Building management cyber security should be part of an overall risk management process and a company procedure. “We Can Learn From the Target Cyber Incident,” by Marc Petock, Vice President Marketing, Lynxspring and Connexx Energy as published originally in the March, 2014 edition of automatedbuildings.com.
The Target incident is another example of a cyber-incident that struck close to our industry and is another stark wake up call to businesses to be more vigilant and to take more preventative care when it comes to the cyber security of their assets. HVAC systems were in the spotlight and sparked discussions in just about every circle from building owners, to facility management, to contractors, integrators, to IT and security. Attacks like this erode confidence about our industry and some of the technology and services we deliver.
As the discussions and fallout continue and the painful after effects occur (Target is facing losses of billions of dollars, countless numbers of lawsuits, their brand has suffered greatly, they have lost the trust of their customers and given them a reason to shop somewhere else), while many details about the incident remain to be questioned, there are several things we can learn from it.
Cyber-attacks cause significant issues and have major strategic business and operational implications. All it takes is one opening in a device, a fault in an application, software vulnerability, poor remote access, inadequate credentials management and encryption methods, insufficient segmentation or improper setup and control within a network to give cyber criminals access to sensitive data and an opening to go wherever they want to.
We are facing non-traditional approaches from more vectors than ever before. This latest revelation is yet another example that access through one means can be an entry point into another and the damage is not just physical or operational disruption, it’s also is monetary, has social consequences, generates negative publicity, causes loss of customer confidence, comes with potential lawsuits, and has direct financial loss.
This incident has also put remote access in the spotlight. It is part of our service delivery; don’t lose sight of the many advantages and business value secure remote access provides (key word here secure).
Remote access increases service efficiency, provides a higher level of accountability, improves decision making, provides a higher level of analytics, enables higher levels of equipment performance and operational efficiency. It reduces maintenance costs, enables for the monitoring of equipment for service requirements and warranties, and provides immediate access to troubleshoot to quickly solve equipment issues. Secure remote access can spot likely failures before they occur, enable a proactive versus reactive service level, manage equipment repairs better, maximize service provider efficiency and effectiveness and ties together an ecosystem of disparate systems and equipment.
Business and operations today still are not sufficiently protected against cyber-attacks in spite of all the headlines, and coverage. There are large sums of money in play and the stakes are high. Company’s need to have consistent security protection. Building management cyber security should be part of an overall risk management process and managing cyber risks related to these systems should be a part of a company procedure.
Cyber security truly is a shared responsibility (you have heard me say this repeatedly) among technology providers, integrators/contractors and end users. It requires collaboration across a host of business functions. Enlist facility personnel, building owners and IT and get them to understand the business risks associated with insufficient cyber security practices.
As part of the value chain, integrators and contractors need to examine and review their own security practices within their organizations and how it relates to their customers. Also take the time to review all of your deployments and the security of these installations to ensure the systems and networked devices are properly protected. Integrate a cyber-security strategy for the systems and secure remote access to them with additional layers of defenses into all new deployments.
Owners and facility management don’t overlook the security of your supply chain providers. Cyber-attacks can come through third parties and a breach in one partner’s environment can easily propagate across today’s connected systems. Have steps in place to supervise provider activity within your network and ensure that appropriate security controls and procedures are in place.
As companies connect to each other, they should be aware of what the other is doing with regard to security; otherwise, they may be opening themselves up for a major breach. Any company, when asked, should be able to verify and document how they manage information security, including password policies, patch management, hardening systems, network management, and audits, just to name a few.
The Target incident does have an upside; we can learn from it and be more diligent moving forward. Maintaining a strong security posture is vital. We should take action and whether you are an integrator, contractor, building owner, in facility management or IT, ask yourself, “is a cyber incident worth the risk?”
Blog Photo credit: Newscom