Why Building Management Systems Face Cyber Threats

Enterprise Security Magazine | Wednesday, October 20, 2021

With advancements in technology, Building Management Systems are being used widely in large buildings, significantly increasing the risk of cyber threats.

FREMONT, CA: There are significant risks in the structural layout of large buildings and inherent issues with the devices themselves. Devices are either hidden in the ceilings or mounted in equipment vaults, out of public sight. Because so many of them operate in near-physical darkness, they can go unnoticed for months or even years. They may, on the other hand, be out in public, exposing themselves to hundreds of people. For a malicious actor, acquiring access is quite simple in all scenarios. When a device is hacked, it becomes a zombie that can be used to launch man-in-the-middle attacks.

As building management systems start to connect more to the Internet, there is no wonder that they are vulnerable to a lot of remotely started threats like malware, phishing attempts, worms,  and ransomware. Risk is significantly high by obscure system ownership and irregular maintenance practices. The installation of building systems is commonly designated to the lowest bidder during the construction stage. Subcontractors and system integrators gain these awards farther down the construction chain. The developer of the property ultimately turns the building over to the occupant to manage. Even though most of the companies outsource facilities management to a third-party property manager, it still remains dependent on the tenant's network (typically on a VLAN)

Corporate Information Technology (IT) is not usually expected to keep such extensive systems up to date (because they also control physical assets). The systems are often housed in satellite localities with limited or no immediate access to IT assistance. As a result, they are hosted on a corporate VLAN that needs limited surveillance, and the cybersecurity of building management systems tends to break apart in the maintenance and management structure.

Building systems entirely depend on local service companies to make programming modifications and mend faults to increase the matter even further. This means that an identical stream of vendors routinely logs in over the workplace network or remotely via a VPN. Endpoint security is lacking in this setup.

Intelligent buildings have various uses, including being physically safer, significantly more energy-efficient, more robust and more comfortable for employees. On the other hand, the industry is now beginning to discern the vast attack surface that these complex designs involve. Enterprise IT and Operational Technology security teams need to correct these flaws and establish best practices, or major consequences will follow.

Read Also

Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Bolstering Cybersecurity

Bolstering Cybersecurity

Amr Taman, Chief Information Security Officer, Al Ahli Bank of Kuwait
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation
Building Cyber Resilience during Covid-19

Building Cyber Resilience during Covid-19

Aleksandar Radosavljevic, Global Chief Information Security Officer, STADA
IAM may help secure data, but it needs to be protected as well

IAM may help secure data, but it needs to be protected as well

Marc Ashworth, Chief Information Security Office, First Bank