Johnson Controls
Johnson Controls integrates cyber and physical security into its OpenBlue suite of connected smart building solutions that leverages data analytics.

Information security for OT gains attention from owners—and hackers

May 26, 2022
As building systems controls become increasingly connected and online, they become more than an entry point for ransomware.

Historically, information security (InfoSec) was not a significant concern within building operating systems comprising proprietary protocols and closed infrastructure with limited data. As these systems increasingly shift to open, interoperable architecture that collects and processes information from connected operational technology (OT) devices to support smart-building initiatives, they become at risk for ransomware, which comes with significant remediation costs, and cyber-physical attacks that can halt facility operations, damage property, and put lives at risk.

OT attacks can cause widespread harm particularly when the targets include companies that provide vital services to the public and have a significant impact on the economy, such as health care, utilities, energy, and public safety. Thankfully, project stakeholders are taking note.

More data in more places means more risk

Initially, hackers leveraged building systems as a facilitator to gain deeper access to IT systems and confidential corporate and financial information, says Jason Christman, vice president and chief product security officer at Johnson Controls. Now, hackers are targeting building systems directly. “Today’s building systems encompass more devices," he says. "Each has set points, configurations, and valuable information, like biometrics, in access control systems, air quality readings in HVAC systems, fire suppression settings in life safety systems, and data needed to comply with insurance, codes, and … environmental regulations. These systems are now being targeted for ransomware—there’s more money in going after companies at risk for building operational systems locking up, losing permits or insurance coverage because systems aren’t working, or situations that can impact life safety, such as shutting down surveillance and access control systems.”

In 2020, the amount companies paid to hackers grew by 300% from the previous year, according to Harvard Business Review. In its June 2021 fact sheet, the Cybersecurity and Infrastructure Security Agency (CISA) called for improved InfoSec on OT systems. Early this year, researchers at global cybersecurity firm Mandiant found that 1,300 of the 3,000 data leaks originating from ransomware attacks in 2021 occurred on critical OT infrastructure. Recent attacks on OT include those against the Colonial Pipeline, JBS (the world’s largest meatpacker), and the Washington Metropolitan Police Department.

Observing that the COVID-19 pandemic increased the need for remote network access, Christman says, “The speed at which cloud, 5G, and integration technologies are happening in the built environment, [along with the] increasing number of solutions, has made hackers more aware of vulnerabilities in OT systems. We’re also seeing the deployment of more remote access solutions, and when service techs don’t set these systems up securely, it leaves the door open for ransomware attack.”

Rising awareness leads to innovation

The smart building industry is becoming increasingly aware of the risk—especially following recent evidence published by CISA that Russia’s invasion of Ukraine has led to threats to critical infrastructure by Russia-aligned cybercrime groups.

Education is key to addressing the knowledge gap and shortage of cybersecurity talent needed to safeguard systems and deal with the security challenges that come with IT/OT integration. Critical infrastructure and OT cybersecurity training courses are now among the top offerings at InfoSec education providers and associations, including the International Society of Automation.

Christman also points to the significant increase in startup OT security companies, vendor collaboration, and demand for assessments from building owners and operators. Security assessments are particularly on the rise within brownfield sites looking to integrate multiple legacy systems that may have outdated security functionality, lack of visibility, and older, vulnerable hardware and software. “We’re seeing innovation happening throughout the OT security market through acquisitions, vendors coming together under cyber alliances, and larger real estate asset owners becoming highly proactive in defining OT security policies and scrutinizing their suppliers,” he says. “The construction industry is making security a key component of the procurement process and requiring certifications—and vendors are responding.”

Emerging InfoSec best-practice guidelines, standards, and frameworks for the commercial building industry include the Building Cyber Security (BCS) Risk Framework and the SPIRE Smart Building Program. The federal government is also addressing the issue. Christman believes that President Biden’s cybersecurity order, which requires vendors contracting with the federal government to provide a software bill of material (SBOM) for each product, will make its way into the private sector. “We need to know what the ingredients list looks like for any given software,” he says. “We are seeing these SBOM requirements starting to gain ground among energy, pharmaceutical, and financial entities.”

While significant room for InfoSec improvement remains, smart-building experts understand the value of open, interoperable systems, data flow between converged IT and OT systems, and cloud-based solutions that provide data analytics. “Buildings are becoming living entities, and the data gives us the grand view we need to optimize their functionality and health,” Christman says. “If the technology is deployed with the right security segmentation, monitoring, controls, and response, we can preserve smart-building strategies and reduce the risk.”

For more news, projects, and profiles in the smart buildings ecosystem, subscribe to the SBT newsletter and follow us on LinkedInTwitter, and Facebook.

About the Author

Betsy Conroy

Betsy Conroy has spent the past three decades writing quality technical content and leveraging that content to launch impactful integrated marketing campaigns. She started her career as a technical and promotional writer for medical, security, and environmental corporations. In early 2000, she became an independent freelance writer, editor, and content consultant, focusing primarily on B2B manufacturers and associations in the electrical, networking, and telecommunications industries. Betsy frequently publishes content in a variety of industry publications on behalf of her clients and is also a contributing writer to Smart Buildings Technology Magazine. She was previously a monthly contributing writer to Cabling Installation & Maintenance Magazine and chief editor of BICSI News Magazine for five years where she was instrumental in bringing the publication from a newsletter status to that of a preeminent trade magazine and helping to launch BICSI’s premier publication, ICT Today.

Voice your opinion!

To join the conversation, and become an exclusive member of Buildings, create an account today!

Sponsored Recommendations

Building Better Schools

Download this digital resource to better understand the challenges and opportunities in designing and operating educational facilities for safety, sustainability, and performance...

Tips to Keep Facility Management on Track

How do you plan to fill the knowledge gap as seasoned facility managers retire or leave for new opportunities? Learn about the latest strategies including FM tech innovations ...

The Beauty & Benefits of Biophilic Design in the Built Environment

Biophilic design is a hot trend in design, but what is it and how can building professionals incorporate these strategies for the benefits of occupants? This eHandbook offers ...

The Benefits of Migrating from Analog to DMR Two-Way Radios

Are you still using analog two-way radios? Download this white paper and discover the simple and cost-effective migration path to digital DMR radios that deliver improved audio...