Cyber Threat is now a very real physical threat to our buildings and national infrastructure. Hackers can now disable buildings, satellites, power stations, air traffic control and many other critical infrastructure elements. Learn more in this presentation from Mike Gillespie of Advent IM Ltd
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
The Cyber Threat to the Built Estate
1. Mike Gillespie – Advent IM Ltd, Independent Holistic Security Consultancy
The Cyber Threat to the Built Environment
2. • our buildings have become smarter creating new threats and vulnerabilities
• some threats may not be geographically sensitive – the threat can come from
anywhere
• our infrastructure is under threat too
• our attitude to ‘cyber’ needs to change
• we need to secure our security systems
• buying secure
• protecting them once installed
• cyber threat to our infrastructure and built estate has to be included in
Threat Assessments
coming up
3. Definitions
Smart - systems operating as if by human intelligence by using automatic computer control,
system or component that performs the correct action in a wide variety of complicated circumstances
Integrated - To make into a whole by bringing all parts together; unify
Holistic - Emphasizing the importance of the whole and the interdependence of its parts.
Concerned with wholes rather than analysis or separation into parts
Smart integrated holistic
5. Integrated systems providing big data and big benefits
Security integrating with other
systems such as heating,
creating Efficiency
improvement.
A better environment for users
and managers alike.
Cross business silo adoption
and application, returning
actionable information.
Helping move security from the
cost column and into the
investment column
aircon
light
access
control
restricted
access
heat
fire &
life
safety
water &
waste
intruder
detection
cctv
parking
control
power
management
6. The creation of this new integrated entity is the
creation of a not just a new and powerful building
management system but that of a new asset. An asset
without geographical location in the cyber world and
that needs to be protected.
a new truth
7. Cyber threat to the built environment: once your security
systems are networked, your smart building’s geography fails to
apply and your address becomes “Earth”…
…which means an attack on a building’s security systems could
come from anywhere on the globe, just ask Iran.
made in the USA
8. within minutes a building could be totally disabled
• door entry system disabled or locked
down
• automatic barriers disabled or locked
down
• CCTV disabled
• fire & life safety systems disabled
• Air conditioning disabled
10. Air quality and
conditioning systems
How secure are our security systems?
Door entry systems
CCTV and monitoring
systems
Alarm systems
some visuals courtesy of freedigitalphotos.net
11. our buildings and our national infrastructure
some visuals courtesy of freedigitalphotos.net
12. building cyber threat into Threat Assessments
some visuals courtesy of freedigitalphotos.net
13. in summary
• our buildings have become smarter creating new threats and
vulnerabilities
• some threats may not be geographically sensitive – the threat can
come from anywhere
• our infrastructure is under threat too
• our attitude to ‘cyber’ needs to change
• we need to secure our security systems
• buying secure
• protecting them once installed
• cyber threat to our infrastructure and built estate has to be included in
Threat Assessments
So we have established that networked systems create potential vulnerabilities and that traditional geographically based threats have now been augmented with the threat from cyberspace. But what could that look like potentially.? No one goes in no one goes out No vehicles can get through barriers Security systems compromised leaving people and assets vulnerable – CCTV breached or ineffective. Fire alarms or fire prevention such as sprinklers disabled, emergency lighting not working Air conditioning not working and temperature and air quality out of control in a building no one can get in or out of.
Some definitions to help us along the way.
Even if a building was not built to be a ‘smart building’ it can be made into one. Fabulous integrated systems sit all over buildings, controlling our environments, our movements and our safety. As users we rarely consider it (unless we work in FM) and yet it has a massive part to play in everyone’s working day. Frequently these systems will be hooked into a central control unit of some description. This is the cost effective way – integration and remote control of systems.
There is good business logic behind decisions to integrate systems. They can compliment each other and clever use can see things like security adding value to a business. For instance – setting PIRs to report by exception in low usage areas, enabling Aircon and lighting to be turned off or down during trough occupancy. The savings in this area can be huge. The end result is a more efficient building that can be managed from almost anywhere. For instance Air Con that can be accessed remotely over the net by the FM and turned off, turned down or fixed to never go above or below a certain temp. Key to that sentence was, ‘accessed over the web’
So we have a fabulous building with some very impressive kit in both BM and Security. These systems are networked and they are controlling our air quality, our security systems and our access in or out of places. That building and its occupants could be threatened not only by whatever sits in its vicinity, like a nearby animal testing lab that might attract attention from pressure groups, or by location in a high crime area for instance. It’s systems are networked and if they aren't properly protected or were insecure in the first place, the building is now under threat from anyone with a computer, web access and a desire to do some harm.
So our networked building is now a potential target for anyone. You may know all about what your business does to protect it’s systems but what about Building Management? Do you share a building? Do you know what your neighbours do? Could a vulnerability in their systems affect everyone in the building? It could come from anywhere, it could come from the other side of the world or be state sponsored.
So we have established that networked systems create potential vulnerabilities and that traditional geographically based threats have now been augmented with the threat from cyberspace. But what could that look like potentially.? No one goes in no one goes out No vehicles can get through barriers Security systems compromised leaving people and assets vulnerable – CCTV breached or ineffective. Fire alarms or fire prevention such as sprinklers disabled, emergency lighting not working Air conditioning not working and temperature and air quality out of control in a building no one can get in or out of.
So we have a wonderfully capable building but we have by unintended consequence created a hugely vulnerable asset that is open to the whole of cyberspace if we don’t secure it properly and holistically. It’s like putting a door in the middle of cyberspace, its only a matter of time before someone walks through it. If you’re lucky it will be a pen tester.
We know we need to protect our Network, we use anti virus, we patch, we use firewalls and encryption. We educate our users in keeping our network safe. Do we take similar precautions with our networked systems.? We have just seen the speed with which a building can be effectively disabled. That may not be the only threat. The attack may be to take information for future attacks, such as stealing or using CCTV images. Perhaps entry data to find out when target staff members are on site. Or test disable an alarm system for a combined attack across several systems in the future. How did we source our systems in the first place? Some security systems are built insecurely and so the challenge is to buy well in the first place. The objective is security so buy secure and keep it secure, protect, patch and maintain it.
Our infrastructure is coming under the same threats. Satellites, nuclear power plants, mobile phone masts, air traffic control. It might be suppliers to these critical functions that get attacked. It may connected systems or other parts of the supply chain. All organisations have a role to play in our CNI at some point and we have to start by securing our own part of cyberspace that controls our building services.
In order to protect our CNI and our buildings properly we need to look at threat and its treatment, holistically. Virus can be introduced to our systems and we need to be able to protect them properly.