By Lucian Niemeyer, CEO, Building Cyber Security
Have you ever heard the phrase, “Your chain of trust is only as strong as its weakest link?” In an age when zero trust is the trendy solution to mitigate evolving cybersecurity threats, what is the impact on the new generation of devices we are plugging into the Internet of Things? Rapidly advancing operational technologies (OT) enabling smart homes, buildings, and industries to function provide significant benefits for our lives, economy, and environment. However, the vast adoption and integration of smart products also raise risk, vulnerability, and the opportunity for bad actors to cause harm through cyberattacks.
Experts expect global cybercrime costs to grow by 15 percent per year over the next five years and reach up to $10.5 trillion annually by 2025. In fact, in March 2021, Forbes reported that the year 2020 broke all records regarding data lost in breaches. In a 2020 study on the State of Operational Technology and Cybersecurity, nine out of 10 organizations experienced at least one system intrusion in the past year, up 19 percent from 2019. More than six in ten organizations had more than three intrusions. Additionally, these sophisticated threats to organizations increase from applying emerging technologies such as machine learning, artificial intelligence, and 5G, and from greater tactical cooperation among hacker groups and state actors.
The Colonial Pipeline cyber incident that shook the East Coast in May exploited a weakness in the standard information technology (IT) software for automated business operations, including the smart system between meters and billing software as well as back-ups systems. Although the ransom was paid, Colonial’s systems took weeks and millions of dollars to recover. While the forensic investigation is underway, one thing is clear—similar attacks are occurring in every business sector, with most of the victims remaining anonymous. The business model is ideal for bad actors to monetize a cyber vulnerability—very little expense, easy to deploy, and a simple payoff. Every hacker, criminal, or terrorist with a keyboard wants in, and every business with cyber weaknesses is a target.
Exploiting Smart Buildings
Criminals can exploit and attack any smart device through a weak router or exposure to the internet, and most can be easily accessed wirelessly without using a network or the router. The advancement of wireless technology has made it possible that even your coffee machine can end up asking you for ransom simply by modifying its firmware. Once the morning coffee is threatened, life as we know it starts to degrade.
Simply put, any smart building controls can be exploited to cause significant disruption. Elevators can be seized. Sprinkler systems can be activated. Digital thermostats can be manipulated through cyber commands to be converted to a listening device. Electricity can be shut off or surged to destroy equipment. Cyber locks can be opened for theft. The current control system inventory used for buildings known or suspected to be compromised could have little recourse for the system manufacturers to reach out to end-users to patch the security of their products. It may come as a surprise that most end users do not know if the control systems used in their work area can threaten their reputation, compromise operations, or even harm employees.
Securing Operational Systems
Unchecked cyber risk has increased because both organizational and technical gaps exist in securing traditional operational systems (cyber-physical systems) compared to traditional IT. While securing OT has been dramatically improved with the advent of Standards, including NIST 800.53 and IEC/ISA 62443, IT shops rarely include compliance with these Standards within their responsibility. At the same time, the team operating the smart building management systems or other automated systems are not aware of the full range of cyber attack vectors and mitigations faced daily by the IT team. Until now, incentives for the two organizations to communicate, cooperate, and collaborate have not existed. But as cyber risk grows into an existential threat to the brand or bottom line for a company, the shareholders and private investors are starting to notice as liabilities increase.
Building Cyber Security, Inc. (BCS), a 501 (c)(6) nonprofit organization, was established in 2020 and has gathered private sector participants from multiple business sectors, technology companies, associations (including NEMA), and insurers. All have a mutual need for an overarching framework offering market incentives to asset owners and operators to improve the security and safety of installed technology systems and devices.
What makes BCS unique in the nexus between the built environment and technology is the collaboration with leading global insurers to incentivize the adoption of cyber certifications for tiered levels of protection (bronze, silver, gold, and platinum) that match the risk identified by asset owners. As insurance policy rates related to cyber risk continue a rapid climb and potentially start impacting the costs of property and casualty policies, adoption of the BCS framework will reduce those policy costs or even mean the difference in getting insurance at all. For a CEO, investing in cyber protections will now offer a firm financial return and competitive advantage instead of being strictly the cost of cyber risk mitigation.
In collaboration with NEMA, the International Society of Automation, and other industry associations, the BCS framework will enhance the protection of OT and associated IT systems by delivering a cyber protection assessment and rating based on existing Standards and evolving industry best practices. The BCS framework will reward the engineering and design of protections into a device or integrated system. The BCS framework will also reward persistent cyber hygiene, addressing the people (training), processes (governance), and the technology (controls) over the life cycle of an asset. Adopting the BCS framework mitigates the risk that bad actors will use weaknesses in technologies to threaten harm. In the end, enhancing cybersecurity for the smart technologies we rely on daily in our homes, cars, work areas, and communities for essential services is a matter of human safety that we must address now.
For more information, visit buildingcybersecurity.org or follow us on LinkedIn at Building Cyber Security: Overview | LinkedIn.