Are your buildings and cloud cyber secure?

April 29, 2021
Many data centers that support the cloud as well as commercial buildings have not adequately addressed control system cyber security. The lack of adequately addressing building control system cyber security was demonstrated to have caused very significant financial and potentially safety impacts. When you consider these control system cyber threats can affect multiple buildings, the insurance issues can become existential. Additionally, the use of multiple locations for data centers can be compromised by common network vulnerabilities from building operators and/or maintenance organizations. In this age where ransomware and hacking are rife, control systems need to be adequately addressed or it could be financially devastating to the building owners and insurance companies.

This blog was on LinkedIn 4/28/21 from Gerry Kennedy at Observatory Holdings:

Joe Weiss PE CISM CRISC ISA Fellow and I had a robust call with a cloud service provider with the IT company that brought us to them on Monday. They were very proud of their IT approaches to security and redundancy. They were very correct in their prideful responses. However, when we asked “What about your OT security” they were a bit stumped! We expected that response. Once we got to our point, they were EXTREMELY appreciative of our perspectives. They had never thought of it! Presented OT Threat vectors: HVAC, Fire Suppression, Power (Direct & Indirect), Communications (Direct & Indirect), Facility security (Facilities attack like AWS), Service Level Agreements or SLA’s and more! The IT SERVICES company that sourced them were stunned at the liabilities this OT problem had in store for them too! My cloud goes down I will have to sue the people who failed the assessment of these OT liabilities of the cloud provider times THOUSANDS of clients = bankruptcy on legal expenses alone! If your cloud goes down YOU GO DOWN! Ask Yale U Medical!”

(CS)2AI ONLINE coincidently held their Smart Building Cyber Security Symposium also on 4/28/21. The Symposium discussed five cases, three of which were directly relevant to control system cyber security.  The same types of incidents occurred in other industries. Unfortunately, there is no information sharing between industries. The moderator and presenters identified several items that are applicable to every organization with control systems:

1)     Control system cyber incidents are not disclosed as there are no reporting requirements. The only reporting requirements are for network data breaches.

2)     There are no control system device forensics.

3)     Many building owners are depending on cyber insurance.

4)     Incidents are only considered cyberattacks when they are malicious and come from the outside.

5)     Many of the building networks used common userID and passwords at all of the buildings maintained or operated by the building maintenance organization. This common use of userID and passwords across multiple facilities is not unique to building facilities organizations.

Control system cyber cases

The first case was a 20-story building with 90% occupancy. The hack was initially a phishing attack and aimed at IT. Because of the lack of segmentation, the attack was able to progress to the OT networks and from there causing physical damage to control system equipment and facility hardware. It took 92 days to recover.

The second case was a new 100-story building with 10,000 control system devices. The day before the building was to open, IT did a final detailed penetration test and caused a denial-of-service (DOS) to 6,000 control system devices. This is all too common as IT using inappropriate pen testing tools have caused DOS and even damage to control system devices in many industries. It cost $1.25Million and 15 days to reset each control system device.

The third case was an organization operating 100 buildings. The lead senior facility manager was let go for cause and his administrative rights cancelled. However, the building controls for the 100 buildings were tied to the dismissed manager’s account and consequently 100 buildings lost all communications. This was not considered a cyber event as it was not an external malicious attack even though it caused impacts to all building occupants and could have been a safety risk.

Insurance ramifications

Per Gerry Kennedy, each of these scenarios open multiple insurance coverage exposures that have not been contemplated by actuaries and business enterprise personnel within the insurance industry. When you consider these control system cyber threats can affect multiple buildings, the insurance issues can become existential. Additionally, the use of redundant locations for data centers can be compromised by building operators and/or maintenance organizations using common network access.

The first case exposed the insurance carriers to unfunded loss exposures to Business Income & Extra Expense for 92 Days of putting the certificate of occupancy and all of the leases at risk.  If the Elevators or Fire Suppression systems were compromised the fire departments would have to close the building due to life safety considerations.  The loss exposures are not limited to property exposures but in fact liability exposures for bodily injury & physical damage.

The second case was a professional liability for the penetration tester.  However, it brings forth the likelihood that there is a real vector for the mass theft of real and personal property via coordinated efforts to ransom the likes of a Real Estate Investment Portfolio or government facilities or of course where your data is stored.

The third event is actually a claim that could find coverage under Crime coverage for a whole portfolio of buildings. This clearly is not a contemplated possible loss scenario the actuaries would have contemplated.  However, this would not preclude coverage for the carrier affected.  This would result in and unfunded loss exposure.  If enough of these events happen simultaneously, this could amount to a severe catastrophic loss for the industry. The lost income and extra expenses to rectify these nefarious acts could bring many other coverages to the forefront.

Summary

The Russia SolarWinds hack and the Chinese attack on Microsoft exchange servers defeated existing IT cyber security defenses and bringing a focus to cloud cyber security. Now reconsider the lack of addressing control system cyber security by Gerry Kennedy’s Cloud service provider. Also realize there was no discussion about how data centers or commercial buildings are addressing SolarWinds SNMP vulnerabilities or the issues addressed in my 2018 blog -  https://www.controlglobal.com/blogs/unfettered/data-centers-have-been-damaged-and-they-are-not-being-adequately-cyber-secured. In this age where ransomware and hacking are rife, control systems need to be adequately addressed or it could be financially devastating to the building owners and the insurance companies.

Joe Weiss