What Colonial Pipeline means for commercial-building cybersecurity
Colonial Pipeline, the largest fuel pipeline in the US, recently paid ransomware hackers $4.4 million to regain control of its own pipeline, underscoring how urgently companies need to prioritize protecting their assets. With the threat of cyberattacks looming large, more attention must be paid to the integrity of building management systems (BMS). From 2011 to 2014, the number of cyber incidents involving operations technology (OT) systems saw a 74% jump, with the financial costs running into the hundreds of billions of dollars each year.
Technological advances in access control systems that enabled remote operations during the pandemic have also further exposed these systems. BMS must safeguard both access to the company’s IT systems and its mission-critical infrastructure, such as power, HVAC, and smart building control systems.
Although it was eight years ago, it’s easy to recall the infamous 2013 Target hack that came in through the HVAC system contractor and compromised 40 million financial accounts. The commercial building sector must learn to protect itself against these invisible hackers who patrol the Internet in search of soft targets.
BMS’s Unique Ecosystem
Smart buildings are particularly vulnerable to cyberattacks as more Internet of Things devices are deployed and the use of remote management tools increases. While IT systems are typically focused on the core security triad of confidentiality, integrity, and availability of information, the BMS security triad is different. The BMS focus should be on the availability of operational assets, integrity/reliability of the operational process, and confidentiality of operational information. The deployment of a multidisciplinary defense approach across system levels requires a cost-benefit balanced focus on operations, people, and technology.
Managing cyber-risks starts with organizational governance and executive-level commitments. This can include developing a cybersecurity strategy with a defined vision, goals, and objectives, as well as metrics, such as the number of building control system vulnerability assessments completed. In addition, senior leadership needs to ensure that the right technologies are procured and deployed, defenses are deployed in layers, access to the BMS via the IT network is limited as much as possible, and intrusion detection technologies are deployed.
To read the complete article, visit Dark Reading.
I expected more from this publication to get the story correct. Colonial Pipeline’s billing system was the casualty of the ransomware package being executed on its platform, which is disassociated from the pipeline infrastructure across the states. The CEO nefariously decided to shut down the pipeline, halting fuel transportation. Why? The investigation’s focus should be directed towards the real calamity and the association(s) of the CEO. We’ve been played!
Please, ransomware doesn’t ‘attack’, its delivered package is launched by a user w/permissions logged into a system. We’re not this ignorant of our technology and its workings, are we? Let me get this straight, this is the “largest fuel pipeline” organization, and you want me to believe their technologists are bumbling idiots. Really? Has everyone taken a stupid pill?