What Colonial Pipeline Means for Commercial Building Cybersecurity

Banks and hospitals may be common targets, but now commercial real estate must learn to protect itself against stealthy hackers.

Megan Samford, Vice President and Chief Product Security Officer for Energy Management at Schneider Electric

July 6, 2021

4 Min Read

Colonial Pipeline, the largest fuel pipeline in the US, recently paid ransomware hackers $4.4 million to regain control of its own pipeline, which has underscored the urgency of companies prioritizing how best to protect their assets. With the threat of cyberattacks looming large, more attention must be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operations technology (OT) systems saw a 74% jump, with the financial costs running into the hundreds of billions of dollars each year.

Technological advances in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must safeguard both access to the company's IT systems and their mission-critical infrastructure, such as power, HVAC, and smart building control systems.

Although it was eight years ago, it's easy to recall the infamous 2013 Target hack that came in through the HVAC system contractor and compromised 40 million financial accounts. The commercial building sector must learn to protect itself against these invisible hackers who patrol the Internet in search of soft targets.

BMS's Unique Ecosystem
Smart buildings are particularly vulnerable to cyberattacks as more Internet of Things devices are deployed and the use of remote management tools increases. While IT systems are typically focused on the core security triad of confidentiality, integrity, and availability of information, the BMS security triad is different. The BMS focus should be on the availability of operational assets, integrity/reliability of the operational process, and confidentiality of operational information. The deployment of a multidisciplinary defense approach across system levels requires a cost-benefit balanced focus on operations, people, and technology.

Managing cyber-risks starts with organizational governance and executive-level commitments. This can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and detection intrusion technologies are deployed.

Making BMS Networks More Threat Resistant
Having a multilayered defense system in place that identifies, manages, and reduces the risk of exploitable vulnerabilities at every stage of the life cycle is key. For example, using one vendor's antivirus software for email and a different vendor's software for servers can potentially cast a broader net of malware protection. Constructing a secure BMS defense architecture starts with a risk assessment and designing a cybersecurity specification for your system that includes considering measures such as establishing a firewall, IPS, NAC, permissions, antivirus, updates, user training, and backups.

While building cybersecurity should be tailored to fit the specific organization, several proven and robust cybersecurity frameworks and standards can act as guides. IEC 62443 is being adopted globally and offers a series of standards that are specifically oriented to digital control systems for buildings, giving IT and OT teams a common ground to work from. These standards outline a risk-based approach to developing secure embedded devices and software that are protected throughout the system life cycle, as well as the design and implementation of secure building control systems .

Protecting Against Social Engineering
The potential weakest links in any BMS are the people who administer and use the systems. Through unintentional actions, like forgetting to revoke ex-employee credentials, or intentional ones, such as leaking confidential information, employees can pose a security risk. Attacks can also come through social engineering tactics. The criminal's imagination is the only limit to social engineering, which makes it the easiest path to gain unauthorized access into a BMS.

Suppose cybercriminals leverage social engineering techniques to gain access to a digital access control system and physical access to otherwise protected areas. The building owner is suddenly at risk for hackers locking occupants in or out, controlling the elevators, forcing the power off, or taking control of other safety systems. Unauthorized network access could also be leveraged to extract operational or financial data.

To prevent this, not only should a control system network be properly segmented from the business operations network, but employees and contractors must be trained to resist such attacks. Awareness training should be reinforced annually, and companies can establish and communicate deterrents for noncompliance with cybersecurity policies. Threat modeling will also help to identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a security management system based on IEC 62443-2-1.

Increasingly sophisticated attacks mean constant vigilance and evolving defense strategies are crucial. Companies must have disciplined maintenance of their BMS systems and regularly train their employees to guard against social engineering malfeasance. These investments will benefit the organization long-term by reducing the number of cybersecurity incidents and, thus, preventing loss of revenue and safeguarding their business reputation.

About the Author(s)

Megan Samford

Vice President and Chief Product Security Officer for Energy Management at Schneider Electric

Megan Samford, VP, chief product security officer for energy management at Schneider Electric, is a security executive with focus on industrial control systems security, critical infrastructure protection, and risk analysis. In taking her role at Schneider Electric, Samford became the first female CPSO for a major industry without first being a CISO, a significant milestone for women in industrial control systems security. She is currently the ISA Global Cybersecurity Alliance (ISAGCA) Chairperson. To learn more about how to incorporate ISA/IEC 62443 into your OT cyber strategy, click here.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights