Internet giant Google is known to build impressive campuses and office spaces for its workers. No exception is its Wharf 7 office in New South Wales, Australia, where it moved a number of employees when the company experienced a boom in growth in 2012.
The building was constructed to "encourage the interaction and collaboration that is key to the innovation Google promotes," IDEA Awards, an interior design awards program, states on its website. A gaming room, café, bridges, and walkways all contribute to the collaborative look and feel of the building.
While the interior design of Google's Wharf 7 is impressive, two security vulnerability researchers discovered that the system controlling much of the building's functionality had not received as much attention.
Billy Rios and Terry McCorkle, both of security firm Cylance, gained access to the corporation's building management system, a computer-based system that controls electrical and mechanical functions within the facility. They achieved this breach by exploiting unpatched vulnerabilities. In other words, they accessed the network that controls HVAC, lighting, fire and life safety systems, and more, because Google had not run security updates on some of those platforms.
"Among the data they accessed was a control panel showing blueprints of the floor and roof plans, as well as a clear view of water pipes snaked throughout the building and notations indicating the temperature of water in the pipes and the location of a kitchen leak," according to a May 2013 Wired article.
Upon learning of their research, Google promptly patched their systems and thanked the white-hat hackers for their warning. The lessons learned have far-reaching effects for facility and security professionals as they navigate their buildings' complex automation and control system environment.
Intelligent Building Management Systems
Intelligent building management systems (IBMS) are embedded in most contemporary buildings. IBMS continue to grow by anywhere from 15 to 34 percent each year, according to a report from revenue intelligence company MarketsandMarkets. Such growth is due to the demand for reduced operating costs, improved information flow, greater sustainability, and meeting increasing government regulation in building ownership and operations.
By 2022, it is estimated that the IBMS industry will be worth approximately $104 billion, according to a study by Transparency Market Research. However, this technological enhancement comes with a substantial set of security vulnerabilities that many facility and security professionals have not accounted for. As the Google example shows, if the security of IBMS is not considered, organizations will remain exposed to harm from nefarious actors.
Vulnerabilities. The security vulnerabilities associated with IBMS stem from their incorporation across the built environment. IBMS integrate a building's operational management systems, such as HVAC, lighting, and life safety systems. They are also integrated into security systems, such as intruder detection, access control, and surveillance systems.
A detailed research project, funded by the ASIS International Foundation, the Building Owners and Managers Association (BOMA), and the Security Industry Association (SIA), recently investigated the security of IBMS, including vulnerabilities and mitigation strategies, as well as facility managers' understanding and practice.
The following is a discussion of the security issues associated with IBMS in the modern built environment. One of the more significant outcomes of the research project is Intelligent Building Management Systems: Guidance for Protecting Organizations. This guidance document was developed to be a consultation tool to aid the decision making of security and facility managers, as well as provide guidance to protect a building against an array of threats and risks.
The scale of IBMS varies, from a small automated home heating system to a large and complex high-rise intelligent building, which centrally automates all functions including HVAC, lighting, elevators, audio-visual, security, and life safety systems, along with maintenance, administrative, and business functions.
With the advent of the Internet of Things (IoT), and its connectivity of all things electronic such as smartphones, vehicles, cashless vending, and more, IBMS will continue to expand into more diverse areas of everyday life. In other words, when you drive towards your building, the IoT will facilitate automatically opening the garage door as you arrive and allow your phone to open doors and turn on the building's lighting and heating.
The connectivity, automation, and control of the built environment with IBMS is achieved through a standardized technical architecture. This architecture is based on three defined component levels—management, automation, and field device.
The management level is the interface where a manager facilitates the day-to-day management of IBMS. The automation level is the core of IBMS and provides the primary automation and control devices, with controllers connected via a dedicated data network. The automation level implements defined rules set at the management level. The field device level includes the physical input sensors and output activators connected to the plant and equipment to monitor and control the built environment.
Security risks. The fact that many IBMS devices are linked through a common communications protocol introduces security risks. These consequences can be divided into categories of loss, denial, and manipulation. All of these potential hazards threaten the organization's ability to maintain occupancy, manage operations, and protect data. Such risks can result in threats to life safety, as well as major financial loss and reputational damage.
