacity of a building and lowering its running costs.
Cause for concern
As an IT issue, cyber security demands a significant part of the overall IT budget. For example, a large organisation might happily consider spending 30 per cent of its IT budget to keep those systems safe. By comparison, OT has typically commanded a much smaller budget, which means that almost without exception, a company’s OT systems are less secure than its IT networks. The combination of the number of IoT connected devices within a modern OT system and the lack of protection means than many companies find themselves at serious risk of having these systems breached.
This is a huge cause for concern on two levels. Having penetrated a company’s OT system, a hacker will be effectively free to manipulate heating, cooling, lighting, fire-protection, alarm systems, lifts and all other services within a building, which could be extremely disruptive to business. However, the greater worry is that a hacker might not be content to breach the OT system simply to wreak havoc on the building services, but might instead target the OT infrastructure in order to gain access via the back door into the IT systems where all the lucrative information resides.
The recent Realcomm conference in Nashville, Tennessee highlighted this critical challenge to property owners. The proliferation of IoT presents a momentous opportunity for businesses as they are endeavouring to make buildings smarter and provide greater amenity to occupants whilst lowering running costs. These investment strategies cannot be implemented without first adequately protecting OT systems.
There are two principle philosophies regarding next-gen cyber security to address this risk for OT ecosystems. These can be best understood as the ‘Moat and Drawbridge’ and ‘Invisible Cloak’ analogies.
Proponents of the ‘Moat and Drawbridge’ school of thought believe that if a business or building can be surrounded with a metaphorical moat that is deep enough and wide enough, then all cyber traffic can be directed through a single point of access—the drawbridge—into which all necessary protective measures can be installed. This philosophy necessitates the removal of all other entry points into the IT and OT networks, other than the drawbridge itself.
The competing belief—the ‘Invisibility Cloak’ approach—is based on the concept of making a building digitally invisible to all but those people who need to see it, such as trusted users, clients, suppliers and business partners. Even though these people will be allowed admission, this access will be restricted to the parts of the system that they need to see, while the rest of the building will remain invisible to them.
Which solution is most appropriate ultimately depends on the situation at hand. These technologies don’t need to be mutually exclusive. They should operate alongside each other thus accommodating the various commercial realities across different property portfolios. An integrated approach is critical. By way of example, an existing firewall /router cybersecurity solution should be able to stay in place whilst an invisibility cloak is placed over the entire OT ecosystem, thus making the most of the best attributes of each technology. Of course, doing nothing is the worst choice of all.
Facing this challenge of protecting OT systems, businesses need to ask themselves four key questions:
- Firstly, which of these philosophies makes most sense for their business? Does the business have anything in place at all or alternatively does the business have existing viable drawbridge and moat infrastructure that needs to remain, and if so, can an invisibility cloak work alongside this infrastructure?
- Secondly, what are the up-front installation and ongoing administration costs of each option?
- Thirdly, what loss of strategic flexibility are they prepared to suffer in the name of security?
- And perhaps most importantly, what is the cost of doing nothing?
Businesses today need to understand that although it is normal practice to spend 30 per cent of an IT budget on IT security, the same does not necessarily apply for OT security. The solutions required to deliver adequate cyber security to OT systems must operate within the lower cost paradigms applicable to the OT space whilst still safely allowing remote access by numerous OT maintenance vendors. OT solution providers, like Grosvenor have an intimate understanding of this reality.
Grosvenor has secured cutting-edge technology and established procedures that guarantee the installation, maintenance and administration of its cyber solutions, that can both complement and enhance the protection of OT systems at cost levels not previously possible. Property owners, managers and end-users can embrace all the benefits of smarter buildings without the cyber security risk.
By Nicholas Lianos, Grosvenor Engineering Group – Managing Director
Nicholas is regarded as a passionate and driven entrepreneur with an illustrious career spanning over three decades. In 1999 he founded Grosvenor Engineering Group with partner Peter Souflias, which is now a leading provider of intelligent building services, design and construction solutions. He has established an enviable client base including AMP, Dexus, Bunnings, Westfields and Defence.
Enjoy Sourceable articles? Never miss important updates. Subscribe for FREE to receive daily updates in your inbox each morning.