Cyber Security in the Age of OT and IT Convergence
By Sandy Jacolow
Maya Angelou, an American poet, said “You can’t really know where you are going until you know where you have been.” Her wisdom still rings true and can be applied to how we approach many of today’s technology challenges. As real estate leverages PropTech innovation to enhance the tenant experience and improve operating efficiencies, our exposure to Operational Technology (OT) cyber threats grows each day.
To frame our exposure, we need to first define OT and how we incorporate it into our physical assets. Historically, OT consisted of closed building systems designed to run on their own isolated networks. With no connection to the Internet, other building systems, or corporate networks, cyber threats were limited and not factored into their firmware, software, or technology stack. Today, “Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise”, according to Gartner. OT security also protects the people, assets, and information involved in the monitoring and/or control of these devices. By contrast, Information Technology (IT) is data-centric, incorporating the use of computers, storage, networking devices, and infrastructure.
From a real estate perspective, it’s quite simple: our wired and wireless networks must be capable of interfacing with smart building systems while remaining adaptable to an ever-changing technology landscape. They must be designed to embrace next-generation platforms like the Industrial Internet of Things (IIoT) and Low-Power Wide Area Networks (LPWAN), while providing full visibility into building operations. Additionally, in the age of COVID, firms are leveraging existing corporate IT networks to provide remote access to building systems for maintenance and support.
This convergence and cross-pollination of networks, along with the lack of IoT regulatory standards, complicates defending against these new cyber threats. To bring this point home, in 2014 Target’s Point-of-Sale (PoS) system was compromised, impacting 110 million customers, in an attack that originated from a breach of an HVAC system. So how do we approach securing our building systems and corporate networks from these exposures and vulnerabilities? Let’s start with the NIST Cybersecurity Framework (CSF) and the NIST Guide to Industrial Control Systems (ICS) Security. Together they provide guidance on how to understand and implement an approach to identify, protect, detect, and respond to cyber-attacks across your OT, IT, and converged technology environments.
To understand your cyber exposure and identify your firm’s or building’s risk, start by performing a discovery and complete inventory of all physical and virtual assets. This analysis should include comprehensive information about each device and its operating system, firmware, and software. This will help keep you apprised of the latest security alerts, vulnerabilities, and patches.
With a plethora of IoT devices running our buildings, cataloguing how they communicate across network segments, VLANs, subnets, and Internet service providers should be an essential component of your analysis. One area that is often overlooked when identifying OT exposure is understanding physical access to hardware within the facility and how that access is secured.
Once you have identified your risks, the next step is to design and implement a plan for securing and protecting your OT, IT, and converged networks. Your cyber protection program should include detailed technical guidelines outlining how to review, test, and apply updates, along with network access controls. One of the most neglected aspects of protecting your systems is the development of comprehensive policies and procedures addressing employee awareness, education, and training. Distinct policies for OT-related building systems and remote access should also be developed for engineering staff.
Perhaps the most important aspect of protecting your OT and IT networks is quickly detecting and identifying cyber threats. This is achieved by deploying and implementing a variety of active network monitoring and asset discovery tools. Continuous monitoring ensures visibility into unusual endpoint activity, changes in behavior, or shifts in network traffic patterns. The resulting alerts are designed to reduce response time to a potential event and to support regulatory compliance.
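As an added illustration (not from the original article) of how the asset inventory and communication catalogue above feed continuous monitoring, the following Python joins a constructed device inventory with constructed NetFlow-style flow records and flags any device talking to a segment its role is not permitted to reach, such as an HVAC controller reaching the PoS VLAN. The inventory, segment map, role allow-list and sample flows are all assumed values for the example.

```python
import ipaddress

# Constructed inventory: ip -> (hostname, role, firmware), as produced by the discovery step.
INVENTORY = {
    "10.10.0.21": ("hvac-ctrl-01", "hvac", "fw 2.3.1"),
    "10.10.0.22": ("elev-ctrl-01", "elevator", "fw 7.0"),
    "10.20.0.15": ("fm-laptop-03", "workstation", "win10"),
}
# Constructed segment map and per-role allow-list (assumed segmentation policy).
SEGMENTS = {
    "ot-bms": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/24"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
    "vendor-vpn": ipaddress.ip_network("172.16.5.0/24"),
}
ALLOWED = {
    "hvac": {"ot-bms", "vendor-vpn"},
    "elevator": {"ot-bms"},
    "workstation": {"corp", "ot-bms"},
}

def segment_of(ip):
    """Return the name of the segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flow_lines):
    """Parse 'timestamp src dst dport' lines; return (host, src, dst, reason) alerts."""
    alerts = []
    for line in flow_lines:
        _ts, src, dst, _dport = line.split()
        if src not in INVENTORY:  # a device the discovery step never saw is itself an alert
            alerts.append(("?", src, dst, "source not in asset inventory"))
            continue
        host, role, _fw = INVENTORY[src]
        dst_seg = segment_of(dst)
        if dst_seg not in ALLOWED.get(role, set()):
            alerts.append((host, src, dst, f"{role} -> {dst_seg} segment not allowed"))
    return alerts

# Constructed flow records ("timestamp src dst dport", simplified NetFlow style).
SAMPLE_FLOWS = [
    "2024-01-05T02:10:01 10.10.0.21 10.10.0.5 47808",  # BACnet inside the BMS VLAN: fine
    "2024-01-05T02:10:09 10.10.0.21 10.30.0.40 445",   # HVAC controller -> PoS VLAN: alert
    "2024-01-05T02:11:30 10.20.0.15 10.10.0.21 443",   # FM laptop -> BMS: permitted
    "2024-01-05T02:12:02 10.10.0.99 10.20.0.15 22",    # device missing from inventory: alert
]
```

Running `audit_flows(SAMPLE_FLOWS)` yields two alerts: the HVAC-to-PoS flow and the uninventoried source.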
Should a cyber event occur, containing the threat is essential to minimize its impact and its spread across multiple systems. A response plan should outline the steps to identify the extent of the event, along with an internal and external (e.g. tenants, vendors) communication plan for affected parties. Remember to update your plan as new hardware and software systems are introduced into your OT and IT environments.
With an ever-increasing number of endpoints deployed in smart buildings, it is possible that a cyber event could result in the loss of a core building system (e.g. HVAC, elevators) or in data loss. A recovery run book that details a step-by-step plan to fail over to backup systems or restore services to impaired systems should be developed and tested. This plan should be prioritized to align with essential building operation systems and business requirements. Once the threat has been mitigated, a post-mortem to evaluate detection, response protocols, and lessons learned should be performed to improve performance in future events.
While the vast majority of organizations still grapple with basic IT cyber challenges, real estate’s adoption of PropTech to create smart buildings introduces OT-related cyber threats into the overall enterprise technology landscape. Navigating the risks associated with a converged OT and IT network requires continual vigilance, coupled with striking a balance between traditional IT security controls and OT-specialist security tools.