Why are commercial facilities an appealing target for cyberattacks? While most businesses protect employee and financial data, they overlook a simple fact—every building system connected to the internet is at risk of being hacked. It’s a massive opportunity for a bad actor to not only disrupt operations but endanger lives.
While cybersecurity practices may feel daunting, they’re not a lost cause. Every precaution your organization implements fortifies the digital side of your building’s footprint.
“Don’t get overwhelmed—just start. Cybersecurity is a process you have to mature through,” stressed Fred Gordy, director of OT risk assessment with Michael Baker International. “The goal is to be less vulnerable than you were yesterday.”
Weaponizing Commercial Buildings
Did you know that real estate is considered critical infrastructure by both the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency? One reason is that facilities are prime targets for a threat known as killware.
“Rather than a type of virus, killware attacks are meant to cause property damage, human harm and even deaths,” Gordy explained. “It doesn’t take much either. Boilers can be turned into bombs, lights turned off so people fall down stairs and electrical panels shorted to start fires.”
“Most people can’t imagine what could go wrong with a building if it were hacked. But if someone gets control of its operational systems, they can make it a dangerous place,” added Jim McGlone, CTO of Automation Strategy & Performance, Inc. “For example, there was an attempted attack in 2021 of a water treatment plant—the goal was to poison the water by altering chemical levels. Private and public buildings are just as vulnerable to being weaponized.”
How is this possible? First, many building systems are openly exposed on the internet with few security protections. IoT devices are a double-edged sword because everything is connected. By breaking through one point, the rest of the network is accessible.
Second, an interface or direct communication between building and corporate systems is a massive risk. A bad actor may not care about HVAC, but your mechanicals could be an attractive portal if they provide a connection to enterprise data.
The good news is that the principles of physical security—creating layers of barriers—is the same for cybersecurity. These safeguards will thwart someone from penetrating your systems and data. Lock down where building controls interact with your electronic perimeter.
“Because bad guys will troll your digital neighborhood, cybersecurity is no different than physically hardening your building to send the message ‘We’re protected,’” Gordy stressed.
5 Cybersecurity Protocols for FM
There are entire books devoted to cybersecurity best practices. Your IT department should also be a robust partner in this effort. You can implement ISA/IEC 62443, a series of cybersecurity standards for automation and control systems. Follow the basics of changing passwords, be suspicious of links or attachments, perform weekly backups and control remote access.
But nothing will ever be accomplished without an attitude shift first. Cybersecurity begins as a mindset more than anything.
1) Implement Server Protocols
“Treat every computer that runs building controls like a server,” emphasized Gordy. “Don’t use those devices for direct internet access either. They should be locked up as well.”
2) Check What’s Exposed
“You’d be amazing at what’s unprotected. How far does the Wi-Fi extend outside of your building? Do you have unused ethernet jacks that are still active? Who has access to your IT closet?” asked McGlone.
3) Update Your Device Inventory
“Know what you have, how it’s connected and who has access. If you don’t have an accurate network diagram, you can’t keep the boundaries safe,” said Gordy.
4) Isolate Building Systems
“Create a DMZ network to isolate operational technology, which is a type of segmentation that only allows specific traffic with certain permissions,” McGlone recommended.
5) Screen Everyone
“Adopt a zero-trust policy, which means ‘Never trust, always verify,’” says McGlone. “This is critical for any visitors and vendors bringing their own device. Start screening everyone as if your facility were as important as a power plant.”
“Those in it for profit are both the laziest and most persistent people in the world. They’re looking for the path of least resistance,” according to Fred Gordy, director of OT Risk Assessment with Michael Baker International. “If they send out 100,000 ransomware emails with a $10,000 decryption key and 1% are success, the takings are huge.”
How Commercial Buildings Can Be Weaponized
Imagine a 20-story hospital with 1,000 IoT devices on every floor—that’s 20,000 potential points of intrusion. Just turning off the lights or removing positive pressure could be catastrophic.
Sports and Entertainment Venues
What would happen if someone hacked the jumbotron and posted an urgent evacuation message? It would take a few keystrokes to cause a stampede.
The cost of shutting down a factory line is instantaneous. That’s real money lost in seconds, much less hours. More importantly, this doesn’t account for safety issues that occur from a sudden outage.
Industrial Facilities and Laboratories
Gases of all kinds are used and stored within buildings, especially those with scientific testing. The simple act of opening a valve to nitrogen, hydrogen, halon or natural gas could have fatal consequences.
Scenarios provided by Jim McGlone, CTO of Automation Strategy & Performance, Inc.