Do you like a good Halloween scare?
Depending on your answer, you might – or might not – want to Google “how to hack into building systems.” I did and was surprised at the number of hacking events involving building equipment from familiar suppliers.
According to Federal Facility Cybersecurity, a report released this year by the U.S. Government Accountability Office (GAO), the threats can involve any building system with an internet connection – including CCTV camera systems, HVAC, access control, fire annunciation and suppression, elevators, lighting, and power systems. Such internet connections may serve equipment monitoring or alarms, delivery of software updates, or remote control of building functions, but owners may have little knowledge of them. Hackers can locate such devices with the help of software programs designed to identify internet-connected devices. Cyberattacks can come from insiders, like unhappy employees or contractors, or from criminal outsiders. Public and private buildings are vulnerable.
Many building control systems have not been designed with a high degree of cybersecurity in mind. They may have hardcoded passwords that cannot be changed and backdoors for use by the manufacturer, vendor or integrator. Once hackers have gained a foothold, they can use software that helps them decode administrative passwords.
Even if building systems are not on the same network as those with sensitive information on employees, customers, accounting and banking, major mischief can still result. For example, a hacker might release an electronic door lock remotely as part of a coordinated physical attack on a facility.
Hackers and other criminals look for the path of least resistance, and simple practices can deter them. A report from Schneider Electric encourages good network and password management, user management (such as auto-expiration account routines and immediate disabling of accounts for employees leaving or moving to new positions), and software management (applying security patches immediately when they become available). The GAO report notes that having a strategy is a starting point to address the risks – but the Department of Homeland Security has not developed one for federal facilities.
Have you developed one for yours?