The 2021 Global Security Exchange (GSX) show is underway in Orlando, Florida, and what’s immediately clear is that the status quo is out the window. New threats are constantly emerging, and facility executives and security staff would be wise to step up their defensive strategies to reduce their risks.
The annual event is billed as a forum where attendees can hear directly from experts addressing the biggest challenges in security, including return-to-workplace, global leadership, workplace violence, cybersecurity, business continuity, crisis management and more. So far, it’s delivered on all fronts, albeit to a smaller in-person crowd. But a hybrid, digital “all-access” experience has made it possible for security and facilities professionals to stay connected to a robust offering of online programming.
Hacking Building Automation Systems—Why and How
“In the past, hackers looked strictly at data systems, the IT systems, corporate networks, things like that,” said Coleman Wolf, CPP, senior security consultant at ESD Global, Inc. Today, however, many bad actors are targeting buildings automation systems for a number of reasons, including profit, of course, or denial of service (DoS) or even espionage, but also, simply for the excitement of taking on a new technical challenge, Wolf explained in his presentation, “Hacking Building Controls For Fun And Profit: Security Risks To Cyber-Physical Systems.”
“It’s more interesting when you can see the real-world impact” of hacking into a building’s lighting or video surveillance systems, he said. And they’re getting better at it.
“Ransomware attackers are getting pretty savvy about what they can do. Their reach, goals and targets have evolved,” Wolf noted.
For victims, the negative impacts to the organization are varied, and losses may include:
- Health and safety
- Image, reputation and trust
The reason so many building automation systems are being hacked, Wolf said, is because often there is no physical or logical separation of IT and industrial control system (ICS) networks, unprotected Internet access or default passwords on products. Further, he pointed out that building systems built 30 years ago, while robust, weren’t designed with security in mind.
Wolf made a number of recommendations to help facility professionals improve the security of their building automation systems, such as utilizing the following:
- Dedicated stand-alone BCS network versus converged network
- BCS security strategies
- IT security best practices
- ITSC Top 6 recommendations:
- Document physical security system configuration
- Follow a planned maintenance procedure
- Use standards-based technology
- Maintain and measure vendor supply chain
- Treat data within physical security infrastructure as sensitive enterprise data
- Follow the vendor's best practices
- Industry resources and reference material
Wolf noted that facility managers often believe they know their building systems, but oftentimes, they don’t realize there are communication links to the outside world, introduced by a contractor or vendor, for example. He urged attendees to conduct a thorough risk analysis to ensure they mitigate their systems’ vulnerabilities.
Vaccine Security for Healthcare Facilities and Schools
A new security threat that has plagued operators of healthcare facilities, schools and universities emerged with the introduction of the COVID-19 vaccine. In a candid panel discussion titled, “Should You Be Afraid? Experts Discuss Experiences, Concerns and the Future of COVID-19 Vaccine Security,” experts shared their experiences with the security, storage and distribution of the coronavirus vaccine, and how they worked together with their communities to update their resiliency plans to more effectively deal with this new risk.
“With the development of the COVID-19 vaccine and the plan for the government to distribute those vaccines to healthcare organizations across the country, we knew that we would have some significant challenges in terms of the security of the vaccine against the climate of the political situation, as well as fear people had regarding the vaccine as misinformation was being spread to the public,” said Keith McGlen, CPP, vice president of security services at UCHealth.
He said his team had concerns about how to maintain the security both of the vaccine and staff members when it was delivered to their facility, as they anticipated potential protests due to the controversy surrounding the vaccine’s manufacture and efficacy. They also shared concerns about individuals attempting to destroy the vaccine from both internal and external actors.
As a result, UCHealth participated in a healthcare steering committee to develop a best practices guide for implementing a robust security plan for healthcare security leaders and stakeholders across the country to mitigate the known threats toward the vaccine.
William Marcisz, CPP, executive director of security at Advent Health, had a similar experience, saying “we were concerned that hospitals would become a target for disruption by folks who were trying to undermine the credibility of the vaccine.” And many of them still are, McGlen said, noting that many hospitals have received cease-and-desist orders from individuals, claiming that they are committing “crimes against humanity” by administering the COVID-19 vaccine.
Among the security measures Advent Health took as a result of these threats included:
- Hidden vaccine locations within the facility
- Screening pharmacy supply movements
- Increased security presence
- Pharmacy using enhanced security processes
At Froedtert Hospital in Milwaukee, Wisconsin, director of security Michael Ramstack recalled an incident that occurred where three plainclothes individuals entered the facility and asked the lobby staff to the whereabouts of the vaccine. When directed to the area in the facility where it was being administered, a security professional began questioning them. Their responses were vague, and they claimed to be part of the military but left the property abruptly in an unmarked vehicle with out-of-state plates, which put the security staff on alert.
It was determined later that the group was, in fact, with the National Guard, but a failure in communication, paired with the individuals’ somewhat odd behavior led Ramstack’s team to notify local law enforcement and campus partners, communicate with military officials, elevate security and educate staff, as well as to alert other health systems in the area to the incident.
In the education sector, the challenge for the residential K-12 Milton Hershey School in Hershey, Pennsylvania, was somewhat unique, said Rick Gilbert, senior director of campus safety. As a safe place for underprivileged students, Gilbert said keeping the school open was a top priority, but soon learned their resiliency plans were out of date.
“One of the things that happened really quickly was, we all had pandemic plans—all of our schools have them—we quickly found those pandemic plans were great for the first 72 hours, a week to two weeks,” Gilbert recalled. “It wasn’t really designed for a worldwide pandemic, and we found out those plans really were no longer essential. We had to quickly update them and update them on the fly.”
Among the key takeaways from Gilbert’s experience was participating in a critical incidence team made up of public and private first responding agencies from the local community that shared plans and resources openly to better evaluate and mitigate their security and resiliency plans.
“What we found is, we needed to operate together in our community to be able to stay consistent and to stay alive, basically, and maintain those operations. When we’re able to work together, we found that we’re able to exchange resources and plans, and this really came through during this pandemic,” he said.
There are many challenges ahead facing facility managers and security staff, but by sharing best practices as we’ve seen here at GSX, it’s clear we’re better and safer when we work together.