Bad Actors Never Stop
Cyberattacks on the U.S. healthcare system are growing in frequency and in popularity, particularly as hospital systems continue to invest in digital transformation initiatives at their facilities. As such, healthcare should serve as a bellwether for the Commercial Real Estate industry, which is still reeling from the occupancy impacts of COVID-19. In this latest incident, the bad actors allegedly hacked three major hospital systems in the Metro Boston area by way of their native Operational Technology (OT) and Internet of Things (IoT) systems. The hack was revealed by the perpetrator/threat actor, who reported to a cybercommunity group that they had compromised an HVAC vendor's OT system at all three facilities in order to collect sensitive information such as hospital structured wiring plans and floor plans, which were then shared with the group as proof of the attack. While no consequential damage to hospital operations was reported, the cybersecurity implications for all stakeholders were laid bare. Imagine the consequences to care operations if the threat actor disabled smart room automation systems that control lights, shades, and room temperature settings. Or if they disabled security around critical parts of the hospital such as staff/employee entrances.
Unfortunately, the alleged incident above is not constrained to OT systems. Building owners across the market spectrum of Commercial Real Estate, Sports and Entertainment, Healthcare, and Hospitality must pay heed to other potential sources of vulnerability in order to holistically ensure that their facilities are safeguarded against such attacks. Predominantly, IoT presents the greatest risk. This is not surprising given the amount of automation that facility owners have invested in this technology. More specifically, green energy initiatives coupled with on-demand patron responses have fueled investment in automation that relies heavily on sensor-based approaches. Examples of sensed inputs include temperature, humidity, occupancy, time of day, and other factors. These sensors typically connect over various wireless interfaces (e.g., Bluetooth Low Energy, WiFi, and/or cellular) to some form of building automation system (BAS) that governs operation. Variation in design implementation standards, and in the security and privacy standards of the different wireless protocols, creates ambiguity about levels of cybersecurity fitness, which can lead to penetration by bad actors who understand the weaknesses that such standards present. Moreover, in many newer environments, applications (apps) are a convenient way for building maintenance personnel, staff, and authorized agents to manage disparate systems such as water, heat, and electricity. Unfortunately, that convenience also makes the building only as secure as the app and its accompanying operating system, which can defeat the purpose and intent of the app: to create an easy means to manage facility systems.
A representative use case is that of a patient smart room: to what extent can and/or should patients have the ability to manage in-patient amenities using a Bring Your Own Device (BYOD) platform such as their personal smartphone, versus a hospital-provided platform such as a pillow speaker and/or a smart speaker?
What is the Impact?
Such attacks vary in scope and purpose. For instance, some may be directed at gathering sensitive information such as personnel schedules, occupancy periods, or point of sale activities. Others may be used to harm people by shutting down key operating infrastructure or severely adjusting pre-configured setpoints. For example, elevator operation may be completely stopped. Similarly, temperature-sensitive systems designed to keep certain expensive medications at specific temperature levels may be adjusted beyond safe storage ranges, spoiling the medication (e.g., COVID-19 vaccinations). More severe attacks may be those that damage appliances and other building systems beyond repair. For instance, the rapid cycling of HVAC compressors could lead to mechanical seizure of the compressors, necessitating not only their removal for repair but potentially lengthy lead times for the replacement parts. Finally, a shutdown of the building's water distribution plant could lead to a total loss of available water for facility washrooms and/or fire suppression equipment.
Building a Zero Trust Environment
In response to these attacks, the industry is taking an offensive posture known as Zero Trust. In simple terms, it means that every appliance and end-point is treated in a segmented manner, compartmentalized into enclaves to minimize exposure should one or more appliances and/or end-points be compromised. A crude analogy is that of the watertight compartments found in ships: should one compartment be breached, the ship remains afloat. In a similar way, enclaves segment data between sensors and systems, and intelligent monitors then watch for activities that don't fit typical patterns and/or parameters. These measures, coupled with secure encryption techniques, collectively serve to harden the overall system against attack through authentication challenges, monitoring techniques, and finally, isolation, if necessary. For example, let's suppose a bad actor gains control of a building's environmental controls via an unsecured end-point sensor such as a wireless HVAC zone controller. In a zero trust approach, out-of-band messaging or errant signaling (intentionally initiated by the bad actor via the sensor) would be checked against established norms and identified by a watchguard system, which would in turn isolate the device and alert facility owners, thereby minimizing the effect of the attack.
Modern buildings rely extensively on technology to create an environment conducive to enhancing productivity and value for their tenants and stakeholders. Minimizing barriers to utilization while promoting user security and privacy for on-premises data infrastructure requires balancing proactive measures so that they remain pragmatic. Assessing the appropriate level of user experience tolerance is not simple. It depends on the use cases and other factors that influence the level of cybersecurity protection measures. While zero trust works exceptionally well for dedicated building infrastructure, some users may find constant authentication challenges annoying. To address this, the cybersecurity and wireless network industries, among others, are creating new standards-based methods to transparently provide security capabilities while balancing privacy concerns. This is where Artificial Intelligence (AI) is demonstrating excellent effectiveness by analyzing patterns of utilization against other determinants such as personal identifiers. While not perfect, investments in such systems by building owners diminish risk from cybersecurity incidents while also providing meaningful data analytics to help determine future investments in amenities, changes to workflows, and other considerations.
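The watchguard behaviour described above, as an added sketch that is not from the original article or any vendor's product: messages from a wireless HVAC zone controller are checked against per-device norms, and the first violation isolates the device and raises an alert. The device name, enclave names, message fields and thresholds are all assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass, field
@dataclass
class Policy:                      # per-device norms (all values are assumptions)
    enclave: str                   # the only enclave the device may talk to
    allowed_cmds: frozenset
    setpoint_range: tuple          # (min, max) in degrees C
    min_cycle_s: int               # minimum seconds between compressor starts

@dataclass
class Watchguard:
    policies: dict
    isolated: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    last_start: dict = field(default_factory=dict)
    def check(self, msg):
        """Return None if msg fits the device's norms, else the reason."""
        pol = self.policies.get(msg["device"])
        if pol is None:
            return "unknown device"
        if msg["target_enclave"] != pol.enclave:
            return "cross-enclave message"
        if msg["cmd"] not in pol.allowed_cmds:
            return "command not allowed"
        lo, hi = pol.setpoint_range
        if msg["cmd"] == "set_temp" and not lo <= msg["value"] <= hi:
            return "setpoint out of range"
        if msg["cmd"] == "compressor_start":
            prev = self.last_start.get(msg["device"])
            self.last_start[msg["device"]] = msg["ts"]
            if prev is not None and msg["ts"] - prev < pol.min_cycle_s:
                return "compressor rapid cycling"
        return None

    def handle(self, msg):
        """Return 'forward', 'isolate' (first violation) or 'drop' (already isolated)."""
        if msg["device"] in self.isolated:
            return "drop"
        reason = self.check(msg)
        if reason is None:
            return "forward"
        self.isolated.add(msg["device"])          # cut the device off from its enclave
        self.alerts.append((msg["ts"], msg["device"], reason))  # notify facility owners
        return "isolate"
POLICIES = {"hvac-zone-3": Policy("hvac", frozenset({"set_temp", "compressor_start"}), (18.0, 26.0), 300)}
def m(ts, cmd, value=None, enclave="hvac"):       # builds one constructed sample message
    return {"ts": ts, "device": "hvac-zone-3", "target_enclave": enclave, "cmd": cmd, "value": value}
SAMPLE = [m(0, "set_temp", 21.5), m(60, "compressor_start"), m(90, "compressor_start"), m(120, "set_temp", 21.0)]
def run(messages):
    wg = Watchguard(dict(POLICIES))
    return [wg.handle(x) for x in messages], wg.alerts
```

In the sample, the second compressor start arrives 30 seconds after the first, so the controller is isolated and its later, otherwise normal, setpoint message is dropped.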
Achieving a Pragmatic Balance
Creating zero trust frameworks will ensure that building owners are prepared to thwart nefarious activities. Creating that pragmatic balance means weighing architectural design and operating best practices so that zero-trust capabilities are built into the building when opportunities present themselves, such as during modernization programs and/or new construction. This duality may mean many different things. For instance, it may mean supporting different wireless modalities for different end-point devices, private and public. It may also mean creating zoned data infrastructure networks by function and role, something often referred to as network access control and security access control. It may also mean investing in AI-based governance systems operating via cloud-based systems to ensure survivability of facility-based/on-premises infrastructure and data in the event of a severe attack. The latter is also useful in untoward events, should an incident be precipitated by a natural disaster. Finally, establishing a facility governance plan, including role-based permissions by executives, will speed decision making and minimize ambiguity during and after an attack.