Enemies at the CyberGate

By Dennis Boone

All buildings—commercial as well as residential—are getting smarter. But you’re making a stupid move if you don’t know how smart the technology is as your company melds ever more closely into the Internet of Things.

From HVAC systems to electronic access to controlled lighting, the points where your operations interface with the rest of the world create enormous risk.

That risk goes well beyond threats that someone might shut off your air conditioning on a hot day. And the goal is rarely to mess with your automation systems themselves—that’s more the domain of the practical joker—but to infect any corporate network with uploads of ransomware, worms and spyware.

“The biggest thing is to understand about the whole cybersecurity initiative is that it’s all about risk awareness and risk mitigation,” says Marc Petock of Lee’s Summit-based Lynxspring, which specializes in building-control systems. What many building owners fail to grasp, he said, is that those operational systems are also entry points for some bad players to get what they’re really after: your data, your customer information, your financial records and more. 

While most of the focus is on front-end IT security, operational systems are often overlooked, Petock says, with disastrous consequences.

Remember the Target stores’ data breach? That was eight years ago, Petock notes, and while it’s still referenced in IT circles for the damage done, very little is mentioned about how it occurred: Thieves gained access through the HVAC system.

Target was one of those mega-disasters that resonates with the public because of its sheer scale. But in that sense, it was also an exception. Small and mid-size companies, it turns out, are actually more attractive targets. Without the robust budgets for internal IT security teams and systems, those smaller targets are easier to infiltrate. Off-the-shelf solutions are rarely one-size-fits-all. 

A consulting-firm report published in 2019 showed that among roughly 40,000 “smart” buildings, nearly two in five had been targeted by a cyberattack—and the majority of those attacks were made on computers controlling the building automation systems. Compounding the challenge for building owners, the sources of those attacks was multi-variant: 26 percent came from the Web, and 10 percent each from removable media and phishing links. Only 1.5 percent originated from shared folders on corporate networks.

So the key, say security experts, is awareness. 

“When you think about cybersecurity on a building level, owners have a number of questions to ask,” Petock said. “Are we secure, is our system secure? How do we know we weren’t compromised today, a week ago, or a year and a half ago? How would we even know if we had been? What would we do about it if we were hit with ransomware, as has happened with hospitals? Are we prepared to face that threat? Do we have a cybersecurity statement we follow? What about companies in our supply chain—are they following good cyber policies?”

Business executives have plenty on their minds running their companies, so adding to the challenge with a worklist like that, by definition, requires either the staffing dedicated to providing those answers, or third-party assistance.

Experts in system security say one of the chief dangers of this era is that senior leadership in many organizations have only a conceptual grasp of IT needs—they don’t have a deep understanding of the risks, the challenges or the required solutions and are often signing off on decisions they truly don’t really understand.

To counter that, security professionals say it’s vital for company leaders to ensure that:

• Program “patches” are installed as soon as they are made available to you.

• They are up to speed on emerging threats, and have ensured their firewalls are adjusted accordingly.

• Anti-virus software is not just updated, but installed on every device that accesses their network.

• Staff is routinely reminded of risks. Most of us don’t want to hear for the millionth time that opening an attachment from an unknown sender is risky, but the one employee who hasn’t heard that message can cost you tens of thousands—and even devalue your brand.

Those question should also be top of mind for anyone taking the keys to a large distribution facility or office building; virtually every structure of more than 100,000 square feet in the U.S. these days comes with the latest building-automation systems available. 

Fortunately for owners, many contractors have baked cybersecurity infrastructure into the cake of building design and construction, but in the end, the experts say, it’s all a question of responsibility. Who has it? 

“It’s what I call a shared responsibility,” Petock says. “It starts with the building owner and operator asking his facility management team, his contractor and their service providers, “are we secure? If not, I want to ensure we are.” They have to ask for it. But it’s also the contractor system integrator’s responsibility to bring that up and have that discussion with the building owner, and make it part of their plans and their deliverables. And the manufacturers of the equipment and systems or devices themselves, they should be and need to be ensuring good cyberdesign in their equipment as they are developing it and bring it to market.”

In the end, he says, “While it’s not one person’s responsibility, if the buck has to stop in one place, that would be the building owner.”