Like 70 million other people, I was affected by the Target data breach over the holidays. I was reminded this week of the reach and duration of cyber attacks when I discovered that I had failed to update an online account with the new credit card issued to me last March as a precaution.
An HVAC contractor working for Target was the unwitting means of the breach. Initial reports indicated that the company was compromised through the contractor’s access to building systems for monitoring HVAC systems and energy consumption. Although later reports implicated Target’s payment network rather than its building controls, the possibility of a cyber attack via building systems is clear. Many service contractors utilize back doors in software to monitor the condition of equipment.
For years, building automation has been moving away from relatively secure, hardwired systems to networked platforms. Common protocols like BACnet are both open and able to control all building systems. Smart grids and demand response programs also connect buildings to outsiders. Mesh control networks for lighting, the topic of this month’s feature on lighting controls (page 28), could be another back door.
It’s easy to shrug off the possibility of cyber threats. After all, if you don’t have highly sensitive data in your building, why should you be alarmed? Why would an attacker single you out? Who would want to hack into your building controls?
Some hackers do it just for the thrill. Jonathan James, the hacker imprisoned at age 16 for breaking into a Department of Defense network, said in an interview, “I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off.” For someone like him, wouldn’t it be a thrill to disable the air conditioning on a sweltering summer day and turn on the heat?
Collateral damage is also a possibility. The infamous Stuxnet virus used to attack the Iranian nuclear program is an example. But, you say, you don’t have any centrifuges in your facility for making weapons-grade uranium. Probably true. But your building systems may have programmable logic controllers, the same kind of device attacked by Stuxnet. And the Stuxnet virus traveled to other facilities and countries that were not the intended targets – 40% of the systems and computers infected were outside of Iran. Iran reportedly launched retaliatory attacks on some U.S. banks. Could building systems be an avenue for such threats?
Given worldwide networks and interoperability, it is inevitable that FMs and building owners will need to make reasonable attempts to secure their systems. Formally assigning someone the task and routinely asking vendors about security defenses are good starting points.