Back in 2013, US retailer Target became engulfed in a crisis after cyber criminals gained access to its point of sale (POS) system and stole credit/debit card information of around 40 million accounts.
Instead of targeting the company’s POS system directly, the criminals stole login credentials used by its heating, ventilation and air-conditioning vendor by connecting to its web applications. Once in, they gained access to its Active Directory and, ultimately, its POS system.
This is not the only example of criminals using building management systems to either cause damage or to break into other parts of company networks.
Last year, a crime syndicate hacked and scrambled around 15,000 electronic medical records at the specialist cardiology unit located at Melbourne’s Cabrini Hospital. It is believed that the entry point may have been an unprotected computer that was used to support medical equipment.
These incidents highlight the growing concern among building and asset owners about cyber security risks arising from their assets.
According to Nicholas Lianos, Managing Director of Grosvenor Engineering Group, operational building systems in the past were not connected to the internet and did not face risks from hackers.
Nowadays, these systems are increasingly connected as billions of new devices are being installed every year and companies seek to enable remote access for purposes such as maintenance. Whilst this delivers benefits, it can open up opportunities for cyber hackers.
This matters. Hackers who break into a hospital operating system could shut down MRI machines. Those accessing tunnel deluge systems designed to operate in a fire could flood a tunnel full of vehicles and occupants. In multi-storey buildings, bad actors could trap people inside elevators. Depending on the level of sophistication of the building, hackers who break into the building operating system may also then be able to access other IT systems.
Furthermore, Lianos says there is a lack of resources allocated to cyber security in building operating systems – a phenomenon he attributes to the historical lack of risk which these systems presented.
With information technology (IT) systems, he says many organisations allocate up to 30 percent of their budget to cyber security. With building operating systems, cyber security rarely has any budget allocation.
For hackers, this can make building management systems an attractive point of entry.
“As with most things in the modern world there is now greater internet connectivity being experienced,” Lianos says.
“The built environment is no different. Buildings today are experiencing higher levels of connectivity for what is commonly referred to as their Operational Technology (OT) which includes such things as lighting, HVAC, fire and access control systems, media screens etc. The purpose is to allow for such outcomes as better use of energy, improved occupant amenity and comfort along with remote accessibility by those contractors and technicians that keep the building operating.
“The problem however with increased internet connectivity is that there is a much greater surface area for a bad actor, such as a hacker, to attack and gain entry to the building. Once ‘inside’ such an actor could create havoc from the minor, say switching off all of the lights, to more sinister exploits such as manipulating fire systems, lifts, access control or HVAC settings.
“Depending on the degree of sophistication in the building a hacker could even traverse from the OT side and get into the Information Technology (IT) – corporate networks accessing critical business and customer data.”
Lianos’ comments come as Grosvenor has teamed up with Seattle-based cyber security firm Tempered Networks (Tempered.io) to launch a new cyber security offering in Australia known as Grosvenor Cyber Solutions.
Under this arrangement, Grosvenor will market, distribute and implement Tempered.io’s Airwall technology. Offered as a managed service, this uses proprietary technology along with a secure networking protocol known as the Host Identity Protocol to apply a cloaking technology and make people, transactions and assets invisible in cyber space.
This, Lianos says, will help overcome limitations of traditional cyber security technologies which rely on firewalls to protect IP addresses but still leave the IP address itself visible.
Asked about cyber security more generally, Lianos says organisations need to develop a cyber security strategy for their business.
To ensure that both specific IT and broader building operation matters are addressed, both IT personnel and operational technology personnel such as facility managers should be involved in this strategy.
The solution chosen should also be cost effective, have a proven track record and be easy to deploy.
These last points are important, Lianos says, as many who use and deploy operating technology often have non-IT backgrounds whilst many organisations are yet to budget any meaningful amounts for cyber protection of operating technology.
In the case of Airwall, Lianos says the technology has been used extensively in the US and has been deployed in Australia by several top ASX100 organisations.
Throughout Australia, building management systems are being increasingly connected to the internet.
As this happens, cyber security will need to be carefully managed.