Cyber Evangelist and Cyber Security Advocate Fred Gordy delivers another critical collection of cyber security and cyber terrorism information — as it pertains the building management systems’ world. If you don’t have a policy or internal guidance yet, print this article out and hang it on the break room refrigerator, and use it as a starting kit/tool at your next board meeting, whatever it takes to get yourself and your organization Pre-Acting!
April 21, 2015 Are You Ready? React or Pre-Act, that is the question.
Two things building owners and property managers need to know:
- Never underestimate your building control system as a vehicle of breach for hackers.
- Cyber security is a problem that will never be solved.
According to a FireEye/Mandiant Study entitled Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model this year, nearly 97 percent of organizations has been breached, meaning at least one attacker had bypassed all layers of their defense-in depth architecture. Three-fourths of organizations had active command-and-control communications, indicating that attackers had control of the breached systems and these systems weren’t just compromised; they were being actively used by an attacker for activities that could include exfiltrating data.
Mandiant also published these statistics:
- 100% of victims have up-to-date anti-virus software
- 63% of breaches are reported by third parties
- 243 the median number of days advanced attackers are on the network before being detected
- 100% of the breaches involved stolen credentials
The Ponemon Institute has issued its annual report entitled “Cost of Data Breach Study,”, a study on the economic impact of data breaches. The Cost of Data Breach Study is sponsored by IBM, its results show an increase of the average data breach cost per victim, it is nearly $145 per compromised record.
According to the Norton Cybercrime index for 2013
- There were 253 data breach incidents and a total of 552,018,539 identities exposed as a result
- The average number of identities exposed per incident was 2,181,891 compared with 604,826 in 2012 (this is an increase of more than 2.6 times)
According to Identity Theft Resource Center:
- As of 12/12/14 the total showed that there had been 666 breaches to date and this represents a 25.6 percent increase over the same time period last year which was 529 breaches
These attacks are no longer being performed by high functioning programmers. Today unsophisticated hackers are wreaking havoc. Hacking no longer requires you to learn sophisticated hacking techniques. There are tools, which have been sold via PayPal for as little as $40. “Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” wrote Brian Krebs of Krebs on Security. “The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool.”
Some questions to ask yourself and your team…
- Do you know who gets involved in breach investigations?
- More and more it is the secret service and the FBI.
- How is your customer network configured?
- Building Control networks have and are being set up with un-managed switches, exposed to the web with little or no protection and then are bridged to corporate networks.
- Hackers see these networks as an on-ramp to your corporate network.
- Do you have common username and password that is in all of your customer systems for ease of access?
- It is likely that past employees still remember this access.
- Once a hacker knows this login, they will know that they can get into any of systems you installed.
- Who owns the responsibility for administering the system username and passwords?
- Does Dell administer your user when you buy a server? No… and neither should you. Your customer should be responsible for this. By doing this you are passing responsibility and liability off your shoulders.
- In most cases the BMS vendor does this and is expected to take care of it.
- Does Dell administer your user when you buy a server? No… and neither should you. Your customer should be responsible for this. By doing this you are passing responsibility and liability off your shoulders.
- When an employee leaves, what measures do you take to remove them from access to customer control systems?
- If you are still administering your customer’s users, do you change the password to all the sites (big headache, I know… another good reason to turn this over to your customer).
- Fired employees are more likely to retaliate within a few days of termination so how quickly they are removed may prevent damage. Don’t forget former employees are also prime targets for hackers to purchase their log in info.
- If your customer is administering their users, do you let them know?
- If you don’t and the former employee does damage to their system, you could be held liable.
- If you are still administering your customer’s users, do you change the password to all the sites (big headache, I know… another good reason to turn this over to your customer).
- Is the building control PC/server locked away and is it only used for serving up the webpage to users or are they in a building engineer’s office accessible by anyone to use to surf the web and check their social media?
- Do you have breach response and recovery plan for inside your organization as well as for outside of your organization?
- Who is the response and recovery team lead?
- This is the single point of contact for all internally reported incidents or suspected incidents.
- Who is the company “voice” for external communication?
- Who speaks to the media, reports to key stakeholders, and external agencies such as law enforcement, government agencies (FBI, Secrete Service, etc.), the customer, etc. after the incident?
- Do you have a communication strategy? For example:
- Lists of all necessary contacts in the media, emergency responders, etc.
- Prepared and vetted statements and press release information that would be available for immediate use. This is particularly important when the organization provides a product or service on which the public depends.
- A current list of contact names with the respective skill sets at key vendors for critical systems and components in the overall control system.
- Do you have response time deadlines?
- The length of time you take to respond can make you or break you and mitigate brand damage.
- Have you identified the SME/acting expert/go to person in your organization as a resource on cybersecurity threats and vulnerabilities?
- Have you developed organizational policies and procedures related to incident response?
- Have you identified operational impacts to the organization in the event of an incident?
- Have you identified who will be responsible for gathering forensic information to support analysis and any legal actions?
- Do you have safe guards in place to prevent a recurrence of the incident?
- Have you developed remediation strategies after the incident?
- Do you “fire drill” your breach response and recovery plan?
- Do you have policies in place that address actions to be taken against an employee or contractor when the incident was caused by someone inside your organization?
- Do you have information disclosure policies in place to address your organization’s position on disclosure and what actions are to be taken in the event of a breach?
- Do you have an incident notification plan? For example:
- After-hours phone numbers
- Offsite contact numbers
- Contact information for customers and partners
- Phone numbers for backup staff
- Contact information for management and rules for escalation
- Criteria for filtering out false positives
- Contact information for any relevant regulatory authorities
- ICS-CERT/US-CERT contact numbers and information
- Vendor/integrator responsibilities and contact information
- Have you considered how you will analyze the incident? For example:
- What dangers or effects on the facility or facility personnel safety may be caused by the event?
- If the reported incident is real or a false positive?
- What stage the incident is in—beginning, in process, or has already occurred?
- What the impact might be to the organization?
- The specific type of incident?
- What systems and equipment are or may be affected by the incident?
- If the system has failed over to an available backup system?
- If the incident has the potential to spread across other networks or even outside to partners or customers?
- What organizations will be affected and who should be part of the response?
- Who is the response and recovery team lead?
- Do you have cyber liability insurance?
- If you do not, are you planning on acquiring in the near future?
- Make sure and research this one carefully. Not all policies are created equal.
- If you do not, are you planning on acquiring in the near future?
And finally…
Whose responsibility is it to keep the building control system safe? Vendors and integrators have a share of the responsibility, but the system owner has to shoulder part of the responsibility too. It is hard to predict what the attack vectors will be but it is incumbent on vendors, integrators, and building owners to work together to secure the control system.
Some of the information above I pulled from the Department of Homeland Security paper entitled Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (Oct 2009). If you would like a copy go to https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf. It is a free download.
3 Responses
I was pretty pleased to find this great site. I wanted
to thank you for ones time due to this wonderful
read!! I definitely savored every bit of it and I have you book marked to check out new information in your blog.