Building control systems with embedded communications technology—as well as those enabled via an Internet Protocol (IP) address—provide critical services that allow a building to meet the functional and operational needs of its occupants. Unfortunately, they also can be easy targets for hackers and people with malicious intent. Attackers can exploit these systems to gain unauthorized access to facilities, use them as an entry point to traditional information technology (IT) systems and data, cause physical destruction of building equipment, and expose an organization to significant financial obligations to contain and eradicate malware or recover from a cyber-event. Cyber attacks, such as the Target and Home Depot data breaches, have drawn increased attention to the network connectivity among facility/building operations and maintenance vendors, an organization’s business IT systems and facility/building control systems.
Facility/building control systems, such as building automation systems, energy-management systems, physical security access control systems and fire alarm systems, now are considered potential hacking points into an organization. Such control systems often are referred to as operational technologies (OT) and use a combination of traditional IT transport protocols (transmission control protocol or user datagram protocol) and control-system-specific protocols (such as Modbus, BACnet, LonTalk and DNP3) to communicate with sensors, devices and actuators.
IT is about data; OT is about controlling machines (see “Explanation of IT and OT”, below, for more detail). OT is increasingly IP-based. The Internet of Everything, smart grids, smart cities, smart buildings and smart cars are redefining the boundary between IT and OT. As IT and OT systems converge, so do their risks and vulnerabilities, and OT systems become a point of entry. Once a hacker is inside one system, it’s just a matter of pivoting across the network and taking control of other system assets.
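The convergence described above has a practical defensive consequence: traffic using the control protocols named in this article (Modbus, BACnet, DNP3, LonTalk) should normally stay inside the OT zone, and OT assets should not be initiating connections to the outside world. The following script is an added example, not code from the article or from any vendor it mentions. It applies those two zone-boundary rules to a batch of flow records (source, destination, transport protocol, destination port). The subnets, the approved-host allowlist and the flow records are constructed for illustration; the port-to-protocol table uses the protocols’ default registered ports, which a real site may have changed.

```python
"""Flag control-system protocol traffic that crosses the IT/OT boundary."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Default transport ports of the control protocols named in the article.
# Assumed defaults; a site may run these protocols on other ports.
CONTROL_PROTOCOLS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 20000): "DNP3",
    ("udp", 20000): "DNP3",
    ("udp", 1628): "LonTalk (LON/IP)",
    ("udp", 1629): "LonTalk (LON/IP)",
}

# Constructed zone layout for a hypothetical site: IT and OT are separate /16s.
IT_ZONE = ip_network("10.1.0.0/16")
OT_ZONE = ip_network("10.20.0.0/16")
# IT-side hosts permitted to speak control protocols into the OT zone,
# e.g. an approved engineering jump host. Constructed example value.
APPROVED_IT_SOURCES = {ip_address("10.1.50.2")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Alert:
    rule: str
    flow: Flow
    detail: str


def control_protocol(flow: Flow) -> Optional[str]:
    """Return the control-protocol name for a flow, or None if it is not one."""
    return CONTROL_PROTOCOLS.get((flow.proto.lower(), flow.dport))


def find_alerts(flows: Iterable[Flow]) -> List[Alert]:
    """Apply two zone-boundary rules to a batch of flow records."""
    alerts: List[Alert] = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        proto = control_protocol(f)
        # Rule 1: a control protocol spoken from the IT zone into the OT zone
        # by a host that is not an approved engineering source is the pivot
        # pattern the article warns about.
        if proto and src in IT_ZONE and dst in OT_ZONE and src not in APPROVED_IT_SOURCES:
            alerts.append(Alert("it-to-ot-control-protocol", f,
                                f"{proto} from unapproved IT host"))
        # Rule 2: an OT asset initiating a connection to an address outside
        # both zones is unexpected for a controller or sensor and matches the
        # command-and-control / exfiltration channel described in the article.
        if src in OT_ZONE and dst not in OT_ZONE and dst not in IT_ZONE:
            alerts.append(Alert("ot-outbound-external", f,
                                "OT asset connecting outside the IT/OT zones"))
    return alerts


# Constructed sample flow records (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "10.20.7.21", "tcp", 502),    # BMS server polling a PLC: normal
    Flow("10.1.44.17", "10.20.7.21", "tcp", 502),    # IT workstation -> PLC over Modbus
    Flow("10.1.44.17", "10.1.2.5", "tcp", 443),      # ordinary IT traffic
    Flow("10.1.9.3", "10.20.7.30", "udp", 47808),    # IT host -> controller over BACnet
    Flow("10.1.50.2", "10.20.7.40", "tcp", 20000),   # approved jump host -> DNP3 outstation
    Flow("10.20.7.21", "203.0.113.9", "tcp", 443),   # PLC calling out to the internet
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_FLOWS):
        print(f"[{a.rule}] {a.flow.src} -> {a.flow.dst} "
              f"{a.flow.proto}/{a.flow.dport}: {a.detail}")
```

Run against the sample records, the script raises three alerts: the two unapproved IT hosts speaking Modbus and BACnet into the OT zone, and the PLC reaching an external address. The approved jump host and the OT-internal polling pass silently. In practice the flow records would come from a firewall, NetFlow collector or span-port sensor at the IT/OT boundary, and the allowlist would be the documented set of engineering workstations, which is exactly the kind of inventory a system security plan should contain.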
Special Publications (SPs) from the Gaithersburg, Md.-based National Institute of Standards and Technology (NIST) are a primary source of IT cyber standards and guides. For a number of years, government and industry have used NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” and NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” as well as the SANS Institute’s top 20 critical security controls and standards from the Geneva-based International Organization for Standardization, as IT best practices.
Control System Cyber Exploits Increasing in Number and Complexity
On the OT side, the Research Triangle Park, N.C.-based International Society of Automation’s ISA 99 and NIST SP 800-82, Revision 2, “Industrial Control Systems Security Guide,” provide the standards and guides for industrial control systems (ICS). (The NIST definition of ICS includes a wide range of control systems; an emerging term for these converged systems is cyber-physical systems.) Traditionally, neither ICS nor OT received the same level of cyber scrutiny as IT systems. However, malware such as Stuxnet, Duqu and Flame is now specifically designed to infect OT components and devices at the firmware or project-file level. Such malware injects false commands to spoof an operator’s human machine interface (HMI) console, establishes a command-and-control channel to exfiltrate data (technical specifications, floor plans, drawings, etc.), creates botnets, or physically destroys the equipment and other IT systems.
Earlier this year, Cylance, an Irvine, Calif.-based cyber-threat-detection and -security company, released the Operation Cleaver report, which details the work of a group of international hackers, primarily from Iran, who are attacking multiple companies from diverse industries in 16 different countries. The tactics, techniques and procedures they are using in what is considered to be an ongoing campaign include:
- Targeting and compromising transportation networks and systems.
- Fully compromising active directory domains, along with entire switches, routers and internal networking infrastructure.
- Fully compromising virtual private network (VPN) credentials, meaning an entire remote-access infrastructure and supply chain are controlled through permanently compromised credentials.
- Achieving complete access to airport gates and their security control systems.
- Gaining access to PayPal and Go Daddy credentials to make fraudulent purchases and allow unfettered access to a victim’s domains.
Defending Building Control Systems
Within the Washington, D.C.-based U.S. Department of Homeland Security, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) maintains a list of vulnerabilities and alerts for control systems and publishes the Cyber Security Evaluation Tool (CSET), which is free of charge to any organization. CSET contains standards, guides, references, networking diagram tools and compliance evaluations, and can generate system security plans and other key documents.
In addition, the Washington-based National Institute of Building Sciences’ Whole Building Design Guide now hosts a new Cybersecurity Resource Page. This resource, primarily for use by the buildings community, includes cybersecurity information as well as links to other control-system resources, workshops and training. All facility/building owners, property managers and engineering and security staff are highly encouraged to understand the basic principles of NIST SP 800-82 R2, know how to use the DHS CSET tool, understand how penetration-testing tools (such as Shodan, Kali Linux and SamuraiSTFU) work, and prepare to adopt new acquisition and procurement processes in their organizations. Whereas the IT community has had almost two decades to learn and implement cybersecurity, the OT community will require an accelerated learning curve and will need to work closely with senior management, IT and other stakeholders to properly secure their assets.
Every building owner should have a building cybersecurity strategy with the following key documents to cover IT and OT assets:
- System security plan (SSP)
- Plan of action and milestones (POAM)
- Information technology and concept of operations plan (ITCP)
- Incident communications procedures (ICP)
- Security auditing plan (SAP)