Cyber security: time to close the back door

Cyber security threats are not a new phenomenon. For as long as we have had information
technology (IT) systems, we have had to protect them from unauthorised access. However,
today we face a new era in cyber-attacks that has emerged as a direct result of the
increased use of the Internet of things (IoT) in our buildings. The COVID 19 challenges we
are currently confronting have further compounded this problem

Cyber security is an ever-evolving challenge, changing year by year to keep pace with the
sophisticated advances in hacking technology. Cyber-attacks themselves are typically motivated
by one of three aims: to access, change or destroy sensitive information; to extort money from the
victim; or to interrupt normal business processes. The perpetrators of these breaches might be an
individual, activists, criminal elements, terrorist organisations, or state-sponsored entities, but they
all share the same three goals

Until recently, hackers have generally targeted networks, programs, the cloud and end-point
devices, such as computers, routers, servers and smart devices. It is the proliferation of smart
devices—especially those outside the normal IT umbrella—that is causing the latest cyber security
dangers. Needless to say the current environment due to COVID 19 is making these types of
attacks even more prolific as evidenced by the numerous media articles pertaining to increased
cyber security issues being experienced globally.


Cyber security has traditionally been considered solely an IT problem by most companies, as their
IT systems have been both the ultimate target to be accessed by hackers, as well as providing the
numerous potential entry points into an organisation’s private digital domain. However, with the
development of smart buildings, this accepted battleground is changing.


Today, in addition to their IT networks, many companies now have Operational Technology (OT)
systems designed to run the physical environment, such as the Building Management System
(BMS) that monitors and manages the lighting, HVAC and other services within a building. As part
of a building’s OT ecosystem, there are also an increasing number of internet connected smart
devices that have the potential to be hacked. These devices operate alongside traditional
technologies such as BMS, HVAC, lighting, fire panels, access control etc., all of which are critical
in maximising the revenue generating capacity of a building and lowering its running costs.

Cause for concern

As an IT issue, cyber security demands a significant part of the overall IT budget. For example, a
large organisation might happily consider spending 30 per cent of its IT budget to keep those
systems safe. By comparison, OT has typically commanded a much smaller budget, which means
that almost without exception, a company’s OT systems are less secure than its IT networks. The
combination of the number of IoT connected devices within a modern OT system and their hitherto
lack of protection means than many companies find themselves at serious risk of having these
systems breached.


This is a huge cause for concern on two levels. Having penetrated a company’s OT system, a
hacker will be effectively free to manipulate heating, cooling, lighting, fire-protection, alarm
systems, lifts and all other services within a building, which could be extremely disruptive to
business. However, the greater worry is that a hacker might not be content to breach the OT
system simply to wreak havoc on the building services, but might instead target the OT
infrastructure in order to gain access via the back door into the IT systems where all the lucrative
information resides.


The recent Realcomm conference in Nashville, Tennessee highlighted this critical challenge to
property owners. The proliferation of IoT presents a momentous opportunity for businesses as they
are endeavouring to make their buildings smarter and provide greater amenity to their occupants
whilst lowering running costs. These investment strategies cannot be implemented without first
adequately protecting their OT systems.


There are two principle philosophies regarding next-gen cyber security to address this risk for OT
ecosystems. These can be best understood by the layperson as the ‘Moat and Drawbridge’ and
the ‘Invisible Cloak’ analogies.

Competing philosophies

Proponents of the ‘Moat and Drawbridge’ school of thought believe that if a business or building
can be surrounded with a metaphorical moat that is deep enough and wide enough, then all cyber
traffic can be directed through a single point of access—the drawbridge—into which all necessary
protective measures can be installed. This philosophy necessitates the removal of all other entry
points into the IT and OT networks, other than the drawbridge itself.

The competing belief—the ‘Invisibility Cloak’ approach—is based on the concept of making a
building digitally invisible to all but those people who need to see it, such as trusted users, clients,
suppliers and business partners. Even though these people will be allowed admission, this access
will be restricted to the parts of the system that they need to see, while the rest of the building will
remain invisible to them.


Which solution is most appropriate ultimately depends on the situation at hand. These
technologies need not be mutually exclusive. They should operate alongside each other thus
accommodating the various commercial realities across different property portfolios. An integrated
approach is critical. By way of example, an existing firewall /router cybersecurity solution should be
able to stay in place whilst an invisibility cloak is placed over the entire OT ecosystem, thus making
the most of the best attributes of each technology. Of course, doing nothing is the worst choice of
all.

Key questions

Facing this challenge of protecting their OT systems, businesses need to ask themselves four key
questions:

  • Firstly, which of these philosophies makes most sense for their business? Does the business have
    anything in place at all alternatively does the business have existing viable drawbridge and moat
    infrastructure that needs to remain, and if so, can an invisibility cloak work alongside this
    infrastructure?
  • Secondly, what are the up-front installation and ongoing administration costs of each option?
  • Thirdly, what loss of strategic flexibility are they prepared to suffer in the name of security?
  • And perhaps most importantly, what is the cost of doing nothing?

Businesses today need to understand that although it is normal practice to spend 30 per cent of an
IT budget on IT security, the same does not necessarily apply for OT security. The solutions
required to deliver adequate cyber security to OT systems must operate within the lower cost
paradigms applicable to the OT space whilst still safely allowing remote access by numerous OT
maintenance vendors. OT solution providers, like Grosvenor have an intimate understanding of
this reality.


Syntric has secured cutting-edge technology and established procedures that guarantee that the
installation, maintenance and administration of its cyber solutions can both complement and

enhance the protection of OT systems at cost levels not previously possible. In this way, property
owners, managers and end-users can embrace all the benefits of smarter buildings without the
cyber security risk

Sign up for the latest news from Syntric