Page 34 - RC21 EDGE Summer Issue

 SPOTLIGHT: Cybersecurity
 OT CYBERSECURITY IN 2021: PAST AND PRESENT ISSUES PLAGUE THE CRE INDUSTRY
STEVE FEY
CEO
Totem Buildings
How is the OT (operational technology) industry in 2021 coping with the risks posed by cyber criminals and the many forms of malware that negatively impact the control systems we depend on to run our buildings? This article looks at the industry’s response to this challenge.
How real is the problem?
We first need to acknowledge that today’s generation of control systems is subject to the same threats as the IT systems we use to run our businesses. A typical building automation system operates over wired or wireless Ethernet networks, is accessible over the Internet, uses general-purpose servers to run the application, is viewed through your browser and is integrated into cloud-based services. If this sounds like your IT environment, it should!
How widespread is the threat? What is the impact? In answering the first question, we need to recognize that there is no government regulation requiring building owners to disclose a breach. Building control systems rarely include personal information. As a result, there is significant ignorance of the extent and magnitude of the problem unless you have been directly affected.
The objective of an IT breach is to steal data. OT systems are connected to mechanical and electrical systems, so a breach there has real-world consequences, including equipment damage, lost productivity and risks to life and safety. While we must defend against direct hacking, the most prevalent problem is ransomware. Ransomware comes in through phishing emails or poorly protected laptops, workstations and servers. When ransomware infects an OT server, the server is no longer functional, and if the only backup for the system resides on the affected server, you are starting over. Your choice is to pay the ransom or rebuild the system. The latter requires days or even weeks to recover, with costs ranging from $10K to over $100K per incident. The second most common occurrence is poor system configuration caused by a lack of security policies and their enforcement. We know of multiple large organizations who have gone completely down from this “internal” problem as opposed to external threats.
What is required to minimize these risks?
There are five areas that every system must manage:
1) OT Network (both local and remote)
2) OT Server