Protecting Buildings from Cyber Attacks – 6 Steps You Can Take Today

Protecting Smart Buildings from Cyber Attacks

Buildings with internet-connected OT (operational technology) devices and networks (BACnet) are susceptible to cyber attacks. This can lead to operational disruption or open a gateway to attack the IT network resulting in data theft or ransomware. This video highlights 6 things that building operators and systems integrators can do to improve cybersecurity for buildings. A key recommendation is for device-level security that utilizes a zero trust framework to authenticate device-to-device communication.

This webinar was presented at the former CABA Intelligent Building Council, now ASHB Smart Building Council,  meeting on Nov. 10, 2022. See the full webinar.

Webinar Summary

This webinar addresses the intersection of smart building cybersecurity and operational technology (OT), emphasizing the critical security challenges inherent in protecting buildings from various cyber threats. The goal is to equip facility managers and IT professionals with actionable strategies that can be implemented with minimal cost, particularly for those managing aging infrastructure. Cybersecurity is defined broadly as unauthorized access or control over systems, which can result in operational disruptions, data breaches, or data collection without consent. The talk highlights the differences in cybersecurity measures between IT and OT networks, emphasizing the unique vulnerabilities of operational technology, which often lacks the same level of attention and robust security controls as traditional IT systems. Key challenges discussed include legacy infrastructure, lack of device security at the physical edge, siloed management across departments, and the proliferation of proprietary protocols that complicate security efforts. Six impactful recommendations are presented for enhancing building cybersecurity without necessarily incurring significant expenses. These include creating a comprehensive building inventory, being proactive in monitoring advisories, conducting thorough risk assessments, securing building management systems (BMS), ensuring regular system backups, and employing device-level security measures such as zero trust protocols. The presentation concludes with a discussion about the potential return on investment from implementing these security measures, given the increasing importance of cybersecurity compliance in commercial real estate and potential impacts on insurance costs.

Highlights

  • Cybersecurity Defined: Unauthorized access and control over systems can severely disrupt operations, data integrity, and privacy.
  • Importance of OT Security: Operational technology networks are uniquely vulnerable and often lack robust security measures compared to traditional IT networks.
  • Legacy Infrastructure Issues: Many buildings operate with outdated systems that were not designed with modern cyber threats in mind.
  • Need for Building Inventory: Keeping an accurate inventory of systems, networks, and devices is essential for effective cybersecurity management.
  • Regular Risk Assessments: Conducting risk assessments tailored to the building’s specific operational risks enhances security planning.
  • Device-Level Security: Implementing zero trust protocols at the device level is crucial to safeguarding operational technology from breaches.
  • Certification and Standards: There is a growing need for standardized cybersecurity certifications to ensure that building systems are secure by design.

Key Insights

  • Understanding Cyber Threats: Cyber threats can manifest as unauthorized access leading to operational disruption, access to sensitive systems for data theft, or even systematic data collection without apparent operational impact. These threats stress the importance of a comprehensive security approach that addresses not just immediate operational concerns but also long-term implications for data privacy and security.
  • Complex Management Structures: One major hurdle in building cybersecurity is the lack of synergy between facilities management and IT departments. Each typically views their responsibilities through different lenses, with facilities focused on operational uptime and IT focused on data security. This disconnect can lead to vulnerabilities if both departments do not work collaboratively towards a common cyber defense strategy.
  • Evolving Nature of IT and OT Interconnectivity: The changing landscape where operational technologies are increasingly integrated with IT networks complicates the cybersecurity picture. The sophistication of attack surfaces increases as these formerly isolated systems become interlinked—thereby requiring comprehensive strategies that span both IT and OT environments.
  • Challenging Legacy Systems: Legacy infrastructure can often pose substantial risk, as many buildings employ outdated technology that lacks the capacity for modern security measures. These vulnerabilities should be addressed through detailed inventories and proactive updates, which can significantly lessen exposure to cyber threats.
  • The Importance of Proactive Monitoring: Keeping abreast of advisories from authoritative cyber agencies and manufacturers can prevent potential vulnerabilities from being exploited. This proactive approach helps facilities to defend against known threats before they impact operations or data integrity.
  • Assessment of Operational Risks: Conducting risk assessments tailored to each building’s individual context is emphasized as critical. The risks vary with the nature of what each facility manages (e.g., hospitals vs. warehouses) and should be assessed accordingly to determine the right defensive measures.
  • Path Toward Zero Trust Implementation: The presentation underscores the concept of zero trust in cybersecurity practices within OT environments. By verifying every device and connection within the network, facilities can create a robust security architecture that significantly mitigates unauthorized access risks.

Conclusion

The talk serves as a significant call-to-action for facilities managers and IT professionals alike, urging them to confront the increasingly complex landscape of cybersecurity with intelligence, cooperation, and a proactive strategy tailored to the unique challenges of operational technology. The investments in cybersecurity not only aim to enhance the safety of building operations but also promise potential financial benefits through insurance cost reductions and increased asset value.

 

See more videos from Veridify | Contact Us | Request a Demo

See the slides below to learn more about cybersecurity for building controls and smart buildings:


Keywords: Smart Building, Cyber Attack, Building Automation, Zero Trust, BACnet

Related posts:

Smart Buildings and Connected DevicesThe Importance of Protecting Smart Building Technology from Cyber Threats Webinar - Operational Technology (OT), Connected Buildings, Critical InfrastructureMitigating Cyber Risks in Operational Technology, Buildings, and Critical Infrastructure Scaling at the EdgeScaling at the Edge – Making Industrial IoT and Smart Buildings Cyber Safe