When IBMS are compromised, consequences may range from denial of service attacks to manipulation of building systems. For example, turning HVAC off is denial of control that may be uncomfortable for the building occupants as the temperature changes, but also has the potential to shut down computer network servers when they overheat.
Vulnerabilities within IBMS vary significantly, ranging from physical access to a field-level device to a highly technical remote cyberattack. Unauthorized access to an automation level controller may allow an attacker to manipulate local control of field devices or launch a cyberattack on the automation network. This attack may allow the actor to map out how the building is used, alter the automation and control programs to unlock doors and isolate alarms, and further access the network covertly.
Though IBMS attacks are rarely publicly disclosed, there are a number of notable examples. The Target breach of 2013, for instance, compromised more than 41 million payment card users when a hacker stole an internal network access credential from a third-party HVAC maintainer. In Finland, a denial of service attack on a company's network shut down the heating in two buildings. Popular hacker search engines, such as Shodan, publish a list of IBMS vulnerabilities that can be easily accessed.
Failure to understand and properly respond to IBMS vulnerabilities will result in exposure to security risks. Because of their abstract nature and the fact that they are often presented in a highly technical manner, IBMS vulnerabilities can be difficult for practitioners to understand and mitigate.
While IBMS include security functionality, most IBMS are managed and operated by facility managers rather than security professionals. However, these facility operators tend to focus more on broad organizational functions and cost management, and less on security, making it pertinent that security professionals pay close attention to these vulnerabilities.
The project found that the body of IBMS security knowledge is spread across a diverse array of literature. To date, there is no single source document that security professionals can use to understand the significance of this security concern or guide their threat mitigation.
Furthermore, the project identified several important issues in the security of IBMS: professional responsibility and the siloed effect, awareness and understanding of vulnerabilities, who the IBMS security experts are, the integration of security systems, and the lack of a common language in the security of IBMS.
Responsibility. The research found that facility professionals manage and operate IBMS, with 36 percent of participating building owners and operators indicating they have such a responsibility.
In contrast, security professionals predominately manage and operate the functional elements of the security systems, and information technology professionals manage and operate the technical elements of networked systems, including the broader IBMS architecture. Nevertheless, each profession generally focuses only on their areas of practice, resulting in silos of responsibilities.
Awareness. The project also found a significant disconnect between security and facility professionals' understanding of IBMS threats and risks and their technical knowledge of vulnerability significance. Although 75 percent of the security and facility professionals responded that they had an awareness of IBMS architecture—and half of these participants featured IBMS risks in their risk management documentation—the majority displayed a limited understanding of IBMS technology and vulnerabilities.
Both security and facility professionals rated the criticality of IBMS vulnerabilities as relatively equal in criticality. Such findings support the assumption that many professionals lack technical understanding of IBMS vulnerabilities.
Expertise. Within the project, an expert IBMS technical security group emerged. Integrators—vendors, installers, or maintainers—and cybersecurity professionals displayed a more accurate understanding of IBMS vulnerabilities and their organizational significance. This group rated attacks against the automation level equipment and its network at a higher criticality. Such attacks include manual override of the controller, automation network traffic monitoring, and unauthorized access to a workstation.
Unlike the security and facility professionals, who rated vulnerabilities at about the same level, the expert group identified a significant difference between the most and least critical vulnerabilities. This demonstrates that they hold a higher level of technical comprehension that can be leveraged by organizations to achieve more robust IBMS security.
However, many integrators provide service and maintenance, rather than best-practice operational and security advice. Participants noted that advice given by integrators may be viewed as an attempt to sell their products and services, and they may not be recognized as a strategic partner providing high-level IBMS security advice.
Effective management of the security of IBMS requires that integrators or cybersecurity professionals work with the facilities and security departments. These professionals could be in-house information technology or cybersecurity professionals, or third-party contractors such as integrators.
Half of the project's participants reported that IBMS integrated into their security systems, which can put these systems at increased risk. The type of security systems used varied widely among respondents. The study also showed a discrepancy between security and facility professionals' understanding of security risks and jurisdictional responsibilities.
