Author(s): Jesse Roman. Published on February 8, 2021.

Knowledge Race

When it comes to building systems cybersecurity, both the good and bad guys are still learning the ropes 

BY JESSE ROMAN

Examples of hackers infiltrating building systems become more numerous by the day, and include everything from pranksters hacking baby cameras to spy on families to nation states seizing control of and sabotaging a nuclear enrichment plant. Hackers have targeted smart thermostats to infiltrate a casino database; hacked parking garage printers to access a residential high-rise; and even hacked the operational systems of Google’s Australian corporate headquarters.

Perhaps the most well-known breach involving a building system occurred in 2013 when cybercriminals used credentials for the HVAC system to break into the customer service database of the retail giant Target. Some 40 million credit card numbers were stolen, resulting in Target paying an $18.5 million multistate settlement in 2017—the largest ever for a data breach. More recently, hackers have targeted medical devices, such as blood pressure monitors and telemetry monitors, to access to hospital networks. The vulnerabilities have led, in part, to an epidemic of ransomware attacks on US health care facilities—nearly 800 such attacks were launched against US hospitals in 2019, according to Emsisoft.

And those are only the ones we know about. “For every successful ransomware attack you read about in the news, there are five others that you never hear about because companies don't want it getting out that their facilities were compromised due to a vulnerability or a lapse of judgment,” said Phil Owen, the director of information assurance and cybersecurity at M.C. Dean.

The security experts I spoke with believe that loss numbers from building systems attacks could be even worse if not for the fact that many hackers don’t yet have the knowledge or foresight to breach those systems—the concept of smart sprinklers and alarms is just as new for the hackers as for some facility managers

Last November, M.C. Dean outfitted a two-story office building with the range of connected infrastructure—fire systems, elevators, IP cameras, wifi devices, HVAC, and more—found in modern buildings, and invited more than 60 teams of hackers from around the world to try to infiltrate it. One of the most interesting outcomes, Owen said, was how little attention the attackers paid to the building’s fire safety systems; none of the teams seemed to view these vulnerable systems as a worthwhile target.

“If they had, they could have owned those systems pretty easily,” said Ken Donaldson, the information systems security manager at M.C. Dean.

Owen said that the hacker teams skewed young and most likely didn’t yet have a sufficient understanding of how these fire systems work to mount an attack. “Attacking automation systems is not a neophyte game; it’s the older, more experienced professional who is going to understand how to do that,” he said.

But it’s not going to stay that way for long. With each successful breach of a large corporation like Target, or with every lucrative ransomware attack on a hospital, it’s a certainty that hackers will study these methods and devise even more innovative methods for capitalizing on previously overlooked vulnerabilities.

“I think we're all assuming that the bad side is still on a learning curve,” said Jens Alkemper, the director of cyber research at the insurance firm FM Global. “But as that’s happening, the defense side has to be working to shorten its learning curve as well. We have to be ready for this, because It's coming.”

JESSE ROMAN is associate editor of NFPA Journal.