Building systems such as air conditioners, elevators, and door locks are collectively known to technologists as operational technology or OT. This equipment is vital to a building’s operation but is also often a forgotten avenue to get into a company’s private networks. One of the most high-profile examples of this was when Target was hacked during the holiday season in 2013. The hackers found their way in through remote HVAC controls. Eventually, they found their way into the retailer’s database and stole information on an estimated 40 million credit and debit cards. The incident sparked a multi-state investigation that Target eventually settled for $18.5 million plus, of course, the reputational damage that was done.
In order to prevent these kinds of hacks buildings need to be designed and used in a way that can seal off these systems from other private networks. In order to do that, though, building management first needs to understand what their risks are. Rahul Bammi, Chief Business Officer at View, a provider of smart building solutions, works with his clients to help them understand the need for more secure building systems and connected devices. “A lot of building owners and operators don’t even know they have a problem,” he said. “Sometimes they don’t know every piece of equipment that is on their network, other times they still have their login as ‘admin’ and their password as ‘password’, making them easy targets for hackers and bad actors.”
To stop buildings from being an easy entry point for hackers, Bammi and his team first create a clear separation between a building’s OT network and the outside world. “We put a firewall between the building’s connected devices and its OT networks so that anything behind it is invisible to the outside world,” he said. “We also provide customers with an integrated data platform, edge-compute capabilities, and a microservices architecture so they can safely extract data from every connected device.” From there the data goes into a secure data warehouse or a private cloud to be analyzed for the kinds of insights that can reduce their energy usage, lower operating costs, and improve operating efficiency. The key to doing this, according to Bammi, is modular, standards-based, scalable data architecture. Only then can important automations like HVAC control or occupancy sensing be implemented without worrying that bad actors might use it for their own nefarious purposes.
Making a building more secure isn’t just about proper data architecture, though. A gate is only as good as its gatekeeper so the system’s users also have to be diligent. Many hackers find that tricking people into giving them their login and password is often the easiest way into a network. “We can not reasonably expect real estate operators to be IT systems experts,” Bammi said. “We therefore created a platform and data architecture that is easy to deploy even across portfolios larger than several hundred buildings, scalable, and easy to manage and operate. We also monitor and update it continuously in order to keep it safe as new threats develop.”
A tight labor market has caused building teams to have more turnover than ever. That can create opportunities for hackers. Either by spoofing as a qualified user or by entering the building and plugging a malware device directly into the system. To prevent such threats, good cybersecurity systems should grant only the necessary permissions to each user, log every user’s interactions with the system, and instantly flag any unprotected devices or unusual activity. This way, even if a threat has been able to get into the system, it can be quickly identified and investigated.
The FBI has warned of increasing state-sponsored hacking from places like Russia and North Korea. These hackers can be particularly frustrating because they are not always looking to steal money or data, instead they are perfectly happy just creating chaos and throwing a wrench in operations. Now that buildings run on software, hackers are not just a cyber security threat, they can put the people inside a building in real physical danger.
To prevent what could go from a needless loss of time and energy to a real threat of harm, building systems are being designed from the ground up with cybersecurity in mind. To protect hackers from using an open system to get into more sensitive, private networks, each needs to be closed off to each other and every user needs to only be granted access to the systems that are critical to their role. Hackers are always going to eventually find flaws in a system, that is why it is also important to have a system in place that can automatically flag any strange behavior such as uploading a large amount of data or requesting administrative access. OT security might not be on the forefront of many building operators’ minds when they are doing their day-to-day jobs but someone at every building should be thinking about ways to prevent hackers from getting into the system and stealing sensitive data, or worse.
