By Cameron Exley, Head of Technology and Commercialisation at Syntric
Cameron Exley talks about OT security threats and explains how simple things
like conducting sensible conversations and confirming ownership should be
the first steps to preventing attacks.
Last September, Gartner included cyber threats to physical processes and assets in
its ‘Top nine security and risk trends for 2020’. The global research company
explained how “emerging threats, such as ransomware attacks on business
processes, potential siegeware attacks on building management systems, GPS
spoofing and continuing OT (Operational Technology)/IoT (Internet of Things)
system vulnerabilities, straddle the cyber-physical world”.
Security misconfigurations or, in some cases, a total disregard for security, resulting
in opportunistic attacks, are some of the most common security shortcomings today.
A further problem is that many businesses have yet to decide who will be the owner
of the systems installed – many of which enable remote access. With no clear
‘owner’ and systems installed and maintained in the quickest and cheapest way
possible, systems and entire buildings and portfolios are vulnerable to costly
Ransomware is carried out by robots constantly scanning the internet to find access
to exposed systems. Once in, they will encrypt every file in a computer, locking the
user out, and demand bitcoin or another cryptocurrency before they grant access again. It has
long been an IT security issue, but can also impact building management servers
that may control multiple systems like lighting and HVAC.
Picture the wasted stock a large-scale butcher would have to throw out if their
refrigeration system was tampered with, or high-rise building occupants stuck in a lift
after elevator control systems were locked down. These are extreme examples, but
a wake-up call. Organisations must consider what they could be liable for in the
event of an attack. More commonly, the issue revolves around money. Opportunistic
robots don’t care what the system is; all they want to do is lock it up and ransom it
back to its owner for cryptocurrency.
Not defining clear lines of ownership is one of the biggest mistakes an organisation can
make when it comes to OT security. Between FMs, OT managers and, sometimes,
their BMS contractors, there are often no clear lines of accountability for the system.
If all concerned think that somebody else has taken responsibility for it, then nothing
will happen and attacks become harder to predict and avoid. There’s no rule for who
should own any particular system – as they are all different – as long as somebody
To inform your decision on who’s going to own OT security, you need an
understanding of what’s required, such as how to build a security policy. This is a
fairly technical and advanced procedure and, most of the time, it is unfair to expect
FMs or contractors to build this by themselves. Progress is being made in this area,
though, as many buildings and real estate investment trusts are building
cybersecurity policies and empowering their FMs to communicate cyber risk with
contractors. For this reason, a contractor who provides support that helps FMs
understand and meet their security requirements, regardless of their OT security
literacy, is key.
Cyber cloaking: the best defence
Without cyber cloaking, you are exposed directly to the internet. The opposite needs
to be true. Cyber cloaking will hide you to the point where, based on the Australian
Cyber Security Centre’s recommendation of security modelling, nothing should be
accessed without some sort of VPN (virtual private network). This prevents bots and
unknown people on the internet from being able to detect your equipment during
Awareness of, and protection from, hazards is growing. The Federal Government is
just one official body reporting that it is seeing many more active attack attempts
targeting uncloaked assets that are available on the internet.
Unfortunately, there remains reluctance from people who don’t appreciate the threat,
who feel they cannot afford protections or who have no desire to understand the
problem. But if you’re swimming at the beach and there’s a shark in the water, you
don’t want to be the slowest swimmer. Along with the risk, the inconvenience of
implementing these systems will become more and more costly over time as more
equipment becomes attached to the network and has remote access functionality –
especially for some of the connected safety systems used in care facilities, for
example. It would be inadvisable to be put in a position where you’re liable. Doing
the risk modelling and understanding the risk you’re accepting is an affordable first
step to getting the right solution and finding the right partner.
Getting an audit
The best way to spot the gaps in your OT system is with an audit. These are very
inexpensive and provide a basic understanding of your network and the assets
connected to it. An audit could be especially valuable in systems where an FM has
been working on the one asset or portfolio for a long time; perhaps it has been
operated on by a range of different contractors over the years, who’ve all followed
their own procedures, which may not have always been best practice by today’s
standards. The audit can help you understand exactly where your exposure is, giving
you the visibility on your systems to help you understand your OT security needs.
A cyber security service can be expensive and complex to set up, but if it’s operating
efficiently and protecting everything well, you shouldn’t even notice it’s there. What
you don’t need is a third party installing very expensive controls that may not be the
right match. There’s a lot of IT security out there that does not work in OT. So,
choosing the right partner and solution is important, but should not be daunting.
Finding a match
Many vendors will try to sell fear, but doing so isn’t helpful and it certainly won’t help
FMs get the right funding for the right solution. You need to sit with someone,
conduct a proper risk model and understand exactly what risks you can accept and
what risks you cannot.
The conversation should cover basic questions and answers, such as: ‘If someone
gets access to the lighting control system, what control will they have? What is the
worst situation you could imagine if someone was to abuse that control?’
Consider such things as part of a very sensible conversation about all the risks
involved with your systems and what controls you can place around them that will
have minimum impact on your operations.
Show me the money
Finding the right partner shouldn’t be too difficult, but the greater battle is often
presenting the idea to your building owner or corporate board to secure funding. As
an FM you’re given a budget and are going to allocate it as efficiently as possible,
spending what’s needed to keep your tenants happy and protected.
If you are struggling to get funding and are worried about the risk, an audit,
the affordable first step, is recommended, as it enables you to build a case. You
need to be able to go back to your executive team and clearly articulate the risk, as
well as the potential consequences. A good partner may be able to assist you in
understanding the costs involved in recovering from different scenarios, which are
powerful tools in executive conversations.