The need to make commercial property renovations and new building projects more energy-efficient and user-friendly creates a serious and unwanted consequence: these smart buildings open up new attack vectors for cybersecurity threats.
Internet-connected systems that control elevators, escalators, heating and security access can be used to monitor and optimise performance, saving building operators money and making life more efficient for occupants. But that same utility has created a new business opportunity for cybercriminals.
Building systems which were once protected by “security by obscurity” are now designed to be more open and run on common architectures.
Insecure systems could be exploited to take a building hostage — possibly by disabling the lifts or building entry systems, or through a more subtle attack like raising the temperature to increase energy costs.
There’s also a risk that internet-connected physical assets can be exploited by hackers to access internal IT systems. For example the temperature controls inside a casino fish tank were used to steal high-roller data.
To mitigate these potential risks, the Australian construction and property industry has formed a group that brings competitors together to develop the standards and frameworks and engage government to ensure mature cybersecurity frameworks.
The Property Council Cyber Security Roundtable was formed in mid-2018 and currently has members from 12 organisations including GPT, Charter Hall and Mirvac.
It has five main objectives:
- To agree on a framework for cyber accountabilities across all players in the property and construction value chain.
- To work together on a cross-industry cyber crisis response plan.
- To work together to lift the cybersecurity capability of its supply chain and technology partners.
- To play a collective advocacy role to its stakeholder community including government, boards, and investors.
- To link with similar bodies in other jurisdictions to create a global network with common objectives.
Bob Hennessy, Group CIO, Lendlease, and Chair of the Property Council Cyber Security Roundtable, told Which-50 the group recognises a bad event for any of the members would reflect badly on the industry as a whole.
“Our initial thought was simply that there appeared to be an opportunity to collaborate on cyber to collective advantage as we were all facing common issues. We agree that this should not be a point of competitive tension,” he said.
Hennessy explained cybersecurity has expanded as more smart systems are used in construction and property management.
“Without wanting to be alarmist about this, once a building’s control systems are connected to the internet it becomes possible for anything those control systems can do, to be available to those who break into those systems. It is indeed a scary prospect if you think about the worst case, and that is why we need to work together to do all we can to combat these threats.”
The Lendlease IT chief said a number of the roundtable members have spent time in the financial services industry. He explained that the main thing they have learned is the fact that working together makes sense.
“It was surprising and incredibly refreshing to see how quickly all of us agreed that working together made sense. It was only three months from our first discussion — where the matter was floated — to having our first official meeting under the Property Council banner. A great outcome and a reflection of the good thinking and the sense of urgency of all involved.”
Security shouldn’t be a trade secret
Nick Savvides, Chief Technology Officer Asia Pacific at Symantec, argues the increased level of digitisation across all industries is putting increased pressure on cybersecurity, forcing more industries to find ways to collaborate.
“Historically, cybersecurity has been considered a hygiene function for many other industries — something they had to do, but provided no real business benefit. Today, every industry and every business is digitising and cybersecurity is a big part of that, making threat collaboration something that many industry groups should look at,” Savvides told Which-50.
“There may also be the perception within some industries that exchanging intelligence and collaborating with other organisations will reduce competitive advantage.”
He expects to see more cross-industry collaboration as organisations realise cybersecurity is not an individual issue, but a shared issue that impacts whole industries.
“As industries become more aware of cyber attacks and the impact they can have on businesses, organisations will realise the advantage of collaborating with industry peers,” he said.
Savvides says industries should develop mechanisms so their cybersecurity teams can share threats seamlessly, securely and privately between one another.
“Cyber threats are constantly evolving. So for organisations to defend against malicious and destructive threats, they need to consider their defence strategy and draw from shared industry knowledge. This will enable them to respond quickly and effectively.”
The end of “security by obscurity”
Gartner analyst Kristian Steenstrup told Which-50 there is an increase in awareness of threats and vulnerabilities as all sorts of operational technology becomes smarter, allowing for more automation and remote monitoring.
“The market has demanded greater efficiencies and cleverness of the technology, and part of that cleverness of the technology is enabled by software products that can make your elevator smarter, more efficient, use less energy, and predict when they need maintenance and notify the maintenance people about what’s needed on the location,” Steenstrup said.
“But all that means that you’ve now got software and processes embedded in equipment and very frequently connected to building management systems or externally to your maintenance provider.”
Steenstrup explained that in the past they were proprietary systems, protected by “security through obscurity” — because only the person who designed it could get into it. They now run on well-known operating systems such as Microsoft Windows or Linux controlling your heating and ventilation.
“That means they are no longer isolated and no longer obscure,” he said. “As you move to more open systems, that creates this potential where they could be accessed and manipulated more easily because they’re now running on a more accessible operating system.”
According to Steenstrup, a threat in building and facilities systems could be “annoying operational vandalism” or it could be economic, impacting the profitability of a commercial property by increasing energy usage.
“The repercussions are not just an inconvenience, but can be an economic repercussion, a health and safety repercussion. And those things are real outcomes for an organisation,” he said.
He said he had already seen these attacks targeting connected operational technology in the industrial sector. For example power plants in the Ukraine, and steel firms in Germany, have been targeted.
“Given that we had the same type of control systems in building automation and given that the precedent for attack is existent. I don’t think we’re drawing a long bow to say this is something we should be thinking about.”
Those threats get really scary when you consider the risk in the context of hospitals, healthcare and medical facilities.
CIOs should step up
Steenstrup says the threats can be easily mitigated as long as those risks are managed.
Part of the challenge in tackling the new threats from software-controlled physical assets is they are often outside the purview of CIO, run by facilities managers, or as a part-time activity of somebody who deals with physical access security.
“The CIO in most organisations has got good awareness and we think increasing maturity around how to manage cyber threats and create a more resilient organisation. But part of that side of the CIO’s domain, it’s very difficult for them to influence or control,” Steenstrup said.
Gartner argues that the CIO is well placed to deal with these threats as IT and OT converge.
CIOs, as software experts, can advise or give direction on how these things can be done better. They also need to be involved during technology acquisition to ask vendors important questions about securability and maintainability of systems. Because in many cases, systems are designed to work and not be touched again.
“The CIO should be, I think, increasingly at the centre of attention, because they’re the ones that are the most skilled and prepared to deal with these complex IT-based network technologies.”
Steenstrup noted that by collaborating with others in their industry and forming communities, CIOs learn together and can exert more pressure on suppliers to create products with certain security standards.
“So that as a community, you’re approaching uniformity of standards, you’ve got common shared risks and threats. So there is usefulness in working together on that, and forming a wider working group.”