This past September, Johnson Controls announced in an SEC filing that they were the victim of a coordinated ransomware attack. The ransomware group, known as “Dark Angels”, claims to have stolen 27Tb of data from the leader in smart building and operational technologies.
In the past few months, little information has been released as to the impact on the organization or its customers. However, the incident has left many building owners and operators questioning whether an upstream breach with a trusted technology partner could potentially trickle down to impact their facilities.
The potential customer impact can be huge
For those that recall, a cyber security breach at SolarWinds in 2020 caused a great deal of panic as malicious actors not only targeted the network monitoring and management software provider’s digital infrastructure but also proceeded to deploy malicious code into monitoring and management software. This software was then pushed to customers via standard software supply chain updates unbeknownst to anyone. The impact of a single upstream software supplier impacted thousands of businesses and government organizations around the world, potentially exposing their sensitive data through a backdoor.
At this point, there is no indication that the hacker group who targeted and stole data from Johnson Controls had access to any software or cloud environments that would directly impact technology customers. However, the security breach does show that any organization–no matter how big or sophisticated–can succumb to cybersecurity threats. What’s more, those major targets can trickle down to the customer level in some cases.
This is especially concerning when these companies provide smart building and operation technologies, software, and cloud services that manage and monitor critical building infrastructure, IoT, and physical security systems. Disrupting any of these systems can be devastating to the health, safety, and operations of commercial buildings worldwide.
What smart building owners and operators need to think about
In light of the Johnson Controls ransomware data theft and the SolarWinds malicious code supply chain attack, building owners and operators should assess their existing security protocols and procedures to protect against smart building technology software supply chain hacks. Methods used to protect against this problem include:
- Lock down external communications. Put security policies and firewall rules into place that specifically identify which smart building, OT, and physical security technologies can communicate with both internally and externally.
- Monitor external communications. Implement security tools that can be used to generate alerts when communications frequency, traffic size, or other communications are altered from established baselines.
- Network micro-segmentation. Prevent lateral network movement through micro-segmentation within the network. This eliminates any concern that additional systems, applications, or services will be impacted if an upstream supply chain compromise occurs.
- Encrypt data at rest and in motion. Keep data safe even when theft occurs by encrypting data that’s being stored or transferred across the corporate network or cloud services.
- Secure privileged accounts. Control which user accounts have access to sensitive smart building management and control systems by using identity and access management (IAM) software.
- Implement zero trust architectures. Zero trust is an approach within IT security that requires all access to smart buildings and digital business resources to authenticate and continuously validate who they are before gaining access.
- Use vendor security posture assessment tools. Third-party security tools can help perform software supply chain risk assessments and attack surface monitoring using AI/ML-driven technologies. The analysis provides detailed reports and auto-generated suggestions on how to best eliminate growing technology partner risks.
- Build communications lines with technology vendors. Formalize a “soft security” channel to build lines of communication between building owners and technology partners. The goal is to share risk assessment findings and other security concerns that can be used to preemptively stop potential threats from expanding into smart building systems.
Finally, and perhaps most importantly, building operators should establish detailed procedures that can be executed when an upstream breach has been detected or declared. This includes the severing of external communication data flows thought to be a threat, software rollback procedures, abnormal traffic detection/alerting/remediation, and the physical or logical quarantining of smart technologies that may be compromised.
While cyber security breaches are real threats to organizations of every size, risks can be mitigated by implementing proper security protocols and procedures ahead of time.