Cyber attacks are an unfortunate reality of our connected world, and as more of our smart buildings get online, it seems there is no stopping the increased threat to them from hackers. While we may be helpless in reducing the wide variety of attempts to bring down or hold to ransom our connected assets, we can do more to protect ourselves against the effects of these attacks.
In the highly anonymous world of hacking, it seems there is often little or no moral code. In February 2017, for example, hackers disrupted the services of the Hollywood Presbyterian Medical Center, a hospital facility in Los Angeles. The attack blocked access to patient records, laboratory results, surgery and critical patient information – with experts equating the human cost to some natural disaster situations.
This was not a terrorist scenario however, it was in effect a cyber-kidnapping, as the critical hospital systems would only be released once a ransom was paid. The medical center eventually paid the $17,000 ransom in untraceable bitcoins, while the subsequent LA police force and FBI investigations were unable to track down the perpetrators.
This nefarious attack on a vital healthcare facility is not an isolated event. In May this year, the global WannaCry ransomware attack targeted, among other things, the British National Health Service (NHS), forcing hospitals across the country to turn away patients. Less than two months later, the ExPetr ransomware attack disrupted, among other things, the Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh. Even more disturbing, the latter of these incidents did not include a release function once the ransom had been paid.
“One of the key differences [of ExPetr] from WannaCry is that there doesn’t appear to be a kill-switch, i.e. a mechanism that will stop if from infecting. This is why it’s essential to ensure that systems are fully updated and to ensure that data is backed up regularly,” Kaspersky’s Principal Security Researcher, David Emm, told Memoori shortly after the event.
The Internet of Things (IoT) and smart buildings seek to connect our physical world to bring about efficiencies and a host of other benefits that are elevating society into a new technological era. “Smart buildings promise significant benefits to owners and operators in terms of efficiency, safety, comfort and functionality, but these systems also carry potential costs, as without the right levels of protection, they can act as tempting targets for would-be hackers and or malicious insiders,” states our recent report Cyber Security in Smart Commercial Buildings 2017 to 2021.
These IoT devices, when improperly secured, provide the easy entry point for hackers into wider systems. Furthermore, IoT devices on mass have been used as ammunition for Distributed Denial of Service (DDoS) attacks, which overwhelm systems through a barrage of digital requests – the most infamous of which bringing down a host of major online services in October 2016.
“In an IoT world where a camera or building management system (BMS) can potentially launch a cyber attack and disable a building’s critical services, there is an imperative to address these risks at all levels of the build, design and deployment stages. Builders, engineers and critical services specialists who do not factor in potential cyber risk threats as part of their design considerations expose their assets, their occupants and the public to considerable risk,” explains Alan Mihalic, Senior Cyber Security Consultant for Norman Disney & Young.
Mihalic promotes “security by design” as the only way to effectively protect against the wide diversity of cyber attacks our smart buildings are now vulnerable to. This philosophy requires that the construction, building infrastructure and facility management sectors better incorporate cyber security into the core of their design processes.
“The inclusion of smart technologies within building services and design considerations requires a collaborative approach to help ensure that security and privacy standards are maintained,” says Mihalic. “This collaboration must extend to electrical and mechanical engineers, HVAC, fire safety, BMS, and audiovisual specialists. Whether engineering companies work in collaboration with cyber security firms or build out their own competencies, the need for an integrated approach to cyber security challenges is required,” he adds.
In a ‘better late than never’ scenario, industry bodies such as the not-for-profit Internet of Things Security Foundation (IoTSF) have established working groups to address key industry requirements. Such foundations are tasked with developing vital channels of communication between engineers, designers and urban planners on cyber security issues. As the physical world gets increasingly connected, the physical industries must become increasingly cyber security savvy.