Cybersecurity Concerns in the Built Environment
While the information technology (IT) domain heavily invests in cybersecurity, with numerous prominent suppliers providing robust solutions, the situation is markedly different in the operational technology (OT) sector. Many facility operators lack a clear understanding of the OT assets within their buildings, which can lead to significant vulnerabilities.
These OT assets are often complex and extensive, incorporating specialized building automation systems that manage functions such as HVAC, lighting, energy management, fire safety, and security measures like access control and CCTV. Each of these systems is supported by a range of connected sensors and devices, from cameras to thermostats. Maintaining visibility and understanding the cybersecurity posture of these OT assets is crucial—not only for operational efficiency but also for safeguarding the broader supply chain.
The Cybersecurity Risks of Building Automation: A Case Study from Target
The importance of cybersecurity in the built environment became glaringly evident with the 2013 cyber attack on the retail giant Target. The breach occurred when a third-party HVAC vendor, granted remote access to Target’s building automation systems, was compromised by attackers. This allowed the cybercriminals to infiltrate Target’s network, eventually installing malware on point-of-sale (POS) systems. The result was one of the largest data breaches in history, with over 40 million credit and debit card accounts compromised.
This incident highlights how OT systems, traditionally considered separate from IT, can pose a significant risk to enterprise cybersecurity. The boundaries between IT and OT security are increasingly blurred, and an attack on one can have severe repercussions on the other.
Why Cybersecurity for Building Automation Systems is Often Overlooked
Despite the clear risks and historical lessons, many in the warehousing and logistics sectors have not thoroughly assessed the cybersecurity of their built environments. The OT domain within these environments often lacks the security expertise and adoption of recognized cybersecurity frameworks that are more common in industrial control systems (ICS). Standards like ISO 27000, NIST CSF, ISA/IEC 62443, and CIS Controls are less frequently implemented, leaving significant gaps in security.
In many cases, OT assets within building automation systems are not even segregated into dedicated networks. Instead, they often share networks with IT and enterprise systems, increasing vulnerability. As digital technologies become more prevalent in warehouses, the need for dedicated OT networks, properly segmented and defended, becomes increasingly critical.
The Expanding Cyber Threat Landscape with New Building Technologies
The ongoing shift to new technologies such as the Industrial Internet of Things (IIoT), cloud computing, and edge computing is driving more remote management and monitoring of building operations. As these technologies proliferate, the cybersecurity landscape for building automation systems is becoming more complex. Modern buildings increasingly incorporate “smart” technologies, from wireless thermostats to advanced sensors, which, while improving efficiency, also expand the potential attack surface.
The widespread adoption of IoT and remote connectivity has led to many buildings being managed remotely, but these connections are not always secure. Today’s integrated building automation systems can manage a wide range of functions beyond just HVAC or energy management, all within a unified system. However, this interconnectedness also raises cybersecurity concerns, as many solutions fail to adequately address security, often leaving it up to the end user to implement as an afterthought.
Steps to Implement Cybersecurity Programs in Building Automation
To mitigate risks, users should start by assessing the likelihood and potential impact of cyber threats on critical objectives like financial performance, safety, compliance, and operational continuity. A thorough cyber assessment of the built environment is the first step. Additionally, conducting a detailed asset inventory is crucial, as it often reveals unknown or insecure assets within OT networks, such as unprotected IP cameras or rogue wireless access points.
Adopting existing cybersecurity frameworks and standards is a practical way to initiate an OT security program. Resources from organizations like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) provide valuable guidelines and tools. The ISA/IEC 62443 standards, widely used in the manufacturing sector, also offer a comprehensive approach to OT cybersecurity.
In summary, taking proactive steps to understand and address the cybersecurity risks in your built environment is essential. Ignoring these risks can lead to significant vulnerabilities, but even small steps towards improving cybersecurity can make a substantial difference.
