The Cyber Threat to the Built Estate

First appeared in Tomorrows FM Magazine April 2013

Increasingly smart technology and systems could be placing our buildings at risk of cyber-attack. The realities of a remote attack are seriously and potentially dangerously under-scoped in the built estate security picture. The big picture includes not only the security of our buildings but of our national infrastructure. Smart buildings we hear the phrase all the time, some of you may manage one, some buildings may not be so apparently smart but their systems could be. Say for instance, remote access air conditioning and climate control. Web enabled, a business can take advantage of being able to control the climate in a building, via a web- based platform, potentially from hundreds of miles away. We at Advent IM have extolled the benefits of integrated systems, particularly between security and building management. The potential to be able to harvest data sets from integrated systems can have widespread business benefits when analysing and using it for cross silo insight. How these systems are hosted and secured and the resulting data managed however could have a big impact on whether there is vulnerability being created as an unintended consequence. In the old days, CCTV span in its own (coaxial) orbit. Now, along with many other security and management systems, CCTV and its resulting images are networked. But are these systems protected in the same way as other networked systems? There has been coverage in the press recently about a large number of DVR manufacturers (19 I believe) that all use allegedly vulnerable firmware, creating CCTV DVR systems that basically allow a hacker to enter, watch, copy or delete images. You can read about it in detail here http://www.theregister.co.uk/2013/01/29/cctv_vuln/ In times which are increasingly paranoid about backdoors in imported (primarily Chinese) equipment and systems, we cannot make assumptions about the security of any system, software or hardware regardless of whether it is a security system or not. For example, the recent panic about a US used microchip imported from China which has a backdoor allowing it to be remotely shut down or re-programmed without the users knowledge. We have also heard the story about pre-loaded malware on brand new PCs purchased by Microsoft again from China. You can
Advent IM Ltd 2013 any republishing in part or full with express permission of Advent IM

probably see where this is going. Its beyond the security of a building now and moving into the security of the National Infrastructure and everyone has a part to play in that. So these examples show a buildings potential cyber vulnerability. One last anecdotal example, recently during a site visit to a client, an Advent IM consultant discovered a door entry system sat on a network, however it was entirely without a firewall or any other kind of protection. To assist the client in understanding why this was a bad idea, the consultant accessed the system remotely, first locking the building down, preventing anyone from leaving or entering, then opening it up, making all areas freely accessible to anyone. (This was a short, controlled demonstration before you panic.) Bear in mind also that many modern systems generate information or Big Data. For instance, using PIRs to help work out peak occupancy or having them report by exception to help work out efficient Air Con and climate control during periods of non-occupancy. It may also include door entry data, perhaps to ensure that someone who has not swiped in cannot get their workstation powered up as technically they are not present. This data is valuable. Could it have a value to someone who may be intent on attacking a building or its people? It needs to be generated, managed and deleted securely. Add these elements together and think about it. A determined cybercriminal targets your building. It may not be to attack your business; it may be a neighbour, perhaps the building is multi tenanted. (do you know who all your neighbours are? Now might be a good time to make sure they are scoped in your threat assessment). Within minutes the building could be disabled door entry system disabled or locked down automatic barriers disabled or locked down CCTV disabled or similarly compromised fire & life safety systems disabled and finally Air conditioning disabled

Now the building, its assets and its people are now at the mercy of someone who could potentially be on the other side of the word. (Just ask Iran about Stuxnet) For a building to be truly smart, the people need to be in the mix too. This might be FM staff and Security staff working together it might be extensive training in new areas for existing building management staff. If it is multi tenanted then it might be the building FM or Security staff ensuring all tenants staff have adequate security awareness training to make sure all systems work as they are supposed to work and
Advent IM Ltd 2013 any republishing in part or full with express permission of Advent IM

everyone understands the part they play in security. So the building, the technology and the people create something truly smart.
By creating these powerful smart buildings, people, systems and data, we have in effect, created another asset, the smart entity itself. This asset needs to have as much care taken to protect it in cyberspace as any other cybervulnerable asset. Unfortunately, the critical element we mentioned here is people. People are the loose cannon when it comes to security. Sometimes its due to poor training, sometimes due to negligence or occasionally due to malice, but they cause headaches for an awful lot of Security Managers. A recent survey from Deloitte (Deloitte Global TMT Survey) revealed that 70% of responding organisations said that a lack of security awareness was vulnerability, yet less than half of the respondents had any form of security related training in place. So hypothetically, we have created one vulnerability and enabled it with another.

We need critical thinking around secure security systems. Though a DVR system for CCTV may be a security system, we have explained here why we shouldnt be assume it is secure and therefore the appropriate steps for all security and BM Systems have to be taken in order to protect them and the information they create in the same way we protect all other physical and information assets. Our marvellously integrated systems and buildings needs marvellously integrated security thinking too. They need to be brought into the asset fold and penetration tested along with other systems. The cyber threat to the built estate should be included in every Threat Assessment and scoped into every Business Continuity Plan. As our buildings get smarter, our integrated thinking has to keep a pace.

www.advent-im.co.uk Head Office: 0121 559 6699

Advent IM Ltd 2013 any republishing in part or full with express permission of Advent IM

London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
Our blogs www.adventim.wordpress.com

www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com www.adventimschoolsecurity.wordpress.com

Advent IM Ltd 2013 any republishing in part or full with express permission of Advent IM