Understanding the Vulnerabilities of Building Control Systems

Thank goodness companies have IT security specialists to protect those vital business systems that are the target of so many sophisticated hacker attacks. Sure, physical security professionals have to protect some systems too, such as building controls and other less sensitive systems.

The thing is, those building control and security systems are increasingly tied to each other and to other business systems. And the building control and security systems can be the easiest for hackers to attack and exploit. Uh oh.

The learning sessions at GSX 2021 are grouped by theme into learning theaters. Kicking off the Offensive Strategies theater at 10 a.m. EDT on Monday, 27 September, Coleman Wolf, CPP, will lead a session on “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems.” In the session, Wolf will give participants the knowledge and strategies to try to prevent the “uh oh” from ever happening.

This session and all other Offensive Strategies Learning Theater sessions will be available in-person at GSX and livestreamed to all digital attendees. Register now for an All-Access Pass so you don’t miss it!

Wolf is a 25-year veteran of security management and security engineering, currently serving as senior security consultant at ESD Global, Inc. The GSX Blog caught up with Wolf to gain insight into the vulnerabilities of building control systems.

What are the vulnerabilities of these systems and why should people care?

Building control systems were not traditionally built with security of the system in mind. They were self-contained systems, nearly impervious to external access—it would take a physical breach to compromise them. That’s all changed. More and more, these systems are connected to each other and to other systems, becoming part of the larger IT infrastructure. A lot of people will build a connection between a building control or operational control system and, for example, a remote access IT system, but they build this connection without first really thinking through the security ramifications of it.

One of the reasons is that the building controls were not seen as highly valuable targets. Maybe someone gets in and gains access to turn the lights off. Annoying, sure, but it’s not worth expending a ton of resources to stop a practical joker when the resources could be used to fortify actually mission-critical systems. One of the things we’re going to spend some time on in the session is how wrong this perception is. Not only can they be an access point to do additional damage, a hacked building control system can cause serious harm to a company.

If these systems are becoming more vulnerable, why not just revert to more self-contained, unconnected systems? What are the advantages to the interconnected trends you describe?

The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with there being a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations and you want to monitor them from a central location.

In addition to the functional reasons, companies realized that they could use information from these systems to improve. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using intelligence from a variety of systems, and make strategic decisions. An example that relies heavily on building control data might be operating at peak energy efficiency—the savings to a company with a large footprint could be significant.

What do you say to a physical security professional who sees it as IT’s job to secure building control and security systems from cyber attacks?

Everyone in the session will leave with a good understanding of the differences between operational technology (OT) systems and information technology (IT) systems. Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested with facilities, not IT. The operations folks didn’t want to be burdened by IT controls. Similarly, IT folks recognized that these systems were different animals, and they didn’t want the responsibility of securing systems that sat outside the traditional IT framework and thus did not have the various IT protections and protocols built into them. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.

I’m the physical security professional and one of the operational technology systems under my purview is hit successfully with an attack. What do I need to be thinking about?

There are two fronts. You’re going to be pressured first and foremost to resume operations ASAP. That’s somewhat at odds with the other front, which is forensics to identify what the cause is and, in the case of something like ransomware, you’ve got complex political calculations to make: Do you pay the ransom and hope that your operations will return to normal? Do you pay the ransom and hope that other bad actors won’t try to hold you for ransom again? A lot of companies are finding it might be more prudent to go ahead and pay that ransom because the compromised system is crippling operations.

So those are the two primary things you will have to deal with. In the best situation you’ve got a business resumption and emergency response plan for cyber incidents. Some companies will incorporate this into a comprehensive business continuity plan.

In a lot of ways, you’re talking about a different approach or mindset. How do you get people responsible for building controls and people responsible for IT security to speak the same language?

In traditional IT and cybersecurity approaches, you look at what they call the CIA triad, which stands for confidentiality, integrity, and availability. Those are the elements that need to be addressed. When you look at these building controls and operational control systems, you have to add something to that mix. You have to add safety. If these systems are compromised, it’s not just the business aspects you have to worry about; you have to add the health, safety, and well-being of anyone—staff, customers, the public—who might be in an environment that is affected by one of the compromised systems. Going back to the attitude that hacking a building control system is akin to perpetrating a practical joke like turning the lights off: the breaches can be very serious in any number of ways.

And finally, I’m hoping to do a bit of a demonstration. A demonstration that will show just how easy it is to identify, locate, and access some of these systems—and discuss what people need to know about the vulnerabilities.