As building management systems become more connected to the Internet, it is no surprise that they are vulnerable to a variety of remotely launched threats such as malware, worms, phishing attempts, and ransomware.
FREMONT, CA: There are risks inherent in the architectural layout of huge buildings, as well as intrinsic concerns with the devices themselves. Devices are either hidden in ceilings or mounted in equipment closets, away from where people may inspect them. Because so many of them function in near physical darkness, they can go undiscovered for months or years. On the other hand, they could be out in the open, exposed to hundreds of people (like smart thermostats). In either case, gaining access is rather straightforward for a bad actor. When a device is hacked, it can be turned into a zombie and used to host man-in-the-middle attacks.
Risk is significantly increased by ambiguous system ownership and irregular maintenance practices. The installation of building systems is normally awarded to the lowest bidder during the construction phase. Subcontractors and system integrators receive these awards farther down the construction chain. The developer of the property eventually turns the building over to the tenant to manage. Even though most organizations outsource facilities management to a third-party property manager, the technology is still housed on the tenant's network (typically on a VLAN).
Corporate Information Technology (IT) is not normally expected to keep such massive systems up to date (because they also control physical assets, they fall outside IT's scope). The systems are frequently housed in satellite sites with little or no direct access to IT support, so they are hosted on a corporate VLAN that requires less oversight. As a result, the cybersecurity of building management systems tends to 'fall between the cracks' in the management and maintenance framework.
To aggravate the matter even further, building systems rely entirely on local service companies to make programming modifications and fix faults. This means that a steady stream of vendors regularly logs in over the workplace network or remotely via a VPN. Endpoint security is lacking in this setup.
Smart buildings have numerous advantages, including being physically safer, significantly more energy-efficient, and healthier and more comfortable for employees. On the other hand, the industry is only now beginning to comprehend the vast attack surface that these complicated designs entail. Enterprise IT and Operational Technology (OT) security teams must fix these flaws and establish best practices, or major consequences will follow.