Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //
10:00 AM
Megan Samford
Megan Samford
Connect Directly
E-Mail vvv

What Colonial Pipeline Means for Commercial Building Cybersecurity

Banks and hospitals may be common targets, but now commercial real estate must learn to protect itself against stealthy hackers.

Colonial Pipeline, the largest fuel pipeline in the US, recently paid ransomware hackers $4.4 million to regain control of its own pipeline, which has underscored the urgency of companies prioritizing how best to protect their assets. With the threat of cyberattacks looming large, more attention must be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operations technology (OT) systems saw a 74% jump, with the financial costs running into the hundreds of billions of dollars each year.

Related Content:

Physical Security Has a Lot of Catching Up to Do

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Technological advances in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must safeguard both access to the company's IT systems and their mission-critical infrastructure, such as power, HVAC, and smart building control systems.

Although it was eight years ago, it's easy to recall the infamous 2013 Target hack that came in through the HVAC system contractor and compromised 40 million financial accounts. The commercial building sector must learn to protect itself against these invisible hackers who patrol the Internet in search of soft targets.

BMS's Unique Ecosystem
Smart buildings are particularly vulnerable to cyberattacks as more Internet of Things devices are deployed and the use of remote management tools increases. While IT systems are typically focused on the core security triad of confidentiality, integrity, and availability of information, the BMS security triad is different. The BMS focus should be on the availability of operational assets, integrity/reliability of the operational process, and confidentiality of operational information. The deployment of a multidisciplinary defense approach across system levels requires a cost-benefit balanced focus on operations, people, and technology.

Managing cyber-risks starts with organizational governance and executive-level commitments. This can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and detection intrusion technologies are deployed.

Making BMS Networks More Threat Resistant
Having a multilayered defense system in place that identifies, manages, and reduces the risk of exploitable vulnerabilities at every stage of the life cycle is key. For example, using one vendor's antivirus software for email and a different vendor's software for servers can potentially cast a broader net of malware protection. Constructing a secure BMS defense architecture starts with a risk assessment and designing a cybersecurity specification for your system that includes considering measures such as establishing a firewall, IPS, NAC, permissions, antivirus, updates, user training, and backups.

While building cybersecurity should be tailored to fit the specific organization, several proven and robust cybersecurity frameworks and standards can act as guides. IEC 62443 is being adopted globally and offers a series of standards that are specifically oriented to digital control systems for buildings, giving IT and OT teams a common ground to work from. These standards outline a risk-based approach to developing secure embedded devices and software that are protected throughout the system life cycle, as well as the design and implementation of secure building control systems     .

Protecting Against Social Engineering
The potential weakest links in any BMS are the people who administer and use the systems. Through unintentional actions, like forgetting to revoke ex-employee credentials, or intentional ones, such as leaking confidential information, employees can pose a security risk. Attacks can also come through social engineering tactics. The criminal's imagination is the only limit to social engineering, which makes it the easiest path to gain unauthorized access into a BMS.

Suppose cybercriminals leverage social engineering techniques to gain access to a digital access control system and physical access to otherwise protected areas. The building owner is suddenly at risk for hackers locking occupants in or out, controlling the elevators, forcing the power off, or taking control of other safety systems. Unauthorized network access could also be leveraged to extract operational or financial data.

To prevent this, not only should a control system network be properly segmented from the business operations network, but employees and contractors must be trained to resist such attacks. Awareness training should be reinforced annually, and companies can establish and communicate deterrents for noncompliance with cybersecurity policies. Threat modeling will also help to identify accessible entry points and limit user access rights accordingly through the principle of least privilege. This can be accomplished by establishing a security management system based on IEC 62443-2-1.

Increasingly sophisticated attacks mean constant vigilance and evolving defense strategies are crucial. Companies must have disciplined maintenance of their BMS systems and regularly train their employees to guard against social engineering malfeasance. These investments will benefit the organization long-term by reducing the number of cybersecurity incidents and, thus, preventing loss of revenue and safeguarding their business reputation.

Megan is the vice president and chief product security officer for energy management at Schneider Electric. She is responsible for driving the product security strategy and programs for Schneider Electric's Energy Management business with a focus on industrial control systems ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file