By Matt Ehrlich
From the February 2020 Issue
Cyberattacks are increasing, and threat actors are continually evolving and looking for easy access. As IT boundaries strengthen, building control systems often offer a path of least resistance for these cyberthreats. In traditional IT, the focus is mitigating risk and solving problems, but in operational technology, organizations often don’t know what risks and problems exist. It’s critical to determine what you know, and recognize where your operational technology (OT) vulnerabilities still exist. Fortunately, there are ways to protect your facility and your organization.
Basics of IT, OT, and IoT. With varying cycles of innovation, keeping up with the landscape of IT, OT, and IoT (Internet of Things) can be complicated. IoT and OT are not the same thing but are related. IoT includes connected devices, while OT involves building controls—things like commercial HVAC, lighting, elevators, access control, water treatment, and power monitoring. This type of OT is commonly referred to as building automation or building management systems. (Critical infrastructure, such as oil and gas, the power grid, and water control, is also considered OT, but is known to vendors as industrial control systems/supervisory control and data acquisition.)
Risks Within Control Systems. There are varying degrees of awareness around what cyber and operational risks are currently present within these critical systems and how threats have taken shape within them. How the technologies have evolved affects where we are today. Historically, IT and OT have worked separately. These began to converge in the late 1990s with the advent of web-based controllers, and the convergence ushered in the necessity for IT and OT to collaborate. However, collaboration is just now beginning to occur. IT is becoming more involved in the process of securing building control systems, but policy and education must occur for both IT and OT.
In one case, a healthcare organization’s IT department updated Java on several control system front-end/application servers. The update crashed the application, and it couldn’t be restarted because the Java version was not compatible with the application. As a result, surgeries had to be canceled, which caused a ripple effect on the schedules and a lot of unhappy patients. IT had to uninstall the Java update, and the control system vendor had to reinstall the application. Vendor intervention was required to get the systems fully functional, but the damage due to the failure was already done.
Differences in IT/OT Innovation and Budget. IT has had years to prepare and budget for cybersecurity. If IT experiences a cyberattack, they can buy new or update existing tools to bolster their defenses. IT now expects and reacts promptly to change—budgets allow for hardware to be replaced every three to five years and software to be upgraded and updated often. OT, on the other hand, performs upgrades out of necessity. Because OT operates on a delicate balance of what is necessary to maintain a functioning control system, updates and patches are often viewed as having the potential to disrupt and create additional work.
The easy access that control systems offer began with years of focus on system availability to facility engineers and open protocols to allow interoperability between various manufacturer platforms and system types. Identifying risks within these control systems and devices is often overlooked, and as a result, the reality of risks may not be identified until after an event occurs.
Solutions to Protect Your Organization’s Operational Technology. There are basic, low-cost solutions that can go a long way in increasing control system security.
- Inventory and assessment: Most organizations don’t know exactly what control systems, contractors, and connectivity exist in their portfolio, which makes even the most basic remediation cumbersome, if not impossible. Start with an IT/OT assessment to establish a baseline of all connected devices in the network.
- IT solutions: Place publicly exposed devices behind a firewall or secure gateway device with a facility management-owned and controlled remote access solution. Implement unique users with role-based access. Control vendor access through policy and enforcement.
- Vendor Management 2.0: Create policy not only for remote access, but also for system setup, configuration, and backup of all control systems, and regularly audit. Incorporate threat monitoring designed and implemented specifically for OT systems.
- Experienced partner: Find a services provider that understands your business goals and can partner with you in securing building control systems.
Although not a complete list, these steps can protect an organization against a hacker’s attacks as the organization continues to improve its overall operational technology cyber posture.
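As an added illustration (not part of the original column), the inventory, exposure, and unique-user checks from the list above can be run against a documented device inventory and a network discovery export. The CSV columns, the internal address range, the list of shared account names, and all sample data are assumptions constructed for this example.

```python
import csv, io
from ipaddress import ip_address, ip_network

# Constructed sample data: a documented inventory and a discovery export.
INVENTORY_CSV = """name,system,ip,behind_gateway,accounts,backup
ahu-ctrl-1,HVAC,10.20.1.10,yes,jsmith:operator;mlee:admin,yes
lighting-gw,lighting,203.0.113.40,no,admin:admin,no
elev-panel,elevators,10.20.3.5,yes,vendor:,yes
"""
DISCOVERED_IPS = ["10.20.1.10", "203.0.113.40", "10.20.3.5", "10.20.9.77"]
INTERNAL_NET = ip_network("10.20.0.0/16")   # assumed facility OT range
SHARED_NAMES = {"admin", "administrator", "vendor", "operator", "guest"}

def audit(inventory_csv, discovered_ips):
    """Return (issues per device, discovered IPs missing from the inventory)."""
    findings, known = {}, set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        known.add(row["ip"])
        issues = []
        # Outside the internal range with no gateway in front: treat as exposed.
        outside = ip_address(row["ip"]) not in INTERNAL_NET
        if outside and row["behind_gateway"] != "yes":
            issues.append("publicly exposed, no firewall/gateway")
        # Accounts are "user:role" pairs; flag generic logins and missing roles.
        for entry in row["accounts"].split(";"):
            user, _, role = entry.partition(":")
            if user.lower() in SHARED_NAMES:
                issues.append(f"shared account '{user}'")
            if not role:
                issues.append(f"account '{user}' has no role")
        if row["backup"] != "yes":
            issues.append("no configuration backup")
        if issues:
            findings[row["name"]] = issues
    # Devices seen on the network but absent from the inventory break the baseline.
    unknown = sorted(set(discovered_ips) - known)
    return findings, unknown

if __name__ == "__main__":
    findings, unknown = audit(INVENTORY_CSV, DISCOVERED_IPS)
    for name, issues in findings.items():
        print(name, "->", "; ".join(issues))
    print("not in inventory:", unknown)
```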
Ehrlich is an executive director at TEKsystems Global Services, a provider of full-stack technology services that address the pressing strategy, implementation, and talent needs for more than 80% of the Fortune 500.