Supply chain changes caused by shifting global economic policies and geopolitical tensions are leading to increased cybersecurity risk for cyber-physical systems, like building management and control systems, according to a Sept. 17 report by Claroty.
Among other things, bad actors are exploiting vendors’ remote access to reach building management and other systems that sit at the nexus between organizations’ physical infrastructure and their cyber systems.
“A ripple effect of shifting supply chains is the escalation of risks associated with third-party remote access,” Claroty says in its report.
“We’re just now starting to see how vulnerable our critical building management systems are to cyber attack,” Sean Tufts, field chief technology officer at Claroty, said in an interview.
Almost half, or 45%, of cybersecurity professionals are concerned about their ability to reduce cyber-physical system risk, with more than two-thirds saying they are reconsidering their supply chain geography in order to mitigate the risk, according to a survey of 1,100 cybersecurity professionals who manage cyber-physical security systems, or CPS.
A large majority, 73%, said third-party remote access to their operations is being re-evaluated, with companies demanding visibility into security from their vendors. This may exacerbate existing security challenges, with 46% of respondents having been breached in the past 12 months because of third-party access and 54% saying they’ve discovered security gaps or weaknesses in vendor contracts after an incident, per the report.
Vendors can become weak points in security, allowing unauthorized access into key facilities and networks, raising the stakes for building operators.
“A facility owner has roughly two to three times more full-time employees than they think, because those third-party contractors are as critical to their network as their employees,” Tufts explained. “What [operators] don’t realize is that a technician walks from one building to another with the same laptop … and he can be a source, a weak point in our cybersecurity standard.”
Widely distributed access raises key concerns, especially as buildings are targeted in the ongoing theaters of war, said Tufts, pointing to Russia’s use of cyber-physical system attacks in Ukraine. “[Russia] launched a malware campaign … onto the building maintenance system of a facility in the Ukraine during mid-winter [and] took out the heating during a cold spell,” he explained. “That’s very interesting for building management. Temperature is always the most important, because in Texas in the summer or Minnesota in the winter, [that] causes real fatalities.”
There also have been cases of cyber attacks knocking out utilities internationally, which affects building management, “because we need to make sure our backup power systems are running,” Tufts said.
To assess a facility's cybersecurity risk, operators first need a comprehensive inventory of their systems. Because assets like lighting and elevators are often managed on older, legacy systems, security operations are often flat-footed when it comes to preparation and defense, Tufts said.
“The people that program those systems and keep them running day-to-day are not instant responders [in a cyber event]. They’re not someone that works in a security operations center, so we need to pull that knowledge of assets back. When we have something that is an indicator of compromise, that’s actively being targeted, then we can do the research and help aid those people that are on-site,” Tufts said.
This requires gathering contextual information on systems, such as whether they are customer-facing or how critical they are to a business occupying the space. “We can give [cybersecurity] teams knowledge of what these systems are, so they’re not just coming out and saying ‘Turn this machine off’ when it’s a critical part of the … process,” Tufts said.
Take lighting systems. “We were on-site at a major manufacturer in the transportation space, and if the lights turned off, the union labor packed up and left. That was in their contract,” he explained. “We're not asking for systems to be totally refreshed today, but we need to understand when a good time to come back would be. A lot of these systems have long time or long-term maintenance contracts. Let's find the window that works.”
Bottom line: Since building systems aren’t part of the technical infrastructure that security teams have a long history of working on, facility managers need to work with cyber teams to help them close the unique vulnerabilities they present.