by Deke Smith and Jim Whittaker — Originally published in the March/April 2016 issue of FMJ
RISK, IMPACT AND PREPARATION
There is an 800-pound gorilla in the room that most do not want to recognize exists — IT security.
The risk has reached extreme levels and can bring about significant calamity quickly. It affects individuals, companies and countries on a daily basis. It can take the form of identity theft or corporate espionage, to name a few.
While facility managers may consider IT security to be someone else’s responsibility, recent cyberattacks on facilities and through FM IT portals have demonstrated vulnerabilities that FMs must take part in addressing. While the level of protection is normally based on the value of the information or items being protected, penetration into a network will likely be through its weakest link. For example, the financial records of a corporation could potentially be accessed through the heating, ventilation and air-conditioning (HVAC) controls system in order to pass classified information in the clear.
Between 2011 and 2014, the number of cyber incidents involving building automation systems (BAS) reported to the U.S. Department of Homeland Security (DHS) increased by 74 percent. The following examples illustrate that these systems are at risk:[1]
- In 2014, a U.S. federal agency reported a cyber incident at a wastewater treatment plant.
- In 2013, the retailer Target experienced a breach in its payment card data, which the company believes occurred after intruders obtained an HVAC system vendor’s credentials to access the outermost portion of its network.
- In 2010, a sophisticated computer attack was discovered that targeted control systems used to operate industrial processes in the energy, nuclear and other critical sectors.
- In 2009, a security guard at a Dallas-area hospital loaded a malicious program onto the hospital’s computers, one of which controlled the HVAC control system for two floors, which, according to court records, could have affected patients’ medications and treatments.
- In 2006, Los Angeles city employees hacked into computers controlling the city’s traffic lights, an action that disrupted signal lights and caused substantial backups and delays.
Because our IT assets are such a target-rich environment, it may seem only a few are affected. However, the problem is massive and not easily managed because of the level of dependence we now have on Internet-connected devices.
To increase efficiency, centralized control of building and access systems is increasingly achieved through automation. These systems, and the devices within them, are often configured with connections to the Internet. These Internet connections allow remote access to the systems for software patches and updates, which also makes them vulnerable to cyberattacks.
Intelligent buildings operate on a single communication backbone, which creates opportunities for attack by hackers. More than 84 percent of respondents to an automation survey[2] said they had BAS connected to the Internet. Some Internet-enabled building and access control systems in facilities include:
- Closed-circuit camera systems: Cameras, televisions or monitors, recording equipment and video surveillance capabilities
- Access control systems: Card readers, control panels, access control servers and infrastructure such as door actuators and communications lines, which restrict access to allow entry of authorized persons only
- Fire annunciation and suppression systems: Fire alarms, emergency communication equipment and water-based or other systems designed to prevent, extinguish or control a fire or other life safety event
- HVAC systems: Equipment for heating, cooling, moisture control, ventilation/air handling, and measurement and control (often managed through a BAS)
- Power and lighting control systems: Lighting devices and their controls, advanced metering controls, power distribution systems, and emergency power or lighting systems (often managed through a BAS)
- Elevator control systems: Operating machinery, safety systems and control systems or panels
A cyberattack on our power grids or communications infrastructure would impact our world as effectively as climate change or war. Without an information infrastructure, all communication, finance, transportation and work would stall. Add a lack of power and even toilets or potable water would be inaccessible.
IT security includes not only securing the information itself, but also protecting the grid delivering the power needed to run devices. The fact is that power and information flow can be affected by anything from that which is beyond our control (like a solar flare), to an electromagnetic pulse as occurs with the explosion of a nuclear device, to terrorism or simple vandalism. All of these possibilities substantially increase the scope of the protection issue.
Another area of vulnerability is through open-source software applications and interoperability of building information modeling (BIM). While BIM is most often thought of as a tool for design and construction, it is also now increasingly viewed as a tool for operations and maintenance. The information developed during design and construction can be of significant value in supporting IT management, IT infrastructure and thus IT security.
BIM offers a huge advantage by showing IT infrastructure overlaid on physical infrastructure. Knowing exactly where cabling is located can help prevent cutting a cable accidentally when remodeling interiors. This is also true for externally buried cable. Utility location services can help, but knowing what devices are affected is also of significant value and a utility locator does not give this level of detail. Make sure your redundancy is not two cables buried in the same trench.
Cyber security has been under discussion for quite some time, but it seems to be an issue that doesn’t come to the forefront until major disasters occur and/or government regulations are published. It is likely that both of these will be motivators for improving building automation systems and interoperability via BIM in the future.
Some recent U.S. government regulations and international standards addressing cyber security include:
- ISO 27001: Information technology – Security techniques – Information security management systems – Requirements: This international standard was developed to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
- U.S. Homeland Security Act of 2002: Under section 1706 of the Homeland Security Act of 2002, DHS is required to protect the buildings, grounds and property that are owned, occupied or secured by the federal government as well as the persons on the property.
- U.S. Federal Information Security Management Act of 2002: The act requires, among other things, that:
  - Each agency develop, document and implement an information security program to include periodic assessments of risk, policies and procedures that are based on these risk assessments; security awareness training for its personnel; and periodic testing and evaluation of information security policies; and
  - Each agency prepare and maintain inventories of major information systems under its control and develop procedures for detecting, reporting and responding to security incidents.
