Managing Building Control System Vulnerabilities

By Fred Gordy, Director of Cyber Security & Managing Consultant, Intelligent Buildings, LLC 

The technology that controls the environment in your buildings exposes you to cybersecurity risk. The building control systems that provide lighting, move people, park cars, provide and monitor power, and allow access can lead to massive cybersecurity breaches if not handled correctly. Even though these systems work by connecting to the internet, they cannot be managed the same way as IT systems. It’s more than protecting your data and encrypting networks. Threat actors can leverage vulnerabilities in your building control systems to not only steal information and data, but actually take control of the systems remotely and damage your building and harm occupants.

New threats aimed specifically at building control systems pop up daily—and they aren’t just the casual hacker poking around to see what limits they can push. An Iranian group released a how-to guide for attacking building control systems, and recently, a Chinese threat actor stole important data by hacking into a building automation system. And it’s not just data that’s at risk. In 2021, Department of Homeland Security (DHS) Secretary Alejandro Mayorkas coined the term killware, which is malware that targets building control systems to cause physical harm or even death. Last year, an Alabama woman filed a wrongful death suit against a hospital after a killware attack shut down the hospital’s monitoring systems, causing an at-risk baby to die when the hospital staff wasn’t alerted to a sudden problem with the baby’s health.

These harmful attacks can be avoided by beginning with the following steps toward building cybersecurity:

  1. Inventory your building systems and devices
  2. Manage your service providers
  3. Review and update your service provider agreements

The first thing you must do is inventory your building systems and devices. A common issue we have seen from our thousands of assessments is that building owners are typically unaware of all the systems and devices installed in their buildings. This is a problem because you can’t protect what you don’t know about. We have found that over 80% of the sites we assessed in the US and abroad had 10 or more unknown (and therefore unprotected) connected devices. For example, we assessed a site that claimed only four connected devices on the HVAC network. We found 32, and at least one had significant cybersecurity vulnerabilities, making it an easy target for threat actors. It took the building staff two weeks to find and remove the device.
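As an added illustration of the inventory step (example code, not from the article or Intelligent Buildings), the script below reconciles a declared device list against an ARP export from the control network and flags what the site did not know it had; the declared list, the ARP lines and the small OUI table are all constructed sample data.

```python
# Reconcile a declared building-system inventory against what is actually seen
# on the control network.  All data below is constructed for the example.

# Declared inventory, as a site might hand it over: MAC -> (system, description).
DECLARED = {
    "00:1b:c5:aa:00:01": ("HVAC", "supervisory controller"),
    "00:1b:c5:aa:00:02": ("HVAC", "AHU-1 controller"),
    "00:1b:c5:aa:00:03": ("HVAC", "AHU-2 controller"),
    "00:1b:c5:aa:00:04": ("HVAC", "chiller gateway"),
}

# Tiny constructed OUI table, used only to label unknown devices by vendor prefix.
OUI = {"00:1b:c5": "ControllerVendor (sample)", "b8:27:eb": "Single-board computer (sample)"}

# Constructed ARP/neighbour table as exported from the HVAC VLAN switch ("ip mac").
ARP_EXPORT = """\
10.20.1.10  00:1b:c5:aa:00:01
10.20.1.11  00:1b:c5:aa:00:02
10.20.1.12  00:1b:c5:aa:00:03
10.20.1.13  00:1b:c5:aa:00:04
10.20.1.50  b8:27:eb:12:34:56
10.20.1.51  3c:52:82:00:00:09
"""

def parse_arp(text):
    """Return {mac: ip} from 'ip mac' lines; malformed or blank lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            seen[parts[1].lower()] = parts[0]
    return seen

def reconcile(declared, observed):
    """Split observed devices into declared and unknown, and list declared
    devices that were not observed (removed, offline, or mis-recorded)."""
    unknown = {}
    for mac, ip in observed.items():
        if mac not in declared:
            unknown[mac] = (ip, OUI.get(mac[:8], "unknown vendor"))
    missing = [mac for mac in declared if mac not in observed]
    return {"unknown": unknown, "missing": missing,
            "declared_count": len(declared), "observed_count": len(observed)}

if __name__ == "__main__":
    r = reconcile(DECLARED, parse_arp(ARP_EXPORT))
    print(f"declared {r['declared_count']}, observed {r['observed_count']}")
    for mac, (ip, vendor) in r["unknown"].items():
        print(f"UNKNOWN {ip} {mac} ({vendor}) -> identify, then protect or remove")
```

Each unknown entry is a device to identify, assign an owner to, and either protect or remove, before any further hardening work can be meaningful.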

After you inventory your systems and devices, you need to know how they are managed and by whom. Most often, these systems are controlled by the servicing vendor through remote access. If left unmonitored and unprotected, this remote access is not just a convenient way for the servicing vendor to manage your systems—it’s also a gateway for threat actors to hack your building and cause real havoc and harm. For example, in 2021, a threat actor leveraged a vulnerability in the remote access software TeamViewer to hack into a Florida city’s water supply to poison tens of thousands of people. Fortunately, the water plant’s operator reversed the intruder’s actions before harm could be done. However, the entire attack could have been avoided if the system had been properly protected in the first place.

After taking inventory of your systems and service providers, you need to look at your service agreements, because less than 5% of OT system service agreements address even the most basic cybersecurity best practices. Start by mapping out who has access to your systems. You may be surprised by the number. For example, if you have 12 building systems, there are likely 12 service companies, each of which has multiple employees, possibly in the hundreds. A common cybersecurity misstep is having a single username and password for a system rather than unique usernames and passwords for each employee. Building owners typically have no insight into the service company’s employees, meaning that an unknown number of people are accessing your system through risky means at any given time—and that’s just one system out of 12! This is why you need to update your service agreements so that your providers are held accountable for managing cybersecurity risks.

Service agreements, at minimum, must include:

  • Security point of contact
  • Incident response roles and responsibilities
  • Vulnerability management with notification timeframe, patch testing, and implementation
  • Defined list of employees who may access the system
  • Notification when an employee no longer needs access
  • Separation agreement that defines what is required if the service provider is no longer providing services (e.g., programming, software tools, accounting of removal of credentials, etc.)
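An added example (not the article’s own code) of checking a system’s login log against the named-account list an agreement should define: it flags accounts that appear on no provider roster, and accounts whose successful logins come from several source addresses within a short window, the fingerprint of the shared vendor credential described above. The roster, the `ts user src result` log format and the addresses are constructed.

```python
# Audit a building system's login log against per-provider account rosters.
from collections import defaultdict
from datetime import datetime, timedelta

# Named accounts each service provider is allowed to use (from the agreement).
ROSTER = {
    "hvac_vendor": {"j.smith@hvacco.example", "a.lee@hvacco.example"},
    "lighting_vendor": {"m.chen@lightco.example"},
}

# Constructed audit log: timestamp, account, source address, result.
LOG = """\
2024-05-06T08:02:11 j.smith@hvacco.example 198.51.100.21 success
2024-05-06T08:05:40 hvacco_service 203.0.113.7 success
2024-05-06T08:06:02 hvacco_service 198.51.100.44 success
2024-05-06T08:09:15 hvacco_service 192.0.2.130 success
2024-05-06T09:30:00 m.chen@lightco.example 198.51.100.60 success
2024-05-06T10:12:45 t.brown@hvacco.example 198.51.100.21 success
"""

def parse_log(text):
    """Return a list of (datetime, user, src, result) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, src, result))
    return rows

def audit(rows, roster, window=timedelta(minutes=15), max_sources=1):
    """Return accounts outside every roster, and accounts that look shared:
    successful logins from more than max_sources distinct sources within window."""
    allowed = set().union(*roster.values())
    unlisted = sorted({u for _, u, _, r in rows if r == "success" and u not in allowed})
    by_user = defaultdict(list)
    for ts, user, src, result in rows:
        if result == "success":
            by_user[user].append((ts, src))
    shared = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - ts <= window}
            if len(srcs) > max_sources:
                shared[user] = sorted(srcs)
                break
    return {"unlisted": unlisted, "shared": shared}

if __name__ == "__main__":
    result = audit(parse_log(LOG), ROSTER)
    print("accounts on no provider roster:", result["unlisted"])
    for user, srcs in result["shared"].items():
        print(f"likely shared credential {user}: {len(srcs)} sources within 15 min {srcs}")
```

An account on no roster is a contract question for the provider; an account used from several sources at once is the shared login the agreement should have ruled out.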

You’re not alone if you haven’t considered any of this for your building. Now is the time to get ahead of the game (and ahead of threat actors) by starting your cybersecurity journey. New threats aimed specifically at building control systems are popping up every day. Take steps today to protect your building from being the next target.
