THANK YOU FOR SUBSCRIBING
With advancements in technology, Building Management Systems are being used widely in large buildings, significantly increasing the risk of cyber threats.
FREMONT, CA: There are significant risks in the structural layout of large buildings and inherent issues with the devices themselves. Devices are either hidden in the ceilings or mounted in equipment vaults, out of public sight. Because so many of them operate in near-physical darkness, they can go unnoticed for months or even years. They may, on the other hand, be out in public, exposing themselves to hundreds of people. For a malicious actor, acquiring access is quite simple in all scenarios. When a device is hacked, it becomes a zombie that can be used to launch man-in-the-middle attacks.
As building management systems start to connect more to the Internet, there is no wonder that they are vulnerable to a lot of remotely started threats like malware, phishing attempts, worms, and ransomware. Risk is significantly high by obscure system ownership and irregular maintenance practices. The installation of building systems is commonly designated to the lowest bidder during the construction stage. Subcontractors and system integrators gain these awards farther down the construction chain. The developer of the property ultimately turns the building over to the occupant to manage. Even though most of the companies outsource facilities management to a third-party property manager, it still remains dependent on the tenant's network (typically on a VLAN)
Corporate Information Technology (IT) is not usually expected to keep such extensive systems up to date (because they also control physical assets). The systems are often housed in satellite localities with limited or no immediate access to IT assistance. As a result, they are hosted on a corporate VLAN that needs limited surveillance, and the cybersecurity of building management systems tends to break apart in the maintenance and management structure.
Building systems entirely depend on local service companies to make programming modifications and mend faults to increase the matter even further. This means that an identical stream of vendors routinely logs in over the workplace network or remotely via a VPN. Endpoint security is lacking in this setup.
Intelligent buildings have various uses, including being physically safer, significantly more energy-efficient, more robust and more comfortable for employees. On the other hand, the industry is now beginning to discern the vast attack surface that these complex designs involve. Enterprise IT and Operational Technology security teams need to correct these flaws and establish best practices, or major consequences will follow.