Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //
10:00 AM
Megan Samford
Megan Samford
Connect Directly
E-Mail vvv

What Colonial Pipeline Means for Commercial Building Cybersecurity

Banks and hospitals may be common targets, but now commercial real estate must learn to protect itself against stealthy hackers.

Colonial Pipeline, the largest fuel pipeline in the US, recently paid ransomware hackers $4.4 million to regain control of its own pipeline, which has underscored the urgency of companies prioritizing how best to protect their assets. With the threat of cyberattacks looming large, more attention must be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operations technology (OT) systems saw a 74% jump, with the financial costs running into the hundreds of billions of dollars each year.

Related Content:

Physical Security Has a Lot of Catching Up to Do

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Technological advances in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must safeguard both access to the company's IT systems and their mission-critical infrastructure, such as power, HVAC, and smart building control systems.

Although it was eight years ago, it's easy to recall the infamous 2013 Target hack that came in through the HVAC system contractor and compromised 40 million financial accounts. The commercial building sector must learn to protect itself against these invisible hackers who patrol the Internet in search of soft targets.

BMS's Unique Ecosystem
Smart buildings are particularly vulnerable to cyberattacks as more Internet of Things devices are deployed and the use of remote management tools increases. While IT systems are typically focused on the core security triad of confidentiality, integrity, and availability of information, the BMS security triad is different. The BMS focus should be on the availability of operational assets, integrity/reliability of the operational process, and confidentiality of operational information. The deployment of a multidisciplinary defense approach across system levels requires a cost-benefit balanced focus on operations, people, and technology.

Managing cyber-risks starts with organizational governance and executive-level commitments. This can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and detection intrusion technologies are deployed.

Making BMS Networks More Threat Resistant
Having a multilayered defense system in place that identifies, manages, and reduces the risk of exploitable vulnerabilities at every stage of the life cycle is key. For example, using one vendor's antivirus software for email and a different vendor's software for servers can potentially cast a broader net of malware protection. Constructing a secure BMS defense architecture starts with a risk assessment and designing a cybersecurity specification for your system that includes considering measures such as establishing a firewall, IPS, NAC, permissions, antivirus, updates, user training, and backups.

While building cybersecurity should be tailored to fit the specific organization, several proven and robust cybersecurity frameworks and standards can act as guides. IEC 62443 is being adopted globally and offers a series of standards that are specifically oriented to digital control systems for buildings, giving IT and OT teams a common ground to work from. These standards outline a risk-based approach to developing secure embedded devices and software that are protected throughout the system life cycle, as well as the design and implementation of secure building control systems     .

Protecting Against Social Engineering
The potential weakest links in any BMS are the people who administer and use the systems. Through unintentional actions, like forgetting to revoke ex-employee credentials, or intentional ones, such as leaking confidential information, employees can pose a security risk. Attacks can also come through social engineering tactics. The criminal's imagination is the only limit to social engineering, which makes it the easiest path to gain unauthorized access into a BMS.

Suppose cybercriminals leverage social engineering techniques to gain access to a digital access control system and physical access to otherwise protected areas. The building owner is suddenly at risk for hackers locking occupants in or out, controlling the elevators, forcing the power off, or taking control of other safety systems. Unauthorized network access could also be leveraged to extract operational or financial data.

To prevent this, not only should a control system network be properly segmented from the business operations network, but employees and contractors must be trained to resist such attacks. Awareness training should be reinforced annually, and companies can establish and communicate deterrents for noncompliance with cybersecurity policies. Threat modeling will also help to identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a security management system based on IEC 62443-2-1.

Increasingly sophisticated attacks mean constant vigilance and evolving defense strategies are crucial. Companies must have disciplined maintenance of their BMS systems and regularly train their employees to guard against social engineering malfeasance. These investments will benefit the organization long-term by reducing the number of cybersecurity incidents and, thus, preventing loss of revenue and safeguarding their business reputation.

Megan is the vice president and chief product security officer for energy management at Schneider Electric. She is responsible for driving the product security strategy and programs for Schneider Electric's Energy Management business with a focus on industrial control systems ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.