When FM meets IT
Might the weak underbelly of a building-management system provide a route to attacking an organisation’s IT infrastructure? Bob Mann shares his experiences and ideas.
It seems no one is immune from the various exploitation methods used to infiltrate companies, personal computer systems, smart mobile devices etc. We hear constant news about the theft of personal information, social-engineering attacks, account takeover, bank-account intrusion and identity theft, including the (not so) new efforts to attack corporate facilities such as building services. As technology marches on, so do the hacker fraternity's methods. So perhaps another look at the relationship between IT (information technology) and FM (facilities management) is prudent at this juncture!
We explore the importance of the facilities-management teams (often and colloquially referred to as building services) and the efforts they undertake to service us all. In addition, we examine the important work that IT teams (aided and abetted by information security) also undertake to keep the lights on. Why is each side's stance so often viewed as adversarial by the other? Intrusion by hackers is steadily increasing (Verizon’s 2012 Data Breach Investigation Report), so is it now time to bury the past and work together?
I have to declare a personal interest that in a previous life I have been engaged in ‘testing’ physical security measures and products. This included both physical and stealth attacks on locks, doors, fences, lighting, sensor devices etc. Testing was to verify manufacturer claims of their robustness and prove just how difficult a deterrent they really posed to a determined attacker. Perhaps due to my past (or in spite of it) I have also for many years believed that IT & FM were inextricably linked, as physical security controls began to be computer operated rather than mechanically controlled.
How different those attacks are today — if I was so inclined to try! Now, a few kilos heavier and less inclined to run the mile in about five minutes, I'm more likely to 'work from home'. With a steadfast mindset, a fast broadband connection and a ‘magic’ toolbox, I'm much less likely to get caught whilst I attempt to take control of those building services remotely. No longer do I have to loiter with intent, work in inclement conditions and stand around for hours gathering intelligence for my test scenarios. I'll now opt for the easy life, using obfuscation and electronic stealth to test those building-management systems (BMS), or building-automation systems (BAS), whilst lounging in my favourite chair. Controls and sensors are very much computer-based today; they're programmable and, therefore, much easier to exploit.
Verizon’s 2012 Data Breach Investigation Report (you can search for it on the Internet) is full of interesting facets about unauthorised intrusions; a snippet is below.
• 98% of breaches were from external agents
• 97% of breaches were avoidable through simple or intermediate controls
• 79% were targets of opportunity
• 96% of attacks were not highly difficult
• 85% of breaches took weeks or more to discover
Oh, and whilst I'm in I think I'll wheedle my way into the main ICT infrastructure and see what's going on there — files, records, personal details, archives, IT systems! And, perhaps, this is the rub...
This article explores the IT v. FM conundrum from an information-security perspective. For clarification, information security does not focus only on technology components such as firewalls, servers and network infrastructure. It takes a wider security-management view, covering (but not limited to) aspects of risk, fraud, human resources, business-continuity planning, compliance, physical security, etc.
Often IT and FM have distinct — and for want of a better phrase — computer systems, each jealously guarding their individual fiefdoms from the other. This has led us, in my opinion, to where we are today — a slightly misaligned position. Why?
Perhaps FM see the complex monoliths that IT teams create, the lengthy time taken from design to implementation and the post-deployment problems they always seem to create. Their systems constantly fall over, denying access to e-mail and the Internet. Well, that’s according to their users anyway. Is this the FM's justification for designing and deploying their own computer-controlled BMS/BAS solutions? Whether it’s keeping the lights on, managing building access or controlling the year-round heating and ventilation — FM wants to keep things simple, manageable and under control. Many now outsource the day-to-day operation to third parties, both locally and remotely.
The mantra I often hear from IT is, ‘We're IT, we're the experts at running computer networks, so all computer systems should be run and maintained by us!’ Perhaps IT see a direct threat to their services and operations — data centres, local servers, test rigs and office endpoints (desktops, laptops) etc. Many BMS solutions control, amongst other things, HVAC systems, and a failure of these can seriously impact IT services. If IT isn’t controlling those systems that can directly affect the services they (IT teams) operate and maintain 24 x 7 x 365, they feel threatened!
There is a perception that BMS/BAS vendors don’t have the same level of expertise or maturity in designing their systems as ‘standard’ security vendors. Do the old technology and ancient protocols currently in use in many outdated BMS/BAS solutions pose a significant threat to our ICT infrastructure? Many feel that this is where we are right now. This is where IT teams get nervous and twitchy; they don't hold all the aces and are therefore at the mercy of the FM crews!
Security teams have long recognised that web access is everywhere, and the risk that this brings to organisations. IT now accepts that this is a credible and frequent attack vector; perhaps FM teams do not — yet! Man-in-the-middle attacks (interception and hijacking) are now fairly common, just as the requirement to remotely manage building services is also becoming common practice. What perhaps isn't so common is the realisation or belief that such attacks exist, intercepting the communication channels used for remote access and, as a consequence, taking control of building-management systems or building-automation systems. These ‘man-in-the-middle’ attacks are just one of the many ways to infiltrate an organisation, using less secure and outdated BMS solutions and striking at the heart of IT operations.
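The two preceding paragraphs make a point worth seeing concretely: a remote-management channel whose messages carry no integrity protection cannot tell a genuine command from one altered in transit, whereas a channel with message authentication and replay protection can. The following is an added illustration, not code from the article or from any BMS vendor. The JSON command framing, the shared key and the "on-path edit" helper are all constructed for the demonstration; a real deployment would provision the key out of band and would normally carry such traffic inside TLS, but the principle is the same at message level.

```python
import hashlib
import hmac
import json

# Constructed example only: in practice this key would be provisioned out of
# band to both the BMS controller and the remote-management client.
SHARED_KEY = b"example-key-provisioned-out-of-band"


def legacy_encode(command: dict) -> bytes:
    """Legacy-style plaintext framing: no integrity check, no freshness."""
    return json.dumps(command, sort_keys=True).encode()


def legacy_decode(frame: bytes) -> dict:
    """The legacy receiver trusts whatever arrives; in-transit edits are invisible."""
    return json.loads(frame)


def authed_encode(command: dict, seq: int, key: bytes = SHARED_KEY) -> bytes:
    """Authenticated framing: JSON body with a sequence number, tagged with HMAC-SHA256."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class AuthedReceiver:
    """Controller-side verifier: rejects bad tags and non-increasing sequence numbers."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def decode(self, frame: bytes) -> dict:
        body, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so tag comparison leaks no timing information
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            raise ValueError("integrity check failed: frame altered or forged")
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = msg["seq"]
        return msg["cmd"]


def simulate_on_path_edit(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Stand-in for an interception point between client and controller: a byte substitution."""
    return frame.replace(old, new)


def demo() -> dict:
    """Run the same in-transit edit against both framings and report what each accepts."""
    command = {"zone": "server-room", "hvac_setpoint_c": 21}
    results = {}

    # Legacy framing: the edited setpoint is accepted as if it were genuine.
    frame = legacy_encode(command)
    edited = simulate_on_path_edit(frame, b'"hvac_setpoint_c": 21', b'"hvac_setpoint_c": 35')
    results["legacy_accepted"] = legacy_decode(edited)["hvac_setpoint_c"]

    # Authenticated framing: the same edit is rejected, the clean frame passes,
    # and re-sending the clean frame is rejected as a replay.
    rx = AuthedReceiver()
    frame = authed_encode(command, seq=1)
    edited = simulate_on_path_edit(frame, b'"hvac_setpoint_c": 21', b'"hvac_setpoint_c": 35')
    try:
        rx.decode(edited)
        results["authed_tamper_rejected"] = False
    except ValueError:
        results["authed_tamper_rejected"] = True
    results["authed_clean_accepted"] = rx.decode(frame)["hvac_setpoint_c"]
    try:
        rx.decode(frame)
        results["authed_replay_rejected"] = False
    except ValueError:
        results["authed_replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The legacy receiver happily applies a setpoint it never actually received from the operator; the authenticated receiver rejects both the altered frame and the replayed one while still accepting the genuine command. This is the gap between "ancient protocols" and a channel that IT and FM can both stand behind.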
Should we also consider the ’elf and safety’ of buildings where the attacker, if minded to, has the ability to interfere with fire alarms, sprinkler controls, electronic door release systems, pumps, fume extractors, lighting etc.? If he/she/they were so inclined, how about corrupting the carefully laid out building plans, or deleting those desk layouts, the result of many hours of wandering around the building capturing that information?
Perhaps it is understandable that IT teams are a little spooked by this scenario, not knowing how efficient FM services are at keeping their automated systems secure. However, information-security teams recognise the problem and are here to help both IT and FM operate in a secure manner so as not to inadvertently raise an organisation’s risk profile.
Whilst this article examines external threats, let’s not forget that attacks can also come from within an establishment.
Personal experience is that security teams have not exactly excelled at selling themselves to non-IT folk, often wrapping up requirements in technical speak rather than business language and all too often resorting to scare tactics to get their way. As a consequence, the true message may be getting lost in the noise from both IT and FM.
However, there is a way forward in this entire melee!
I see a joint exercise here, where information-security teams can assist by becoming the Good Samaritan, a friendly ‘man in the middle’ to assuage the fear of both FM and IT teams. FM also has a golden opportunity to have its environments secured, and IT the assurance that the HVAC measures supporting their efforts to keep the ICT infrastructure 'lights on' are finally recognised and addressed!
Don't be protectionist, don't be bashful, talk to your local information-security experts. They are there to provide a range of information security advice and assurance services.
This is a win-win situation — embrace the opportunity!