OT Cybersecurity in 2021: Past and Present Issues Plague the CRE Industry


How is the OT (Operational Technology) industry in 2021 coping with the risks posed by cyber criminals and the many forms of malware that negatively impact the control systems we depend on to run our buildings? This article looks at the industry’s response to this challenge.

How real is the problem?

We first need to acknowledge that today’s generation of control systems is subject to the same threats as the IT systems we use to run our businesses. A typical building automation system operates over wired or wireless Ethernet networks, is accessible over the Internet, uses general purpose servers to run the application, is viewed through your browser and is integrated into cloud-based services. If this sounds like your IT environment, it should!

How widespread is the threat? What is the impact? In answering the first question, we need to recognize that there is no government regulation requiring building owners to disclose a breach. Building control systems rarely include personal information. As a result, there is significant ignorance of the extent and magnitude of the problem unless you have been directly affected.

The objective of an IT breach is to steal data. OT systems are connected to mechanical and electrical systems, so a breach has real-world consequences, including equipment damage, lost productivity and risks to life and safety. While we must defend against direct hacking, the most prevalent problem is ransomware. Ransomware comes in through phishing emails or poorly protected laptops, workstations and servers. When ransomware infects an OT server, the server is no longer functional, and if the only backup for the system resides on the affected server, you are starting over. Your choice is to pay the ransom or rebuild the system. The latter requires days or even weeks to recover, with costs ranging from $10K to over $100K per incident. The second most common occurrence is poor system configuration caused by a lack of security policies and their enforcement. We know of multiple large organizations that have gone completely down from this “internal” problem as opposed to external threats.

What is required to minimize these risks?

There are five areas that every system must manage:

  1. OT Network (both local and remote)
  2. OT Server
  3. Configuration of the application
  4. User administration
  5. Security policies and procedures

At a minimum, network access must be restricted to authorized users, all communications should be encrypted and systems should never be discoverable over the Internet. You depend on the OT server to operate the system. It doesn’t belong under a desk. It should be treated like any IT server with restricted access and environmentally protected. Only the application should be running to minimize malware infection from visiting web sites, emails or running other types of software. And most importantly, the server should be backed up regularly to a separate and secure location.

All system manufacturers have recommended guidelines for setting configuration parameters such as password strength, default accounts, and auto-logoff. These best practices should always be followed. It is also critical to run supported software with all security patches installed.

In the fragmented world of OT, each system type often involves a different manufacturer and a different local service provider, making user administration the single biggest challenge. Unlike IT departments that administer users through Active Directory, this is not an option in most OT systems. Therefore, it becomes largely a manual task and one that starts with granting network access and then separately assigning access to each OT system.

Finally, there is the issue of cybersecurity policies and procedures. There is much work to be done here across all stakeholders. In addition to policy management and continuous training, it is becoming increasingly practical to run phishing campaigns to test user cybersecurity awareness.

The chain is only as strong as its weakest link, so spend considerable time researching and dissecting the problem and then design a risk management platform to address all five of these areas.

How are suppliers addressing the challenge?

Many suppliers are now including security dashboards with their management consoles. This is helpful but also challenges building owners because they always have multiple system types and often different OEMs for each one. The BAS industry’s most familiar open protocol standard, BACnet, has released a much more secure version called BACnet/SC to address the significant security vulnerabilities in the current version. Although a major step forward, BACnet is only one of many protocols in use across the industry.

What about engineering firms?

The MEP consulting firms that specify the majority of OT systems in new projects have also been slow to incorporate cybersecurity protections and policies into their specifications. There are a handful of specialized consulting and services firms that address this, but the vast majority of new projects do not incorporate cybersecurity practices into the requirements.

Who is liable in the event of a breach?

This is a sensitive topic, particularly among service providers, engineering firms and insurance companies. Irrespective of the money that is spent on technology and services, it is impossible to guarantee (or warrant) that all breaches can be prevented. The best defense is a good offense. Investments in each of the five risk areas are required. Ultimately the responsibility falls upon building owners to determine what risks they are willing to accept and therefore what preventive measures will require ongoing mitigation. Building owners should carry cybersecurity policies to cover the costs of forensics, restoration of functionality and business interruption. Our research shows us the insurance industry is ill-equipped to provide such coverage in all cases unless specifically related to third party loss.

IT and OT working together

In 2019, the IT industry spent $124 billion on cybersecurity products and services. There is no corresponding estimate for the OT industry, but we are confident it is insignificant in relation to the need. Where money is being spent, it is allocated from IT budgets since facility budgets rarely treat this as an ongoing expense.

IT, on the other hand, is unfamiliar with OT systems and the many differences that exist in the technology and the supplier environment. What the IT industry brings is a head start in managing cybersecurity risk. Major organizations such as NIST and ISO have well-recognized cybersecurity standards for the IT industry. While these standards represent a good starting point, they are often mismatched and insufficient. The Gartner Group pointed this out in 2019: “... porting IT security technology and practices to address OT security will not result in a more secure OT environment.” Why is this the case?

  1. Different Worlds: Despite the fact that OT systems today leverage the same underlying technologies found in the IT industry, the actual implementation is typically done in ways that are incompatible with the tools and devices used to secure IT environments. There are many examples of well-intentioned IT staff shutting down OT systems in their effort to identify vulnerabilities.
  2. Different Priorities: OT systems operate mechanical and electrical equipment and physically secure buildings on a 24/7 basis. Facility engineers and contractors understand this environment, which is foreign to many IT engineers.
  3. Complex Solutions to Remote Access: IT departments traditionally limit access with complex and costly remote access solutions. This is seen as too difficult for the fragmented and turnover-laden OT environment. There is a new breed of secure remote access that is much more “plug and play” friendly for OT contractors and staff. It will take time for this to become the norm.
  4. Cultural Unfamiliarity: OT personnel, whether in-house or throughout the supply chain, are uncomfortable having cybersecurity discussions. They have neither the background nor the experience. It starts with training, but requires a cultural shift, whereby cybersecurity safeguards and risk management become a natural part of how the work gets performed.

Where should we go from here?

  1. The entire industry from building owners through suppliers must recognize the seriousness of the risks.
  2. Risk management resources must become a standard component of the OT operating budget.
  3. The existing inventory of systems needs to be assessed, remediated and placed under risk management programs that include networks, systems and people.
  4. IT and OT staffs must work together and learn from each other. OT staffs including service providers need maximum flexibility to deliver on operational objectives but must adhere to the same cybersecurity principles as IT departments.
  5. New building specifications must include cybersecurity performance standards for networking, system configuration, user administration and ongoing risk management and be commissioned as such.

Steve Fey, CEO, Totem Buildings
Steve Fey is CEO of Totem Buildings. Fey is an industry expert in operational technology with over 35 years in building automation, physical security, and industrial automation. Previously, he was CEO of Tridium from 2006 to 2012 and more recently served as president of Proxios, a mid-Atlantic, “IT as a Service” firm.
