The use of connected data in building operation and management is fuelling the rise of cybercrime, warns information security specialist Andy Compton, MD of information security consultancy Blackfoot UK
Interconnected systems and digital information have revolutionised the way we shop, work and play. The evidence is everywhere. We share many of our waking moments on social media, track our every step and calorie intake on smart devices, and access online marketplaces and banking services anywhere, anytime.
The growth of connected devices has been remarkable; so much so that at some point this year, the number of devices with internet-fuelled connectivity will surpass the number of living people. In fact, in 2017, 3.7 billion internet users will access up to 9.4 billion connected computing devices, many of which will use applications, systems and devices that receive, store and process the 2.5 exabytes of business, personal and sensitive personal data that is produced each day.
The explosion of accessible devices and electronic information has resulted in the ability for limitless processing and analysis of information. Today, this capability drives scientific advances, supports expert decision-making in the commercial world and brings efficiencies and wellbeing to the workplace.
However, as the digital world grows, data has become a highly desirable commodity to organisations and criminals alike, with both seeking to monetise it. In business, organisations collect, shape, analyse and convert data into insights that can drive profits or competitive advantage. By comparison, cyber criminals monetise data by stealing it, corrupting it or making it unavailable to support nefarious activities such as fraud, extortion and crime. We’ve seen the impact of this with the recent attacks on legal firm DLA Piper, shipping and transport firm Maersk, and also on GP surgeries in England and Scotland where up to 40 NHS services were affected.
Similarly, and with particular relevance to facilities managers, US retailer Target was attacked and, in a single incident, lost 40 million credit cards and 70 million customer records through an exploited data connection used by their HVAC supplier for billing and project management. In all these examples, data was the target and financial gain the objective. The impact was huge, including operational disruption, fiscal loss, embarrassment, reputational damage, not to mention in the case of the NHS a potential risk to life.
As connected systems and devices are often not designed with adequate cyber security and are commonly deployed in organisations with immature levels of governance and technical security, they are frequently targeted for attack. The rise has caught firms napping. The Cyber Security Breaches Survey 2017 states that ‘a sizeable proportion of businesses still do not have basic protections or have not formalised their approaches to cyber security,’ and that virtually all UK businesses covered by the survey are exposed to cyber security risks. It also states that just under half (46 per cent) of all UK businesses identified at least one cyber security breach or attack in the previous 12 months. This rises to two-thirds among medium firms (66 per cent) and large firms (68 per cent).
The increase in cybercrime is partly down to greater use of cloud-based systems to store information remotely. But the survey also highlighted the internet of things, where the connection of everyday objects potentially opens doors to hackers looking for a chink in a company’s armour.
Building operators amass significant data sets through a variety of property, space, maintenance, compliance, security and building management systems. In the future, these information stores will swell further with the increasing use of building information modelling and the deployment of connected devices or sensors that optimise temperature, manage power, intelligently light spaces, inform wayfinding, assess air quality and monitor security. It goes without saying the positive use of information will bring greater cost benefits, performance efficiencies and wellbeing.
However, the richer the data sets, the more attractive an organisation becomes to financially or maliciously motivated cyber criminals. Sadly, devices and systems that leverage the power of data often become the point of network compromise, when poorly secured devices are networked and create jump points to critical systems such as fire alarms, HVAC and CCTV systems where data can be stolen or abused.
To understand who might want to steal, expose, corrupt or make a building operator’s data unavailable, FMs need to consider the data they store, transmit or process alongside the actors known to target such data stores. These typically include cyber criminals, terrorists, nation states, press, activists, competitors and disgruntled employees. This will help to build a picture of risk.
Building operators and facilities managers store and process sensitive and confidential data about sites, buildings, equipment, networks, systems and workers, some of which will be for organisations operating in the 13 critical national infrastructure (CNI) sectors. Those outside of the CNI space may also hold information about public or semi-public spaces used by large groups of citizens. Examples of both include government buildings, defence and nuclear facilities, airports, arenas and roads. To an ideologist or committed activist, this information might be useful in planning an attack. Depending on their level of sophistication, such a perpetrator could launch or commission an attempt to harvest data from FM applications, their directly linked partners or even building information models (BIM).
The analysis of maintenance costs and environmental efficiency provides FMs with an opportunity to reduce lifecycle costs, make intelligent purchasing decisions and plan for environmental improvements. However, where the performance, utilisation and safety of publicly funded buildings fall below that reasonably expected by citizens, the data can become desirable to the press, political opponents and environmental activists.
While we expect the press and political parties to conduct themselves in entirely honourable ways, we may be less than confident when recalling such incidents as phone-hacking to boost newspaper sales and the Russian state-sponsored hacking rumoured to have interfered with the US election.
The risk to ordinary people has been brought into sharp relief by high-profile security breaches at telecoms provider TalkTalk, electronics giant Sony and adultery website Ashley Madison. Although it’s less likely FMs will manage or process sensitive personal data, they are connected to HR systems and others that identify employees. Personal data is the holy grail for financially motivated cyber criminals, who can often glean sufficient information from private employee work, health, belief, sexual life and salary records to commit identity fraud, extortion and various online crimes. It’s important to remember attackers’ motivations are many and varied, and with globally connected systems, the attacks could come from anywhere in the world at any time.
Most organisations will have a CCTV surveillance system in place, but many may not be fully aware of its remote access capabilities. If organisations are unaware of these capabilities and the vulnerabilities they bring, they are more susceptible to remote attacks where online criminals can gain unauthorised administrative and root-level access to network surveillance and archived footage – without the owner being aware. These vulnerabilities not only provide an attacker with access to internal and potentially sensitive video and audio feeds, but can also be leveraged as a critical foothold into a target network. Additionally, if an organisation’s CCTV footage isn’t secure, it could face large fines for not complying with the GDPR.
WHAT CAN FMS DO?
FMs manage and use a multitude of connected data-driven applications, web-enabled devices and partners. These are increasingly under attack from motivated individuals who are unrestricted by geographic boundaries and able to remain anonymous. FMs must understand how the loss or misuse of data can undermine their objectives and the buildings they manage, in order to protect visitors and the people that work within them.
FMs should lobby those who are responsible for the safeguarding of information to commission a data assessment. Such an assessment helps organisations identify what critical information is stored, processed or transmitted, establish why that data might be an attractive target and to whom, and recognise any relevant regulatory compliance obligations.
With the value of data understood, FMs should then encourage the same parties to commission a formal risk assessment to identify opportunities to reduce unnecessary storage and processing, assess the likelihood and impact of an attack and formally define an appropriate security baseline. This will expose any gaps between the existing and target positions. In many cases, an efficient data risk assessment will recommend the adoption of information security standards and frameworks such as ISO27001, which help organisations respond to data risk by establishing a platform for implementing, operating, monitoring, reviewing and improving information security.