Language. The project found that the IBMS term "integration" is not widely understood and remains broad and undefined, with various interpretations of meaning depending on a person's occupational role.
Consequently, there is a lack of understanding and clarity of language with IBMS terms and practices. Differences in the security and facility professionals' idea of what integration means shows a cultural difference between the perspectives of IBMS. This discrepancy of language can result in a failure to address vulnerabilities to system integrity.
The IBMS Guidance
To overcome the security obstacles to IBMS, the project developed a guidance document, Intelligent Building Management Systems: Guidance for Protecting Organizations. This document provides a first-generation publication for all relevant professionals to address the many and changing IBMS threats and risks, as well as the organization's ability to maintain occupancy and operations. The guidance will not only aid decision making in IBMS protection, but will help to develop a common language between IBMS stakeholders.
The guidance directs the reader to identify the organization's criticality, or impact level, if exposed to an IBMS-related event. Criticalities are ranked, using a matrix, across one or many categories such as operations, finance, safety, regulatory, information, or occupancy.
Security questions. Following are hierarchical, criticality-based IBMS security questions that are addressed. These security questions are divided into five levels of criticality that align to the criticality matrix, from low to critical. Responding to these questions facilitates either demonstrated compliance or the need to ask relevant professionals further questions.
The security questions are divided into subsections, comprising management, security risk management, personnel security, physical security, cybersecurity, incident response, continuity planning, and maintenance. A typical low level 1 security question is "Do you have a written and endorsed Security Policy?" In contrast, a critical level 5 security question asks "Do you undertake a IBMS specific threat assessment?" In all, there are 136 security questions, divided into impact levels from low to critical.
Looking ahead. Intelligent building management systems are becoming embedded into new buildings for many reasons, including the drive for greater operational efficiency and the need to meet increasing regulation. All building devices and equipment are likely to be converged with IBMS at some level of automation, including security systems.
For security professionals to have an awareness and be relevant in the modern organization, they must possess a professional level of IBMS understanding. To raise awareness and provide guidance, Intelligent Building Management Systems: Guidance for Protecting Organizations provides both the security and facility professional with the aggregated information they need to address IBMS threats and risks. Familiarizing themselves with the results of the research project will help security practitioners work alongside other personnel to provide effective security to their facilities.
SIDEBAR: ASIS INTERNATIONAL FOUNDATION IBMS REPORT RECOMMENDATIONS
Across the security and facility professions, the ASIS International Foundation research project identified several key recommendations:
Gain a better general awareness of your IBMS and its vulnerabilities. This awareness does not have to be a highly technical cybersecurity understanding; rather, a broad understanding of what your IBMS does, and its function in the business and physical locations. Many of the vulnerabilities are physical or procedural, in which general security strategies will provide a suitable level of protection.
Form an IBMS security working group from across the organization's stakeholders. This group will help to break down the siloed approach of IBMS and improve cross-department cooperation with membership from security, cybersecurity, facilities, engineering, and other relevant stakeholders.
Audit your building's IBMS. Know where the physical IBMS devices, such as controllers and communication networks, are located and their level of protection.
Ensure that IBMS is included in your security risk management documentation. For example, are the IBMS listed as critical components in the documentation? How do they help in incident response, and what happens to your security systems when IBMS fail?
Build a working partnership with IBMS experts, especially with information technology and cybersecurity professionals, as well as IBMS integrators. These professionals may be in-house or third-party contractors but should have an understanding of the security issues with IBMS.
Obtain a copy of Intelligent Building Management Systems: Guidance for Protecting Organizations. This guidance will provide you with a tool to rate your building and a list of security questions you can use to start addressing your IBMS security. The guide provides a first-generation document for all professions to address the many and changing threats and risks to IBMS and its organization.
Dave Brooks, PhD, MSc, BSc is the post graduate security science coordinator at Edith Cowan University in Western Australia. He is the ASIS International Western Australia Chapter 226 treasurer and member of the chapter's executive committee. Michael Coole, PhD, MSc, BSc is the security science course coordinator at Edith Cowan University in Western Australia. He is a member of the ASIS International Foundation Research Council.