Editor's Letter

July 21, 2014

How Prepared Must You Be for Cyber Attacks on Your Facility?

Like 70 million other people, I was affected by the Target data breach over the holidays. I was reminded this week of the reach and duration of cyber attacks when I discovered that I had failed to update an online account with the new credit card issued to me last March as a precaution.

An HVAC contractor working for Target was the unwitting means of the breach. Initial reports indicated that the company was compromised through the contractor’s access to building systems for monitoring HVAC systems and energy consumption. Although later reports implicated Target’s payment network rather than its building controls, the possibility of a cyber attack via building systems is clear. Many service contractors utilize back doors in software to monitor the condition of equipment.

For years, building automation has been moving away from relatively secure, hardwired systems to networked platforms. Common protocols like BACnet are both open and able to control all building systems. Smart grids and demand response programs also connect buildings to outsiders. Mesh control networks for lighting, the topic of this month’s feature on lighting controls (page 28), could be another back door.
It’s easy to shrug off the possibility of cyber threats. After all, if you don’t have highly sensitive data in your building, why should you be alarmed? Why would an attacker single you out? Who would want to hack into your building controls?
Some hackers do it just for the thrill. Jonathan James, the hacker imprisoned at age 16 for breaking into a Department of Defense network, said in an interview, “I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off.” For someone like him, wouldn’t it be a thrill to disable the air conditioning on a sweltering summer day and turn on the heat?

Collateral damage is also a possibility. The infamous Stuxnet virus used to attack the Iranian nuclear program is an example. But, you say, you don’t have any centrifuges in your facility for making weapons-grade uranium. Probably true. But your building systems may have programmable logic controllers, the same device attacked by Stuxnet. And the Stuxnet virus traveled to other facilities and countries that were not the intended targets – 40% of the systems and computers infected were outside of Iran. Iran reportedly launched retaliatory attacks on some U.S. banks. Could building systems be an avenue for such threats?

Given worldwide networks and interoperability, it is inevitable that FMs and building owners will need to make reasonable attempts to secure their systems. Formally assigning someone the task and routinely asking vendors about security defenses are good starting points.  

Voice your opinion!

To join the conversation, and become an exclusive member of Buildings, create an account today!

Sponsored Recommendations

Building Better Schools

Download this digital resource to better understand the challenges and opportunities in designing and operating educational facilities for safety, sustainability, and performance...

Tips to Keep Facility Management on Track

How do you plan to fill the knowledge gap as seasoned facility managers retire or leave for new opportunities? Learn about the latest strategies including FM tech innovations ...

The Beauty & Benefits of Biophilic Design in the Built Environment

Biophilic design is a hot trend in design, but what is it and how can building professionals incorporate these strategies for the benefits of occupants? This eHandbook offers ...

The Benefits of Migrating from Analog to DMR Two-Way Radios

Are you still using analog two-way radios? Download this white paper and discover the simple and cost-effective migration path to digital DMR radios that deliver improved audio...