- U.S. National Institute of Standards and Technology (NIST) Standards and Guidelines: NIST is responsible for providing information security standards and guidelines for non-national security information and information systems.
- U.S. Presidential Policy Directive 21: Issued in February 2013, this directive establishes the protection of critical infrastructure against both physical and cyber threats as national policy. The directive:
  - Requires DHS to provide strategic guidance to promote the security and resilience of the nation’s critical infrastructure; and
  - Tasks agency and department heads with the identification, prioritization, assessment, remediation and security of their internal critical infrastructure that supports primary mission-essential functions.
In addition, the U.S. Cybersecurity Act of 2012 sought to protect computer networks running power grids, gas pipelines and water supply and transportation systems from hackers by creating security standards. The act, however, was not enacted by Congress.
Fortunately, businesses can implement a first line of system protection based on personal information protection by requiring individuals to have access cards, to know passwords and/or to use biometrics such as fingerprint or iris scanners. Today, however, few organizations require such a robust level of protection. In fact, they most commonly rely on relatively easy-to-guess passwords, which are poorly protected and often shared. Full protection should also include physical protection, survivability and hardening (securing a system by reducing its surface of vulnerability), as well as backup and redundancy.
The solution, just like the problem, is complex and multilayered. The first step is to develop awareness of the issues, ensuring that all stakeholders are keenly aware of the critical risks and enormous impacts. Then, develop a usable and realistic disaster recovery and continuation of operations plan (DR/COOP).
Disaster recovery and continuation of operations plans should consider:
There are some excellent international standards, such as ISO/IEC 27001:2013[3] and ISO/IEC 22301:2012[4], that provide the full scope of a DR/COOP. Although each organization should adjust the plan according to its needs, it should also address the issues identified in these standards.
Redundancy, backup and well-trained personnel are keys to flawless operation. ISO standards are also foundational to developing a framework that will ensure access to data long into the future, which is critical for facility support.
An IT security operation can range from protecting data on computers or smartphones to an infrastructure operations center that continuously monitors all IT assets. Often in the latter configuration, the monitoring of a larger infrastructure is likely combined with a network operations center, as well as linked to physical security systems in order to make it as cost effective and as comprehensive as possible.
Even with the best of intentions and an unlimited budget, it is unlikely that all potential problems will be eliminated. Organizations should be prepared to act quickly when the inevitable event occurs. They should predetermine a plan and rehearse it on at least a monthly basis. Ideally, business processes will be in place that can be modified through a change management process. One of the items mentioned in ISO/IEC 27001:2013 is identifying goals and working to achieve them. It is of significant value to know how long it takes the IT team to identify and correct problems.
Security of operational information technology
The role of facility managers has expanded to include working with the chief information officer and the assets associated with supporting IT. In addition, BIM and facility products are becoming so closely integrated with IT that ultimately every object will have an IT component in the envisioned Internet of Things.[5]
From an environment not that many years ago in which few on the FM team even had a computer, to today when everyone now has mobile connectivity, information security has become everyone’s issue. FMs manage data centers and increasing amounts of both sensitive and critical facilities, people and financial data.
With BIM and BAS enabling the use of more real-time facilities information and control, FM professionals have an ethical responsibility to protect not only physical and personal property, but information as well. They have to tailor a response predicated upon several things, including the degree to which users of BAS have access to other organizational networks, IT capabilities, use of vendors and outside contractors (and how those vendors are allowed access to networks), and finally, education of staff, who in many ways are the linchpin behind the security of an organization’s operational technology and informational technology.
1. GAO. 2015. Federal Facility Cyber Security: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems. GAO-15-6. Washington, D.C., USA.
2. FacilitiesNet, 2015.
3. ISO/IEC 27001:2013(E) – Information technology — Security techniques — Information security management systems — Requirements, published 2013.
4. ISO/IEC 22301:2012(E) – Societal security – Business continuity management systems – Requirements.
5. en.wikipedia.org/wiki/internet_of_things. Accessed Dec. 7, 2015.
Dana Kennish “Deke” Smith, FAIA, is a partner in the firm DKS Information Consulting, LLC and a senior analyst with Cyon Research. He was formerly the executive director for the buildingSMART alliance®, a council of the U.S. National Institute of Building Sciences, and a member of the buildingSMART International Executive Committee. He is co-author of “Building Information Modeling: A Strategic Implementation Guide,” published in 2009 by Wiley.
James P. Whittaker, P.E., CFM, CEFP, FRICS is president and CEO of Facility Engineering Associates. Whittaker has more than 27 years of experience managing facility management technology and consulting projects throughout the United States, the U.K. and Central and South America.
Currently, he is past chair of IFMA, chair of the ANSI US/TAG for ISO TC/267 FM Standards (ISO 18480-1 and 2), convenor of WG3 for ISO 41000 FM Management Systems Standards and serves on the board of directors for the National Research Council of the National Academies of Sciences Board on Infrastructure and the Constructed Environment.
Whittaker sits on the industry advisory board of Brigham Young University’s Facility and Property Management degree program and is an instructor in the facility management program at George Mason University. He has also served on the APPA Educational Facilities Professionals board of directors and on numerous IFMA committees.