By Elias Zeilah
As technology and connectivity continue to grow and integrate into our daily lives, cyber security threats also increase. While most people are aware of the risk to their sensitive personal information, the general public is just now being made aware of attacks on institutions, including infrastructure and facilities. In March 2018, the U.S. intelligence community issued a security memo detailing a series of Russian cyberattacks targeting energy management control systems (EMCS) at U.S. and European nuclear power facilities. These attacks staged malware, conducted phishing, and gained remote access into energy sector networks and small commercial facilities’ networks. This news should give pause to owners and facility managers of other public and commercial buildings, which could be at risk in the future.
A report published in Harvard’s Journal of Strategic Threat Intelligence suggests that most hospitals, for example, do not have a comprehensive understanding of their information technology (IT) infrastructure. This gap in knowledge allows for vulnerabilities to develop as upgrades and updates get delayed, devices become misconfigured, and unused legacy systems remain connected. Furthermore, cyberattacks are becoming more sophisticated, making them harder to detect and mitigate.
A breach of a facility’s building automation system (BAS) or energy control management system (ECMS) can be catastrophic. If an attacker were to successfully breach the system, they could go as far as rendering all mission critical equipment (e.g., power systems, surgery med gas, backup generators, etc.) inoperable for an undetermined length of time. In order to prevent these breaches, it is important to understand the way in which a facility may be vulnerable.
Why are Facilities Vulnerable to Cyberattack?
There are a variety of cyber intrusion points at a facility, the most concerning of which is the BAS, which provides automatic centralized control of a building’s heating, ventilation and air conditioning, lighting and other systems. Similar to the energy management systems targeted by the Russians, BASs have become more intelligent and more connected in recent years. A wide array of networked components are required to effectively manage a facility’s various sub-systems. As the BAS infrastructure becomes more complex, the attack vector and cyber vulnerability associated with that system increases.
Though the majority of cyber threats are related to systems connected to the internet, vulnerabilities also exist on local systems, with no connectivity outside the perimeter of the facility, as demonstrated by the Stuxnet worm. BASs are especially vulnerable as they are a form of supervisory control and data acquisition (SCADA) system and are typically not designed with security as a primary requirement.
While guidance like Unified Facilities Criteria (UFC) 4-010-06 describes the requirements for addressing cyber security of facility-related control systems, this is only applicable when a building is being originally constructed or undergoing renovations. There is nothing that requires ongoing survey of these systems over time. Since BASs are often required to run 24/7 without downtime, they may not receive the appropriate updates needed to address the ever-growing list of security vulnerabilities.
How to Gauge Your Building’s Vulnerability
As cyberattacks increase and evolve, the need for the technologies and security methodologies to prevent them also grows. Because BASs can vary greatly from facility to facility, they need to be examined and addressed individually. Relying on the facility’s IT security alone is not sufficient, as the requirements and slew of devices and protocols present in BAS networks differ from that of IT security implementations. Conducting a comprehensive cyber security risk assessment is a critical first step in gauging your building’s risk factors. In a paper published by the U.S. Department of Energy, it is suggested that an effective cyber security risk assessment can identify “threats and vulnerabilities, impacts that threats may have on the organization, and the likelihood of adverse events occurring.” Only then can informed decisions be made on the security posture of the facility control system.
An experienced facility life cycle solutions provider like NIKA can help facility owners take the first step toward facility “cyber health” by identifying key personnel for the effort, defining objectives and priorities, and giving you a better understanding the status of any at-risk inventory.