Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //
10:00 AM
Megan Samford
Megan Samford
Connect Directly
E-Mail vvv

What Colonial Pipeline Means for Commercial Building Cybersecurity

Banks and hospitals may be common targets, but now commercial real estate must learn to protect itself against stealthy hackers.

Colonial Pipeline, the largest fuel pipeline in the US, recently paid ransomware hackers $4.4 million to regain control of its own pipeline, which has underscored the urgency of companies prioritizing how best to protect their assets. With the threat of cyberattacks looming large, more attention must be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operations technology (OT) systems saw a 74% jump, with the financial costs running into the hundreds of billions of dollars each year.

Related Content:

Physical Security Has a Lot of Catching Up to Do

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Technological advances in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must safeguard both access to the company's IT systems and their mission-critical infrastructure, such as power, HVAC, and smart building control systems.

Although it was eight years ago, it's easy to recall the infamous 2013 Target hack that came in through the HVAC system contractor and compromised 40 million financial accounts. The commercial building sector must learn to protect itself against these invisible hackers who patrol the Internet in search of soft targets.

BMS's Unique Ecosystem
Smart buildings are particularly vulnerable to cyberattacks as more Internet of Things devices are deployed and the use of remote management tools increases. While IT systems are typically focused on the core security triad of confidentiality, integrity, and availability of information, the BMS security triad is different. The BMS focus should be on the availability of operational assets, integrity/reliability of the operational process, and confidentiality of operational information. The deployment of a multidisciplinary defense approach across system levels requires a cost-benefit balanced focus on operations, people, and technology.

Managing cyber-risks starts with organizational governance and executive-level commitments. This can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and detection intrusion technologies are deployed.

Making BMS Networks More Threat Resistant
Having a multilayered defense system in place that identifies, manages, and reduces the risk of exploitable vulnerabilities at every stage of the life cycle is key. For example, using one vendor's antivirus software for email and a different vendor's software for servers can potentially cast a broader net of malware protection. Constructing a secure BMS defense architecture starts with a risk assessment and designing a cybersecurity specification for your system that includes considering measures such as establishing a firewall, IPS, NAC, permissions, antivirus, updates, user training, and backups.

While building cybersecurity should be tailored to fit the specific organization, several proven and robust cybersecurity frameworks and standards can act as guides. IEC 62443 is being adopted globally and offers a series of standards that are specifically oriented to digital control systems for buildings, giving IT and OT teams a common ground to work from. These standards outline a risk-based approach to developing secure embedded devices and software that are protected throughout the system life cycle, as well as the design and implementation of secure building control systems     .

Protecting Against Social Engineering
The potential weakest links in any BMS are the people who administer and use the systems. Through unintentional actions, like forgetting to revoke ex-employee credentials, or intentional ones, such as leaking confidential information, employees can pose a security risk. Attacks can also come through social engineering tactics. The criminal's imagination is the only limit to social engineering, which makes it the easiest path to gain unauthorized access into a BMS.

Suppose cybercriminals leverage social engineering techniques to gain access to a digital access control system and physical access to otherwise protected areas. The building owner is suddenly at risk for hackers locking occupants in or out, controlling the elevators, forcing the power off, or taking control of other safety systems. Unauthorized network access could also be leveraged to extract operational or financial data.

To prevent this, not only should a control system network be properly segmented from the business operations network, but employees and contractors must be trained to resist such attacks. Awareness training should be reinforced annually, and companies can establish and communicate deterrents for noncompliance with cybersecurity policies. Threat modeling will also help to identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a security management system based on IEC 62443-2-1.

Increasingly sophisticated attacks mean constant vigilance and evolving defense strategies are crucial. Companies must have disciplined maintenance of their BMS systems and regularly train their employees to guard against social engineering malfeasance. These investments will benefit the organization long-term by reducing the number of cybersecurity incidents and, thus, preventing loss of revenue and safeguarding their business reputation.

Megan is the vice president and chief product security officer for energy management at Schneider Electric. She is responsible for driving the product security strategy and programs for Schneider Electric's Energy Management business with a focus on industrial control systems ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-27
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption ...
PUBLISHED: 2022-05-27
The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.
PUBLISHED: 2022-05-27
The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.
PUBLISHED: 2022-05-27
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
PUBLISHED: 2022-05-27
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient va...