Cybersecurity of operational technology (OT) systems has gained precedence in the last few years. Building automation systems are also OT systems and vendors have installed these systems without considering cybersecurity as a major design concern. As a result, legacy systems in older buildings have cybersecurity flaws that can be exploited.
People, processes, and technology, known as the PPT triad, is used by most experts when dealing with cybersecurity. When it comes to OT systems, building owners and property managers need to develop a security framework or policy for OT systems. It can be independent or an extension of the wider security framework of the organization that covers topics specific to OT systems. Developing the policy follows a need for compliance with the policy. Securing technology is a task shared by the system manufacturer and integrator. The building owner/facility management has the responsibility to initiate cybersecurity at the onset by specifying the security controls. These security controls need to be verified at the conclusion of any installation as the building is transitioned to steady-state operation. Perhaps the most important aspect of the PPT triad is People.
Most of the system intrusions and breaches of sensitive information in organizations occur through the error, oversight or ineptitude of people. 4 out of 5 cybersecurity incidents such as data breaches are due to human or process error. Cyber attackers or threat agents use social engineering to target people and their behavioral tendencies with attacks such as phishing, ransomware, baiting, and others. This issue is exacerbated in OT systems as the systems used are not accustomed to having the basic cybersecurity controls. Facility managers, building operators and contractors using these systems are not aware of rudimentary security practices and lack IT expertise. This combination provides attackers and threat agents easy pickings.
During a review of a group of buildings of a major property management firm, the facility manager told the story of how the technicians of a major building automation system (BAS) integrator used the same password for all of their BASs in an entire city for months on end! Their reasoning might be considered ‘practical’. The technicians would work on different sites and did not want to keep remember different passwords for different sites when doing service or maintenance. However, this lack of process or lack of adherence to it potentially exposed dozens of buildings with high profile clients whose operations could have been compromised. The BAS manufacturer has since rectified this issue. However, imagine the damage that could have been done if this particular password was exposed.
Another firm suffered multiple cybersecurity attacks from foreign actors. In one instance, they logged in to the BAS and changed parameters of their chiller plant. The system was easily accessible due to a public IP address and simple/default password used by one of the users. In another case, the cause of the attack was the same, but the outcome was worse. The main backup server was accessed, and all backups of the BAS and security systems were erased.
There are too many similar cases to list here where the common theme is that the behavior and practices of people can be exploited for cybersecurity attacks. However, people in these positions cannot be held completely responsible. In many instances, they have not been provided any form of cybersecurity awareness training. Facility management organizations do not have adequate training programs in place to train their staff nor do they have a cybersecurity policy for securing OT systems. These organizations need to understand that attackers will target their systems through their staff. It is the sole responsibility of the senior management of the organization to develop their cybersecurity policy with respect to OT systems and train their staff. It is the responsibility of both senior management and their staff to ensure adherence to the policy developed.
This is also true for OT system vendors and service/maintenance providers. Providing robust cybersecurity for the systems that they manufacture should be a top priority. In addition, training their technical staff also needs to be a top priority. Vendors also have the responsibility of educating their customer on security features on their systems and what best practices they should use to reduce the risk of cybersecurity attacks.
In the short term, these firms need to make the necessary investment to train staff on basic practices such as restricted network and user access to OT systems, password management and network monitoring that will reduce the chances of cybersecurity threats. In the long term for both property managers and vendors/contractors, a comprehensive cybersecurity policy needs to be developed along with a process that ensures adherence to this policy.
