By now, many employers will have implemented some kind of cybersecurity training for employees to ensure they aren’t tricked by a phishing scam that ends in the company falling victim to a ransomware attack.
While corporate tenants may have procedures and training in place to avoid such attacks, do those strategies consider the HVAC company hired to fix or replace an air conditioning system in an office building, or the elevator technician contracted to maintain service?
Commercial buildings have become increasingly “smart,” which is to say increasingly internet-connected. This is known as the Industrial Internet of Things (IIoT).
In a typical modern commercial building, there can literally be thousands of digital devices trading information “packets” over the internet, including key card door lock systems, elevators, security cameras, HVAC systems and smart lighting systems.
It’s estimated there are now some 30 billion internet-connected devices in the world, and a whole lot of them are visible on Shodan—an internet-of-things search engine.
“As everything now has become digital, the number of ways to get into a company has gone from maybe five, in the beginning, 20 years ago, to hundreds if not thousands, per company,” says Phil Fodchuk, a partner with MNP’s digital services.
“The bigger the connected landscape in a building, the more opportunity you’re given for threat actors to get in,” adds David Masson, vice-president of enterprise security for Darktrace.
“In a short span of time, smart systems and the [IIoT] have become the new reality for commercial real estate (CRE) organizations—from HVAC systems that can monitor occupancy trends and lower your utility bills, to elevator systems that run analytics to boost efficiency and reduce lineups,” MNP says in report on cybersecurity in commercial real estate.
“They’ve brought significant benefits, such as lower costs, improved efficiency and tenant satisfaction within CRE. But they don’t come without risks.”
There was a time when only major industrial facilities such as nuclear power plants, hydro-electric dams and pipelines had to worry about back-door intrusions through supervisory control and data acquisition—or SCADA—sytems.
Today, the typical modern office tower can have its own version of a SCADA system, but without it being air-gapped from the rest of a company’s or buildings’ computer system. All these devices connected to the internet provide an expanding digital warren through which malicious programs can run.
“These new internet-connected systems are geared towards user-functionality but have minimal cyber security features built in, making them an easy target for attacks such as ransomware,” MNP warns.
“Additionally, third-party vendors and building staff working on maintaining and managing these systems are often not trained in cybersecurity and further contribute to the risks.”
The commercial real estate sector faces “unique risks” when integrating intelligent building systems, according to Fortinet. These include:
• Lack of end-to-end network and cybersecurity monitoring and visibility;
• Multiple internet connections in buildings with no centralized control;
• Poor network and device patch management practices; and
• Insecure remote access technologies and processes.
Fortinet notes that many IIoT systems were deployed to perform specific functions—control elevators, for example—but then get layered onto a network with little consideration for the security vulnerabilities they may introduce.
“This created a situation where disparate systems, networks and remote access connectivity were deployed without the appropriate management processes and monitoring required to protect digital assets and data from cyber criminals properly,” Fortinet warns.
The MNP report points to a 2013 breach at U.S. Target stores as an example of how IIoT in commercial buildings can increase vulnerability. That breach cost Target US$18.5 million just in settlements alone. It was caused by a third-party HVAC vendor’s system.
Internet security experts talk about IT (information technology, which includes computers and computer networks) and OT, or operational technology. If IT is the network on which computers operate, OT is the system on which “things” operate—everything from security cameras to lightbulbs.
As IT and OT become increasingly integrated and connected via the internet, it increases vulnerability within the network because there were traditionally fewer safeguards built into OT systems than IT systems.
Smart lightbulbs, for example, are not password protected, Masson points out, even though they connect to the internet just like a laptop or smartphone.
Fodchuk notes that, in the past, an elevator technician would show up with a toolbox. Today, when a repair person shows up to fix an HVAC system or EV charger or elevator, his or her “toolkit” may include a laptop. And who knows where that laptop has been?
Fodchuk says building managers and IT departments should be familiar with a series of standards—ISA/IEC 62443—that define requirements and processes for running secure industrial automation and control systems.
Under these standards, a third party who needs to connect to your system for whatever reason should not be allowed to use his or her own computer, but should be given a company laptop or computer to use.
“You actually don’t allow untrusted devices or untrusted data to come in,” Fodchuk says. “If you need a computer to connect in and do something, we’re going to give it to you because it’s trusted—we don’t trust your laptop.”
The most common way for bad actors to get into a network is still through phishing. But there are other ways to introduce malicious code. Attackers can exploit IIoT systems through third-party supply chains, for example.
In 2020, one of these attacks was through Orion, commercial software made by SolarWinds. Advanced persistent threat (APT) attackers had infiltrated the SolarWinds software through its supply chain, Fodchuk says.
“You use something, a tool, to run your pumps, to run your elevators,” Fodchuk explains. “That software often is provided by a third-party company, and that third-party company uses another third-party company for software or coding.
“So when you get it, as a customer, and you’re operating, there may have been four or five, six other companies that had to contribute, and they may have a weakness.
“Attackers figured out, if we can get into SolarWinds, and we can adjust the code to put a back door into SolarWinds, when a client buys SolarWinds, we now have a back door directly into that client.”
Attackers can also simply get into a network through a phishing attack, and when IT and OT systems are connected, the OT side of things—all those hundreds or thousands of devices—provides the attacker lots of space to move around in, and more door handles for digital entry.
And some “smart” devices are connected to the internet without any password protection. You can find them on Shodan—the search engine for connected devices.
“Most of these internet tech things, whether it’s a lightbulb or whatever, don’t have passwords,” Masson says. “So you don’t need a backdoor. They’re just there broadcasting away on the internet.”
One way to keep a building’s IT and OT systems safe is with the type of AI software that Darktrace uses.
RioCan Real Estate Investment Trust uses Darktrace to protect The Well in Toronto—a large mixed-use development with residential, office and retail buildings.
The Darktrace AI program runs in the background on the company’s computer network and learns “the entire digital infrastructure of a building,” Masson explains.
“What the AI is ultimately doing is learning what is normal for that digital infrastructure,” he says. “It only focuses on the data produced by the digital infrastructure that’s in that building.”
The system learns what is “normal” for data flows and develops “pattern of life models” for everything in the system—from the company’s laptops to its printers and security system. Once it knows what it normal, it can quickly detect abnormal behaviour.
“It understands how you are,” Masson says. “And because it understands how you are, when that changes, you’ll see that change in real time, and (it will) tell you, ‘Hey, the printer in your accounts department isn’t just printing and scanning, it’s now sending data out to Syria. It never did that before.’
“The AI tells you, ‘Now you’ve got to do something about it,’ or you can use the AI to just kill the communication.”
This article was originally published in Office Space Magazine.
