Ahead of the game
18 May 2017
Mike Gillespie discusses the increase in technology-powered smart buildings and the concomitant rise in cyber threats to their security.
THE BUILDINGS we use, work and live in are becoming increasingly smart, with technology that enables them to be run from virtually anywhere in the world. But is our capability to run and manage them commensurate with the technology they use, or is massively increased risk the price we have to pay for better functionality?
As we become more dependent on automated and semi-automated management systems, human interaction decreases and so do the opportunities for intervention in the event of a security threat, or incursion. We are trusting systems, but when it comes to security of smart buildings and how we approach it we still need to ask ourselves: what could possibly go wrong?
We use and see the term ‘smart’ a lot these days and not only in relation to security, but perhaps the concept is worth exploring first. Some buildings are born smart; they are designed and built with integrated systems, are web-enabled and feature automated or semi-automated processes that reduce the need for time-consuming and therefore costly human interaction and management. Some of these buildings are in public use, many are privately owned. They are often commercial buildings that need the cost savings ‘smart’ offers, but smart homes are increasing in popularity too, as are smart-home packages, which are essentially bolt-on systems, similar to an upgraded commercial system but on a smaller, domestic scale.
Other buildings have become, or are becoming smart; new, remote and automated systems are integrated into existing facilities and while some changes may be made operationally, the approach to management often remains traditional. Then there is a last group of buildings that has smartness thrust upon it. The buildings in this group have had little thought applied to how automated or remote systems will impact their security, beyond the immediate physical implications. Future-proofed they aren’t, but that isn’t the only concern. Among other issues, buildings that were not designed to be web-enabled yet are operating with Internet Protocol (IP) systems pose a risk, but if they are also outside IT security protocols or oversight, then the security risk is significant.
Handling that and the other risks arising from some of these ‘smart’ systems requires focus and collaboration. In effect, we are taking technology that is smart and placing it in a low-IQ environment then hoping for the best; we are using traditional or outdated management and security methodologies on systems that have more than outgrown these approaches.
Over the last few years, web-enabled systems in buildings have grown in both number and range. Managers of multiple sites use the likes of environmental control systems, automated parking management and door-entry systems to great effect, and this is likely to continue.
Traditional systems may have enjoyed a kind of security by obscurity, as they were not networked and so were hidden from hackers, or interference, and they were often run by the security team alone. But this has changed. IT security is increasingly being dealt with by facilities management teams, as well as physical-security teams, as cyberspace has become a key feature in many modern building and physical-security systems, alongside the ‘traditional’ corporate systems, such as email. Part of the problem with some systems is that they were not built securely in the first place.
The components themselves may be hackable, vulnerable at the point of manufacture and supply. If we look at components like Programmable Logic Controllers (PLCs) these sit in many systems and control a variety of different physical attributes. They are designed to perform a single program, at high speed and repeatedly. Yet the now famous virus Stuxnet was designed to attack these very components. But if all the PLCs in use at the time (2010) have now been secured, we have nothing to worry about.
Other issues around firmware, or the platform on which the systems are built, can cause vulnerability. If the system uses a platform that is now obsolete ─ Windows XP, for example ─ it will no longer be receiving security patching for vulnerabilities, and, as time goes on, will become more and more risky to continue to operate. Of course, until something goes wrong, businesses generally choose not to invest in new systems purely for their security. Forward planning or future-proofing should include lifespan management of systems that may pass into this critically vulnerable phase.
Part of the problem is that IT security teams often have no oversight of physical, or building management systems at all. This means they are not part of patch or change management and configuration regimes, and their lifecycle is definitely not being managed in a way that rules out obsolete platforms. Let’s face it, gaps that exist due to this kind of failing can, and at some point will, be exploited.
At a recent global cyber-security seminar, researchers showcased some ransomware (a particular family of malware that extorts a ransom from a user by encrypting their files or system until payment is made, or sometimes not even then) that had been specifically designed to attack PLCs (remember them?)
If researchers are able to do this you can guarantee that criminals can, too. At this point, we are looking at the possibility of physical systems being held to ransom from cyberspace. In fact, this has already happened. In Washington DC, four days before President Trump’s inauguration, Washington DC Police lost 75 per cent of their surveillance camera DVRs to a double ransomware attack. This meant they had four days to rebuild these systems from scratch. Quite a challenge in a highly-charged situation.
It should come as no surprise, then, that many physical-security and facilities management professionals are now being expected to introduce cyber threat into threat assessments. However, the language around cyber security can be baffling and exclusionary. Combined with a lack of collaboration, this causes difficulty and contributes to the perception of avoidance we often hear in the statement: “I don’t do cyber”.
Hopefully, it will now be clear that everyone does cyber, so the question is, simply, how well? But even though IT security may have a few years’ additional experience in how to handle itself, don’t imagine it has all the answers. Indeed, headlines will bear me out when I say things go wrong on a fairly regular basis and the most recent example would be the worldwide ransomware attack, which badly affected the NHS. The reasons why are frequently the same: basic security measures are not taken, as with the cyber attack that stole customer data from TalkTalk for example; or people are poorly trained and expected not to make mistakes; or the breach may occur in a culture in which not enough importance is placed on customer data..
So, although we are certain we need IT and cyber-security professionals involved in securing our physical entities, we also know that we have a long way to go to create the organisational cyber resilience we need.
Add facilities management into the mix and we have another language and operational culture that need to blend with physical security and cyber security to help run and secure our smart buildings. All of these disciplines need to understand risk and be able to communicate not only with each other but also with their boardrooms, to ensure they have the support and strategic input required to bring the whole organisational security culture together and manage the smart environment. How else can it be communicated effectively to the users, who have a major part to play in security? And how else can we hope to help protect supply-chain partners in our business ecosystems who may be connected to us through maintenance portals and other systems?
So, smart-building managers and security professionals, the challenge, or at least the parts we know about the challenge, are emerging for us to consider and meet. We need our businesses and our systems and buildings to be able to compete and thrive in agile environments. We need to embrace technology and the efficiencies and comforts it brings, but at the same time we need to be equal to the security challenge, ready to collaborate and well informed about changes in the threat landscape. We all do security now, and we all do cyber now. If we talk to each other, share knowledge, experience and expertise, we will be able to improve security and resilience for all in our cyber ecosystem.
Mike Gillespie is managing director and cofounder of Advent IM Ltd. For more information, visit www.advent-im.co.uk