Over recent decades, as buildings have developed greater connectivity, the starkly different worlds of Operational Technology (OT) and Information Technology (IT) have found themselves converging in the emerging smart buildings space. In this new landscape, OT teams find themselves victims of cyber threats that they have never had to deal with before, while IT teams struggle to get to grips with cyber security for physical systems. The result is a dangerously wide range of smart building cyber security vulnerabilities that no one is taking responsibility for.
“This segmentation and segregation from the IT networks was historically seen as adequate protection from the majority of cyber security risks, with IT & security professionals adopting an “out of sight, out of mind” attitude to OT systems, with these systems rarely being subject to the same levels of monitoring or cyber hygiene as IT systems,” reads our new cyber security research. “Roll forward to today, with the built environment rapidly transforming into its own digital ecosystem, with building systems increasingly linked to other corporate systems and networks, and a historic failure to focus (and invest in) securing OT systems comes starkly into focus.”
“Having OT systems interconnected to other building networks and exposed to the internet significantly increases the security risk, making building systems susceptible to IP-based vulnerabilities, such as authentication bypass and insufficient encryption of critical data,” explains the new market report. “Worse still, OT environments also suffer from additional vulnerabilities relative to IT systems, due to lack of overall focus on cyber security concerns in the OT domain, its historic isolationism and the ongoing usage of thousands of legacy devices operating on unsecure protocols.”
Typically, OT teams are not equipped to defend their increasingly connected assets from cyber-attack, while IT teams tend to focus on network cyber security and neglect the novel vulnerabilities of the OT world. Hackers around the world are now identifying weaknesses that emerge in the gaps between OT and IT defences, giving them an easy route into the building network, where all connected systems are at risk. This cyber weak spot is further exacerbated by blurred lines of ownership and control, and by divergent system priorities between IT departments, facilities staff, vendors and third-party contractors.
“Cybersecurity programs run by IT departments don’t typically address risks related to building automation. Meanwhile, OT staff have historically not focused on, or been effectively trained to manage the cyber risks that are now facing smart buildings. This situation means that responsibility for the cyber risk management of smart building systems falls in the cracks between OT and IT teams,” warns the comprehensive cybersecurity report. “Significant differences in IT and OT cultures must be overcome to drive effective collaboration and cross-domain support and alignment on objectives, expectations, and decision-making processes.”
A 2021 survey by SANS found that the responsibility for the security of industrial control systems ultimately fell on IT managers in 39% of organizations, followed by CIO/CISO or other corporate-level IT or security executives at 34.6%, then systems owners/operators at 34.1%. In a significant 16.6% of cases, organizations even delegate responsibility for cyber security control to the vendors or suppliers who originally built the solution. This ambiguous system of cybersecurity responsibility can significantly increase the level of risk faced by buildings, and clear governance policies must be established for each stakeholder group to address the persistent cyber threat in a holistic and sustainable way.
“Successful IT/OT convergence will require close cooperation between the previously separate IT and OT groups with improved understanding of each respective party’s culture, priorities, practices, and technologies to properly mitigate emerging cyber threats. A wide range of different stakeholders may have a role to play in maintaining effective cyber security for smart building systems at different points in the building life cycle,” explains the brand-new report. “Developing integrated IT/OT security that is capable of delivering cohesive and coordinated cross-domain risk mitigation and response can be critical to ensuring that responsibility for the cyber security of smart building assets does not fall through the gaps.”