At first blush, the ransomware attack on Colonial Pipeline in May 2021 and a hacker’s attempt to poison the water supply in Oldsmar, Fla., in February of the same year may not appear to have much bearing on the safety of the average commercial building. But in reality, most buildings are vulnerable to these types of cyberattacks, experts say.
“There are over 40 years’ worth of digital technology in our building stock,” said Fred Gordy, director of cybersecurity at Charlotte, N.C.–based consulting firm Intelligent Buildings. “It’s not just in so-called ‘smart buildings.’ ”
Operational technology and information technology can be open doors for cybercriminals, said Lucian Niemeyer, CEO of security firm Building Cyber Security in Bethesda, Md. Most people know what IT means—OT is simply all of the technology in a building that physically interacts with the world, such as HVAC and electrical systems, parking, access control and fire alarm and suppression systems. “Office buildings, malls, schools, banks, sporting venues—all of these places have physical systems that are now integrated with IT,” said Niemeyer. “And all of these places are vulnerable.”
Gordy offered a real-world example involving one of his clients, the owner of a 30-story office tower. A tenant in the building received a bomb threat from hackers who gained remote access to the tenant’s printer and produced a menacing message. The entire office building was evacuated. An investigation revealed that the threat had come through the parking system, which was run by a third-party contractor and not by the building management or owner. Still, the building owner’s reputation was at risk because of the incident. “Tenants don’t know who runs what,” Gordy said. “If your name is on the building, then you’ll get the brand damage.”
Bringing contractors up to speed is an important step in shoring up vulnerabilities in commercial buildings, said John Hester, owner of Hester Consulting, a building operations firm in Peachtree Corners, Ga. As many as 3,000 technicians and staffers can interact with the OT systems in a large building, Hester said, and even small- and medium-sized buildings can have multiple contractors entering on any given day. “Contractors create open spaces for risk,” Hester added. “You have to manage them and do your due diligence. Know what they are doing to vet who comes into your building.”
Administrative systems that control who can access the building’s other systems are often vulnerable points, Hester said. Contractors and building management staff may be given access that doesn’t expire when their employment ends. Systems that don’t require a VPN login are another potential weak spot. When access isn’t properly controlled, Hester said, systems such as fire alarms, elevators, and security cameras can become vulnerable to cyberattacks.
Mitigating cyberattacks in any building boils down to two steps that every owner can take: inventory and assessment of OT. “For inventory, you have to know what you’ve got. For assessment, you have to know how old it is and who’s working on it,” Hester said.
While the task of evaluating OT systems may seem overwhelming, it’s worth the effort, and owners should remember that it’s a process. “Don’t think you have to know it all,” Hester said. “A little time and money spent now can save you a lot later.”