Historically, information security (InfoSec) was not a significant concern within building operating systems comprising proprietary protocols and closed infrastructure with limited data. As these systems increasingly shift to open, interoperable architecture that collects and processes information from connected operational technology (OT) devices to support smart-building initiatives, they become at risk for ransomware, which comes with significant remediation costs, and cyber-physical attacks that can halt facility operations, damage property, and put lives at risk.
OT attacks can cause widespread harm particularly when the targets include companies that provide vital services to the public and have a significant impact on the economy, such as health care, utilities, energy, and public safety. Thankfully, project stakeholders are taking note.
More data in more places means more risk
Initially, hackers leveraged building systems as a facilitator to gain deeper access to IT systems and confidential corporate and financial information, says Jason Christman, vice president and chief product security officer at Johnson Controls. Now, hackers are targeting building systems directly. “Today’s building systems encompass more devices," he says. "Each has set points, configurations, and valuable information, like biometrics, in access control systems, air quality readings in HVAC systems, fire suppression settings in life safety systems, and data needed to comply with insurance, codes, and … environmental regulations. These systems are now being targeted for ransomware—there’s more money in going after companies at risk for building operational systems locking up, losing permits or insurance coverage because systems aren’t working, or situations that can impact life safety, such as shutting down surveillance and access control systems.”
In 2020, the amount companies paid to hackers grew by 300% from the previous year, according to Harvard Business Review. In its June 2021 fact sheet, the Cybersecurity and Infrastructure Security Agency (CISA) called for improved InfoSec on OT systems. Early this year, researchers at global cybersecurity firm Mandiant found that 1,300 of the 3,000 data leaks originating from ransomware attacks in 2021 occurred on critical OT infrastructure. Recent attacks on OT include those against the Colonial Pipeline, JBS (the world’s largest meatpacker), and the Washington Metropolitan Police Department.
Observing that the COVID-19 pandemic increased the need for remote network access, Christman says, “The speed at which cloud, 5G, and integration technologies are happening in the built environment, [along with the] increasing number of solutions, has made hackers more aware of vulnerabilities in OT systems. We’re also seeing the deployment of more remote access solutions, and when service techs don’t set these systems up securely, it leaves the door open for ransomware attack.”
Rising awareness leads to innovation
The smart building industry is becoming increasingly aware of the risk—especially following recent evidence published by CISA that Russia’s invasion of Ukraine has led to threats to critical infrastructure by Russia-aligned cybercrime groups.
Education is key to addressing the knowledge gap and shortage of cybersecurity talent needed to safeguard systems and deal with the security challenges that come with IT/OT integration. Critical infrastructure and OT cybersecurity training courses are now among the top offerings at InfoSec education providers and associations, including the International Society of Automation.
Christman also points to the significant increase in startup OT security companies, vendor collaboration, and demand for assessments from building owners and operators. Security assessments are particularly on the rise within brownfield sites looking to integrate multiple legacy systems that may have outdated security functionality, lack of visibility, and older, vulnerable hardware and software. “We’re seeing innovation happening throughout the OT security market through acquisitions, vendors coming together under cyber alliances, and larger real estate asset owners becoming highly proactive in defining OT security policies and scrutinizing their suppliers,” he says. “The construction industry is making security a key component of the procurement process and requiring certifications—and vendors are responding.”
Emerging InfoSec best-practice guidelines, standards, and frameworks for the commercial building industry include the Building Cyber Security (BCS) Risk Framework and the SPIRE Smart Building Program. The federal government is also addressing the issue. Christman believes that President Biden’s cybersecurity order, which requires vendors contracting with the federal government to provide a software bill of material (SBOM) for each product, will make its way into the private sector. “We need to know what the ingredients list looks like for any given software,” he says. “We are seeing these SBOM requirements starting to gain ground among energy, pharmaceutical, and financial entities.”
While significant room for InfoSec improvement remains, smart-building experts understand the value of open, interoperable systems, data flow between converged IT and OT systems, and cloud-based solutions that provide data analytics. “Buildings are becoming living entities, and the data gives us the grand view we need to optimize their functionality and health,” Christman says. “If the technology is deployed with the right security segmentation, monitoring, controls, and response, we can preserve smart-building strategies and reduce the risk.”
