We Hacked a Commercial Office Building. Here’s What We Learned.
Countless high-profile, high-stakes incidents over the past few years have made it clear: anyone can be hacked, and there is no limit to the scope or reach of cyberattacks. New reports seem to emerge every week of international retailers, government organizations, political groups, and even entire cities suffering a major data breach or aggressive ransomware attack, resulting in leaked data and costly response. It’s a security professional’s nightmare, and organizations large and small have been taking steps to lock down networks filled with sensitive personal or proprietary information that might tempt a cybercriminal.
But not all cyberattacks are equal, and if you look more closely at the headlines you might notice an entirely different threat: the digital disruption of physical systems. As more physical security systems, including access control, lighting, building operations, and other industrial control systems, are linked to and controlled by Internet-connected networks, the risk grows that these systems might be caught up in—or even targeted by—cyberattacks.
As someone who has worked in both physical security and cybersecurity, I have long been concerned about this gray area where, often, nobody owns the responsibility to protect it. Even in the early days of convergence, there was always the question of whether engineers, facilities managers, or the security department owned the physical spaces where networks exist, and that has evolved today into building control and automation, including elevators, sprinklers, chillers, and more.
All of these components connect to the same data network, but who is responsible for protecting industrial control systems, and what security gaps does that gray area create?
This is a question that others in the security industry and I have been asking for more than a decade. And as more physical security components are getting caught up in digital breaches, concrete answers are more important than ever. After much research, I realized that others were talking about the susceptibility of integrated physical systems, but nobody was publicly discussing just how vulnerable these systems are.
So, about a year ago, a group of security professionals made up of physical security experts, building automation and controls security leads, and cybersecurity experts began strategizing a way to gather this information, and in March 2019 we carried out a cyberattack on a Class A commercial office tower. Through my organization CISO Insights, we funded a simulation of a full-on attack of physical and cyber systems against a commercial real estate organization’s 16-story commercial building. This type of attack presentation has rarely been seen before because of the implications—organizations are hesitant to open themselves up to exposing vulnerabilities and the corporate liability that comes with that knowledge.
But thanks to our strategic partnership with the organization and the building’s owners, we were able to provide an actionable assessment to the organization while documenting significant results about the state of today’s physical security systems and their ability to detect, respond to, and withstand attacks. The results of this testing shook the multibillion-dollar organization to its core and provoked a complete realignment of how they design and maintain their buildings. It also provided us with valuable data that we used to build a set of basic rules and principles for buying, installing, and configuring connected physical systems.
The types of systems attacked in the plan included access control, camera and alarm systems, building automation and control systems, and local IT infrastructure and wireless connections.
The attack plan used publicly accessible information to identify external attack options available from the Internet, as well as a physical site visit to confirm onsite technology in use. Much of what we will expose in the full report concerns the commonly available tools and methods that intruders use today, and just how easy they are to acquire.
When carried out, the planned attack quickly escalated, bringing a number of unintended systems into scope. This is the reality of the way today’s networks are built and buildings are connected: it’s all integrated. For years we have known it was cheaper and more efficient to integrate technology, but as today’s legacy building systems and company data networks are combined with Internet of Things connectivity, this approach gets much more interesting—and risky.
The full results of the attack and their implications will be shared in our session this September at Global Security Exchange (GSX) in Chicago. They will confirm some of your worst fears about real-world security protections and identify common weaknesses in similar building control, building automation, IoT, and physical security systems.
Much of what we learned, though, comes down to the same big-picture lessons applied throughout the security industry—do you know how secure your environment is? When you add a new piece of technology, have you assessed the risks and engaged security professionals before deploying it? How do you know it will stay secure, and who is responsible?
Access control, CCTV, alarms, and similar systems are all connected with different software programmed by different manufacturers. Very little of what we found suggested a holistic approach to understanding the problem. Often these components are maintained by third parties, integrators, or internal resources from IT, leaving common gaps that you should look for to protect these systems.
Besides the standard security issues like passwords taped to HVAC systems and power systems vulnerable to physical attacks, the building control systems use connect points that leave them vulnerable. Much of what we learned during the exercise revealed a new way in which building systems need to be managed and maintained to protect them for the next 20 years.
We found several physical vulnerabilities, but it was the cyber vulnerabilities—and the converged threats that live between the physical and cyber worlds—that were not properly mitigated, which proved to be very valuable in discovering where the building was easiest to attack.
At one point or another, all of these systems operate on the company network, and the details of how IT manages the data network make a difference in how secure the systems are. At GSX, we will discuss the fundamental mistakes made when connecting data networks to building systems and physical security applications. Further, we will discuss common techniques for protecting physical buildings against these types of attacks.
Dave Tyson is CEO at CISO Insights and a former ASIS International president and board member. His presentation at GSX, Cyber Attack on a Commercial Building, will discuss the full findings of the building cyberattack exercise conducted earlier this year. To hear Tyson and other experts speak on these topics and to meet with reputable companies who supply security technology, register for GSX at www.gsx.org.