“Let’s just say your organization supports a government bill or a political position or something else that is contrary to [a hacker’s] view of the universe,” Tyson explains. “They might deface your website. They might lock it up with some ransomware to cost you money, or they may just make it so that you can’t use it with a denial of service attack. We see all of these.”
Unfortunately, Surfaro says these types of organized exploits for political or social purposes—also known as “hacktivism”—are rising exponentially. “It’s well-measured in exponents, increasing to the point where many of my associates that are in the ASIS Applied Sciences Council who are cyber architects believe that major exploits will get to the point where they will be every week, whereas we’re seeing it every month now.”
Among the reasons Kelton believes the frequency of such invasions is increasing is the lack of cybersecurity professionals to fill open positions. “With a 0 percent unemployment rate, it’s compounding the risks that everyone faces across the board,” he says.
Areas of Vulnerability
In terms of identifying weaknesses in the commercial building sector, the bad news is almost any form of connected device can be hijacked and misused by hackers. “When you look at the buildings themselves, they are automating a lot of different areas: the HVAC, the lighting, communication systems, parking, energy management, water management, landscaping,” Kelton observes. “The more you automate, obviously, you’re going to face risks in that certain area, in this case cybersecurity risks.”
For example, Tyson points to last year’s Mirai botnet—a piece of malware that turns networked devices running Linux into remotely controlled “bots” to launch large-scale network attacks—which infected millions of IoT-connected CCTV cameras, DVRs and routers worldwide and was used to shut down much of the internet on the East Coast of the U.S. and portions of Europe.
According to Surfaro, HVAC, power and lighting systems are the most desirable targets, but the most common point of entry is internet connectivity. He says hackers use connected devices, such as surveillance cameras and network video recorders, that are often installed and operated with default passwords and no protection—an oversight that essentially turns them into distributed denial of service (DDoS) attack servers, which flood an organization’s network with hundreds of HTTP requests per second, rendering it useless. Once hackers control part of the network, Surfaro says they can seek out vulnerabilities in the lighting or HVAC systems to gain control of the building’s electromechanical equipment.
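To make the flood rate Surfaro describes concrete from the defender's side, here is an added example (not from the article or any vendor product) that counts requests per second per source in constructed web-server access log lines and flags sources that reach a threshold; the log layout, the addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Combined-log-style access line (assumed layout): client, timestamp, request, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def _entry(ip, second, path="/"):
    # Helper that builds one constructed log line for the sample below.
    return f'{ip} - - [10/Oct/2017:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 612'

# Constructed sample: one normal browser session plus a single source that fires
# 300 requests inside one second, the behaviour the article attributes to hijacked
# cameras and NVRs. Addresses are RFC 5737 documentation ranges, not real devices.
SAMPLE_LINES = (
    [_entry("198.51.100.7", 36), _entry("198.51.100.7", 36, "/style.css"),
     _entry("198.51.100.7", 37, "/logo.png")]
    + [_entry("203.0.113.10", 40) for _ in range(300)]
    + [_entry("203.0.113.10", 41) for _ in range(5)]
)

def peak_rates(lines):
    """Return {client_ip: highest number of requests seen in any single second}."""
    per_second = defaultdict(int)          # (ip, timestamp to the second) -> count
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                          # skip unparseable lines instead of crashing
            continue
        ip, stamp = m.groups()
        per_second[(ip, stamp)] += 1
    peaks = defaultdict(int)
    for (ip, _stamp), count in per_second.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)

def flag_flood_sources(lines, threshold=100):
    """Sources whose peak per-second rate reaches the threshold, highest first.
    The threshold is an assumption to tune per site, not a figure from the article."""
    hits = [(ip, peak) for ip, peak in peak_rates(lines).items() if peak >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for ip, peak in flag_flood_sources(SAMPLE_LINES):
        print(f"{ip}: {peak} requests/second")
```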
While mobile devices have made life easier for facility managers in terms of providing remote access to their BAS, they also leave the door wide open for hackers if not protected properly.
“So many facility managers love their mobile devices, but what happens is the vulnerability to their HVAC system or their power system may be through a mobile device, and they haven’t taken care to establish multifactor authentication, which now you’re seeing even at the lowest level, even with social media,” Surfaro points out. “Incredibly, these building automation systems are lagging behind what is a norm for our financial systems and our current social media systems.”
Common Pitfalls
“In general terms, I think people don’t take it seriously enough,” Tyson says. As noted earlier, overconfidence is putting organizations at greater risk for cyberattacks and, according to Tyson, 98 to 99 percent of all breaches are preventable because solutions are available. However, in spite of the risks and available protections on the market, the building industry is slow to upgrade systems and establish proper security protocols.
According to Tyson, some physical access control systems sold new on the market today are still running on databases designed in the 1990s. “I’ve seen access control systems in commercial buildings that literally were 25- and 30-year-old designs that are still being used. They have almost no security on them whatsoever,” he says, adding that in other cases, facility professionals simply fail to properly maintain existing systems that are in place, making them susceptible to attacks.
Echoing Tyson’s observations, Kelton agrees that obsolescence is a huge problem in the commercial buildings market because people don’t consider the risk serious enough to invest in security.
“Many buildings just aren’t allocating sufficient funding because they don’t see it as a risk,” he says. “It’s not a television set that you put up and you don’t ever have to worry about; it’s more like a computer system that needs to be constantly and professionally managed.”
Another common mistake building owners and facility executives tend to make with cybersecurity is neglecting to establish separate networks for building controls and end-users. “There has to be some segmentation so people can’t just get wherever they want,” Tyson urges. “If you do get breached, there’s got to be a moat in front of the castle so [hackers] don’t just come marching right in once the drawbridge comes down.”