Cyber security: time to close the back door

Cyber security threats are not a new phenomenon. For as long as we have had information technology (IT) systems, we have had to protect them from unauthorised access. However, today we face a new era in cyber-attacks that has emerged as a direct result of the increased use of the Internet of things (IoT) in our buildings. The COVID 19 challenges we are currently confronting have further compounded this problem.

Cyber security is an ever-evolving challenge, changing year by year to keep pace with the sophisticated advances in hacking technology. Cyber-attacks themselves are typically motivated by one of three aims: to access, change or destroy sensitive information; to extort money from the victim; or to interrupt normal business processes. The perpetrators of these breaches might be an individual, activists, criminal elements, terrorist organisations, or state-sponsored entities, but they all share the same three goals.

Until recently, hackers have generally targeted networks, programs, the cloud and end-point devices, such as computers, routers, servers and smart devices. It is the proliferation of smart devices—especially those outside the normal IT umbrella—that is causing the latest cyber security dangers. Needless to say the current environment due to COVID 19 is making these types of attacks even more prolific as evidenced by the numerous media articles pertaining to increased cyber security issues being experienced globally.

Cyber security has traditionally been considered solely an IT problem by most companies, as their IT systems have been both the ultimate target to be accessed by hackers, as well as providing the numerous potential entry points into an organisation’s private digital domain. However, with the development of smart buildings, this accepted battleground is changing.

Today, in addition to their IT networks, many companies now have Operational Technology (OT) systems designed to run the physical environment, such as the Building Management System (BMS) that monitors and manages the lighting, HVAC and other services within a building. As part of a building’s OT ecosystem, there are also an increasing number of internet connected smart devices each having the potential to be hacked. These devices operate alongside traditional technologies such as BMS, HVAC, lighting, fire panels, access control etc., all of which are critical in maximising the revenue generating capacity of a building and lowering its running costs.

Cause for concern
As an IT issue, cyber security demands a significant part of the overall IT budget. For example, a large organisation might happily consider spending 30 per cent of its IT budget to keep those systems safe. By comparison, OT has typically commanded a much smaller budget, which means that almost without exception, a company’s OT systems are less secure than its IT networks. The combination of the number of IoT connected devices within a modern OT system and their hitherto lack of protection means than many companies find themselves at serious risk of having these systems breached.

This is a huge cause for concern on two levels. Having penetrated a company’s OT system, a hacker will be effectively free to manipulate heating, cooling, lighting, fire-protection, alarm systems, lifts and all other services within a building, which could be extremely disruptive to business. However, the greater worry is that a hacker might not be content to breach the OT system simply to wreak havoc on the building services, but might instead target the OT infrastructure in order to gain access via the back door into the IT systems where all the lucrative information resides.

The recent Realcomm conference in Nashville, Tennessee highlighted this critical challenge to property owners. The proliferation of IoT presents a momentous opportunity for businesses as they are endeavouring to make their buildings smarter and provide greater amenity to their occupants whilst lowering running costs. These investment strategies cannot be implemented without first adequately protecting their OT systems.

There are two principle philosophies regarding next-gen cyber security to address this risk for OT ecosystems. These can be best understood by the layperson as the ‘Moat and Drawbridge’ and the ‘Invisible Cloak’ analogies.

Competing philosophies
Proponents of the ‘Moat and Drawbridge’ school of thought believe if a business or building can be surrounded with a metaphorical moat that is deep enough and wide enough, then all cyber traffic can be directed through a single point of access—the drawbridge—into which all necessary protective measures can be installed. This philosophy necessitates the removal of all other entry points into the IT and OT networks, other than the drawbridge itself.

The competing belief—the ‘Invisibility Cloak’ approach—is based on the concept of making a building digitally invisible to all but those people who need to see it, such as trusted users, clients, suppliers and business partners. Even though these people will be allowed admission, this access will be restricted to the parts of the system that they need to see, while the rest of the building will remain invisible to them.

Which solution is most appropriate ultimately depends on the situation at hand. These technologies need not be mutually exclusive. They should operate alongside each other thus accommodating the various commercial realities across different property portfolios. An integrated approach is critical. By way of example, an existing firewall /router cyber security solution should be able to stay in place whilst an invisibility cloak is placed over the entire OT ecosystem, thus making the most of the best attributes of each technology. Of course, doing nothing is the worst choice of all.

Key questions
Facing this challenge of protecting their OT systems, businesses need to ask themselves four key questions:

  • Firstly, which of these philosophies makes most sense for their business? Does the business have anything in place at all or alternatively does the business have existing viable drawbridge and moat infrastructure that needs to remain, and if so, can an invisibility cloak work alongside this infrastructure?
  • Secondly, what are the up-front installation and ongoing administration costs of each option?
  • Thirdly, what loss of strategic flexibility are they prepared to suffer in the name of security?
  • And perhaps most importantly, what is the cost of doing nothing?

Businesses today need to understand that although it is normal practice to spend 30 per cent of an IT budget on IT security, the same does not necessarily apply for OT security. The solutions required to deliver adequate cyber security to OT systems must operate within the lower cost paradigms applicable to the OT space whilst still safely allowing remote access by numerous OT maintenance vendors. OT solution providers, like Grosvenor have an intimate understanding of this reality.

Grosvenor has secured cutting-edge technology and established procedures that guarantee the installation, maintenance and administration of its cyber solutions can both complement and enhance the protection of OT systems at cost levels not previously possible. In this way, property owners, managers and end-users can embrace all the benefits of smarter buildings without the cyber security risk.

Grosvenor Cyber Solutions is an entity of Grosvenor Engineering Group Pty Ltd

https://www.tempered.io

[addtoany]