Breaking Down Building System Threats and Cybersecurity for CRE: Scans and Printers

March 28, 2022 | By: Fred Gordy, Intelligent Buildings, LLC

Building cybersecurity is a major issue affecting thousands of commercial properties. Understanding the importance of cybersecurity is integral to preparing for cyber-attacks, and these examples give an idea of the consequences a cyber-attack can have. In this article, Fred Gordy, Director of Cybersecurity with Intelligent Buildings LLC, gives real-world examples of incidents that his company has experienced. These stories are based on actual events with modifications to mask the identity of those affected.

Over 6,000 Devices Knocked Offline

Event Type: Policy Enforced/Lack of IT Understanding

A large commercial real estate building of over 100 floors was built with all the latest Smart Building technology, and cybersecurity for IT and Operational Technology (OT) was built into the foundation of all these systems. To further ensure that cybersecurity specifications were met, they hired Intelligent Buildings to cyber commission the more than 10,000 devices in the facility.

The systems had been fully commissioned and were effectively turned over to the owner. The HVAC vendor was making final adjustments to the system and noticed that they could not connect to a device they had been working on just before lunch. They began checking other devices and found that none of the devices they checked were responding. The technician went and directly connected to a device nearby, and it was unresponsive.

The tech power cycled the device and was able to connect to it directly. The tech then tried connecting to the same device over the network and was able to connect. However, none of the rest of the devices throughout the building were responsive. This represented over 100 devices. This did not include the field devices.

In the meantime, the vendor responsible for the power monitoring noticed that the devices monitoring the racks were unresponsive. The number of devices totaled over 2,000. The vendor technician had to climb a ladder to investigate. The tech power cycled the device, but in this case, they had to connect via a serial cable to confirm that the device came back online and to ensure that the configuration parameters the vendor had set were still in the device. At this point, other vendors (lighting, elevator, etc.) noticed they had unresponsive devices as well.

The vendor began reaching out to the general contractor and project management to inform them the systems were now not ready for occupation. The discussion started as to what was to be done. Delaying occupancy of the building was on the table but not really an option legally. Each of the vendors had been working independently and was not aware there was an issue across other systems. So now the question was, what happened? Vendors started contacting IT to see if they could identify a cause, if there were one, from an IT perspective. IT did not see anything that they knew could have caused it.

The cyber commissioning company (CCC) was contacted to determine what might have happened. CCC found out about the vulnerability scan. They asked IT about the scans that were used. The type that was used is a known device killer. It effectively acts as a denial of service (DoS) attack on the devices. The devices cannot handle the interrogation this type of scan performs.

The vendors had to go to each device and manually reboot their devices one at a time. The vendor of the data center rack power monitoring devices had to climb a ladder over 2,000 times because each device had to be manually rebooted and connected. This vendor made the statement, “If this happens again, we’ll give you a ladder, laptop, and serial cable, and you can do it yourself.” It is believed that this one scan cost in the high six figures.
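One way to gate a scan before it is launched, as an added example (not code from the article or from Intelligent Buildings): the scanner's target list is compared with the OT ranges in the asset inventory, and every overlap is carved out and reported. The subnet values, system names and the `plan_scan` function are constructed for illustration; IPv4 only.

```python
import ipaddress

# Constructed sample values: hypothetical OT ranges from a building asset inventory.
OT_NETWORKS = {
    "hvac-controllers": "10.20.0.0/22",
    "rack-power-monitors": "10.20.8.0/21",
    "lighting": "10.20.16.0/24",
}


def plan_scan(targets, ot_networks=OT_NETWORKS):
    """Split requested scan targets into safe ranges and blocked OT overlaps.

    Returns (safe, blocked): safe is a sorted list of CIDR strings with every
    OT range carved out; blocked maps OT system name -> CIDRs withheld from
    the scan, for review with the system's vendor.
    """
    ot = {name: ipaddress.ip_network(cidr) for name, cidr in ot_networks.items()}
    safe = [ipaddress.ip_network(t, strict=False) for t in targets]
    blocked = {}
    for name, ot_net in ot.items():
        remaining = []
        for net in safe:
            if not net.overlaps(ot_net):
                remaining.append(net)
            elif net.subnet_of(ot_net):
                # Target lies entirely inside an OT range: withhold all of it.
                blocked.setdefault(name, []).append(str(net))
            else:
                # Target contains the OT range: carve it out, keep the rest.
                blocked.setdefault(name, []).append(str(ot_net))
                remaining.extend(net.address_exclude(ot_net))
        safe = remaining
    safe = [str(n) for n in ipaddress.collapse_addresses(safe)]
    return safe, blocked


if __name__ == "__main__":
    # Constructed request: a broad sweep, an office subnet, one rack subnet.
    safe, blocked = plan_scan(["10.20.0.0/16", "192.168.1.0/24", "10.20.9.0/24"])
    print("scan:", safe)
    print("withheld (OT):", blocked)
```

A non-empty `blocked` result is the point at which the scan request goes to the OT owner instead of the scanner.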

Printer Empties a Building

Event Type: Hack

Site assessments are a part of our day-to-day routine. This customer had contracted us to assess a sample set of buildings to get an assessment of where they stood. The first site we visited was one of their flagship locations with a couple of high-value target tenants. The systems to be evaluated were typical systems such as the HVAC, lighting, access control, elevator, etc. During the initial walkthrough, our assessor asked to see the parking system but was informed that it was not connected to any building networks and, therefore, would not be included in the assessment. The assessor asked if there were any policies that they, the building owner, required of the parking vendor. The company rep said no, other than the usual. The assessor said, “Whose name is on the building?” Nothing else was said.

A few weeks later, the assessor returned to this site. Between the first visit and this visit, an event had happened related to the parking vendor. The parking system had a network, and someone had added a wireless access point that was open to the web and had default credentials. Someone from the outside had gotten to the network printer and printed, “There is a bomb in the building.” As a result, the building had to be evacuated and emergency services called to locate the bomb.

No bomb was found; however, 30 floors of tenants, including two high-value tenants, lost productivity for over 24 hours, in addition to the reputation damage done. The person or persons responsible were never identified.

Conclusion

Building systems face risks not only from cyber-attacks but also from lack of understanding. Most are aware that attacks can happen, but most organizations have not taken lack of understanding into consideration. In most cases, and with good intentions, IT puts its tools and practices into play without considering the potential impact on the control system. In 2019, NIST (National Institute of Standards and Technology) released IR8228, which made three statements that explain what to consider and the differences between IT and OT systems.

  • Many OT devices interact with the physical world in ways conventional IT devices usually do not.
  • Many OT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
  • The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for OT devices than conventional IT devices.

IT does not understand that something as simple as patching the operating system of the application server could, at the very least, totally lock users out of the systems. Or worse, it could require months of rework and replacement of devices in the field. Or, as in the case of the thousands of devices knocked offline in the last story, a single vulnerability scan cost this organization around $1.25 million to fully recover. IT can be a great ally in the fight against cyber-attacks on OT systems, but they must be educated about how their policies, practices, and tools can impact building control systems.

 
