Enhancing Cybersecurity in Building Systems: Insights from May 2024

In the rapidly evolving domain of cybersecurity, especially within building systems, continuous learning and adaptability are crucial. The May 2024 Lunch & Learn webinar brought together experts across fields to share their knowledge on cyber-physical security and operational technologies in building automation, a topic that is increasingly relevant in today’s interconnected world.

Exploring Cybersecurity Challenges and Strategies

Ari Reubin

Ari Reubin, Head of KMC Consulting, opened the webinar by emphasizing the importance of enhancing cyber-physical security for both retrofits and new construction. He highlighted the need for proactive discussions and solutions in this area, inviting the distinguished panel to share their insights and experiences.

Insights from Industry Experts

Andrew Rae

Andrew Rae from SmartNet Zero shared a fascinating historical perspective, recounting a significant cyber event in 2010 at Google’s Wharf 7 building in Australia. Rae explained how cyber-security researchers used advanced search engine hacking techniques to uncover vulnerabilities in the building management system (BMS). Their method allowed them to discover the BMS running the entire building, which was using a configuration file (stored outside of the root folder) containing weakly encoded security protocols. This gave them access to all the building HVAC systems, a problem which could have been mitigated through timely software updates and patches. He remarked, “Technology moves at a pace, doesn’t it? Ten years ago, such events highlighted critical weaknesses that still need addressing today.”

Louis Parks

Louis Parks, CEO of Veridify Security, discussed the concept of zero trust within cybersecurity frameworks, explaining that although it is often talked about, misinformation abounds. Zero trust refers to the security model of denying access by default; access is granted to authenticated users and their devices, and only to the data and systems they need to do their jobs. He clarified that zero trust is an architecture with principles rather than a certifiable standard. Parks encouraged attendees to refer to the NIST 800-207 guideline to understand zero trust better, emphasizing that securing devices and managing identity are crucial steps in the process. “A device in the field must be updatable,” he explained. Unfortunately, many buildings and their original systems were not designed and built with this in mind.

Tim Vogel

Tim Vogel of KMC Controls focused on the cybersecurity disparity between IT and OT systems. He noted that many organizations meticulously update their IT networks, yet neglect OT systems, which often lack the capability for over-the-air updates. Vogel stated, “Firmware updates in the OT side of the house aren’t pulled often, but they need the same attention as their IT counterparts to prevent vulnerabilities.” He compared the Google Wharf 7 issue to a reported incident from May 2024 regarding a security platform provided by Johnson Controls. He mentioned that operators often do not update their firmware or OT systems unless there is a specific problem to be fixed. Operators may hesitate to do so out of fear that updates can cause more problems than they fix. However, he cautioned that it is a gamble and a risk that could cost operators more than they anticipate should they fail to update all their systems when those updates become available.

Implementing Secure Frameworks: Beyond Compliance

Drew DePriest

The conversation also explored the different approaches to cybersecurity standards from government and commercial perspectives. Drew DePriest from McKesson advised integrating IT and CISO frameworks with OT management to enhance security. He stressed the importance of autonomous scanning tools and comprehensive device inventories, standard practices in IT that are now being adapted for OT environments.

Ari Reubin prompted further discussion on the implications of connecting buildings to the cloud. Tim Vogel highlighted the unique security considerations for cloud-connected buildings, arguing that not all buildings require such connections. He reasoned, “Defense in depth should be the guiding principle, considering the specific needs and risks associated with each building type.” He commented that people often focus on disaster recovery, but cyber-security focuses on disaster prevention.

In the final moments of the discussion, Andrew Rae pointed out the frightening capabilities of technology today, especially that hackers do not have to be on site, nor do they even need a deep understanding of technology to be able to hack into some buildings.

Louis Parks mentioned the importance of redundancy and failover capability, such as what air traffic control systems and government security systems typically have. For the average user, this could mean having two HVAC controllers, etc. This would be important during tornados, earthquakes, and security hacks, but unfortunately, these types of redundancies have not typically been utilized in the world of building automation systems. Andrew Rae raised the point that end users typically avoid redundant systems due to cost considerations. Drew DePriest agreed, saying he has seen that users have to evaluate the value of these systems to justify the cost of redundancy. “Can you afford to lose control of a certain system?” he asked. If the answer for your business is “no,” then redundancies should be a cybersecurity consideration.

Key Takeaways and Looking Forward

The May 2024 Lunch & Learn panel concluded with actionable insights for enhancing building cybersecurity:

  1. Conduct Regular Cybersecurity Assessments: Establishing a thorough risk assessment process is vital. Understanding potential vulnerabilities helps prioritize resources efficiently.
  2. Promote Cyber Hygiene: Continuous education and awareness can significantly reduce the risk posed by social engineering and other common attack vectors.
  3. Embrace a Unified Approach: Aligning OT security measures with existing IT protocols fosters a cohesive and secure environment, leveraging frameworks like zero trust where applicable.
  4. Invest in Resilient Solutions: Particularly in high-impact sectors, redundancy and robust cybersecurity measures are essential to safeguarding critical infrastructure.

The session underscored the importance of innovation and collaboration in fortifying building systems against cybersecurity threats. By implementing the frameworks and best practices discussed, industry leaders can ensure a safer and more resilient future for building automation and management technologies.
