Realcomm Advisory: Author: Marc Petock, Vice President, Marketing, Lynxspring & Connexx Energy.
I spend a lot of time on the road meeting and speaking with business leaders. While these conversations are an opportunity to engage with them on the challenges they face and where they want to take their organizations, a consistent and mounting topic in all of these discussions is the issue of cyber security. An overwhelming concern is the potential for financial, reputational and physical damage caused from cyber incidents.
Cyber security has emerged in recent years as the number one priority and if it has not for you, it should. What was traditionally seen as a simple component of an organization’s infrastructure – throwing a firewall and antivirus solution down has evolved into something that can keep you awake at night.
It’s impossible to miss the daily headlines on the latest breaches and cyber-attacks. And these include cyber threats, network compromises and vulnerabilities directed at building and energy management systems. Headlines such as Hackers’ Next Target Maybe Your Facility’s Control Systems, Hackers Breached New Jersey Industrial HVAC System, The Internet of Things is Under Attack, Texas Hospital Discloses Huge Breach, Australian Google Office Building Hacked, Software Security Vulnerabilities Climb 26%, Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More, Building Heating, Lighting and HVAC Systems are Vulnerable to Cyber-Attacks, according to DHS. And then there are all the headlines regarding the recent cyber security issues concerning Target.
We have witnessed that networked BMS and EMS technology have weaknesses, such as inadequate password protection, the use of software that can be hacked and breached and various unmonitored access points within the network. Given this, BMS and EMS systems should always be considered vulnerable to hacking and threats.
Cyber threats continue to increase. This increase is due, in part, to evolving external and malicious threats. Enterprises today aren’t just facing a single attacker or the stereotype of a teenager in the basement just doing it to be doing it. We are fighting well-organized, well-funded adversaries who have formed a sophisticated marketplace; one that is efficient at orchestrating multiple attacks on the same targets with diverse techniques.
So how did we get here? For many years, cyber security and threat protection has taken a back seat to our building and energy management systems. Today, many buildings use IP-based networks and computerized building management systems to monitor and control their systems; these structures are susceptible to cyber threats such as hacking, malware and viruses.
Looking back, our building protocols were never originally designed or built with security in mind. Most of the protocols communicating with BMS/EMS have their origins in serial communications and provide little, if any, security. The unfortunate reality is that these protocols do not possess a robust security framework that can deal with today’s real world possible intrusions and breaches.
During the ‘80’s, when communication protocols enabled systems and equipment from different manufacturers to interact with each other, BMS technology had the ability to load and execute programs in real-time, as well as update software over an extended period of time. During this era, it was security by obscurity and not that conceivable that hackers could pose some threat. Most commercial code was proprietary and used by stand-alone systems and was not considered to be entry points or posed risks. In the past, our BMS were left to be isolated as they utilized propriety technology and avoided the open standards that exist today. The last decade we have seen a tremendous increase in the number of facility systems based on open technology and connected via standard TCP/IP and connected directly to the Internet.
What Can Happen? A hacker can use a BMS/EMS device as a jumping off point to get onto other devices and systems, introduce malware, viruses and worms or engage in other detrimental activities. The social implications can be as equally devastating with negative publicity and loss of customer confidence while the financial ramifications may be compounded with lawsuits and equipment replacement and repair.
The Target case is just the latest example of this. Target’s reputation to protect the security of confidential data pertaining to their customers’ personal financial information has taken a big hit and has had a direct impact on their business. As a result of this incident, Target is facing losses of billions of dollars, countless lawsuits, their brand has suffered greatly, they have lost the trust of their customers and given them a reason to shop somewhere else.
And there is more, it is the critical role cyber security protection of building automation systems plays in the operation of our businesses. The operational, financial and reputational impact to a business is tremendous and can include:
Operational Repercussions: Uninhabitable facilities, Uncontrollable and locked-out systems, Equipment damage and replacement, Inefficient systems, Sprinkler and smoke alarm failure, Disabled elevators controls system, Lighting failure, and Compromised building access and intrusion,
Business Repercussions: Interruption of business and operations, Exposure and compromise of intellectual property and sensitive information, Introduction of malicious files, viruses to the corporate IT network, Negative publicity, loss of customer confidence, Brand damage, Litigation, and Occupant harm, loss of life.
BMS and EMS cyber threats are real. Today cyber security protection and risk prevention for building automation systems is a necessity. Building automation networks and IT networks should not be treated differently when it comes to cyber security and threat protection. Just like an IT network (you invest in its cyber protection), building automation networks should have multiple layers of defense and protection as well as policies and procedures that are continuously addressed. It should be part of an overall risk management process.
We have adopted the use of the Internet and its communication capabilities to further the development of smarter and more advanced technologies that help better operate and manage our Building Automation and Energy Management systems. Security is no longer a technical challenge; it is a core business issue. Our modern systems consist of many connected, integrated, interoperable systems and devices and intertwined business applications — all are critical for the building to run and perform at maximum efficiency and financial optimization. A security breach or an outage to a business application or an entire network has a direct impact on a company’s bottom line.
Cyber related issues play a growing role within our building networks. They are not immune to attacks. Don’t underestimate the potential for cyber vulnerabilities. It only takes one single breach to compromise the whole infrastructure and cause a serious issue.
The best way to approach cyber threats is to realize one simple truth: It is not if an attack will happen; it is only when. It is all of our responsibility to take an active role.
About the Author: Marc Petock is Vice President, Marketing at Lynxspring and Connexx Energy where he leads corporate and product marketing strategy and execution, brand management, public relations and communications to support both companies’ strategic and growth initiatives. Marc is a contributing author, noted speaker and recognized industry leader having earned Realcomm’s Top 35 People to Watch for the last six years in a row, Who’s Who in M2M, a Digital Impact Award and several other industry accolades. Marc also serves on the board of directors of Connexx Energy and as an advisor to Realcomm.
Lynxspring along with Netop recently launched LYNX CyberPRO the industry’s first cyber-threat protection solution designed specifically to enhance the protection of commercial building automation and energy management systems. For more information visit www.lynxcyberpro.com.