“Perhaps one of the greatest fears shared by critical infrastructure professionals in today’s age of connected infrastructure is the risk for a cyber attack that goes beyond data theft and can bring down the entire facility HAVAC system or a high-rise tower control system and even threatens occupants’ lives,” says Dr Rida Hamza, VP of Critical Infrastructure Protection at Parsons.
“This pervasive introduction of sensors and connected devices into our lives and with such a divergent and broad technical understanding required to execute this transformation quickly, it begs the question of how well versed and disciplined we are in applying proper measures,” Hamza continues.
There have now been enough cyber attacks for everyone to understand that there is a danger and to know that they must protect their systems or face potentially catastrophic consequences. The time has come to stop complaining about cyber attacks and focus on how to protect our emerging smart society.
“I see no helpful reason to cry wolf or further project the ominous and dire warnings about damaging cyber events, hacks, outages or problems. We are aware of those on our own. We should be talking about solving or improving the work that we do, the difficulty of the task at hand. We should be promoting concepts that deliver positive outcomes and improve this smart infrastructure,” says Hamza.
One of the key cultural barriers holding back our security efforts is the digitization of operational technology. OT has traditionally been kept separate from IT networks and all things cyber, both good and bad. However, the Internet of Things (IoT) has presented too many potential benefits to ignore, and for many of the people who own and operate those OT systems, cyber-threats appear to be too easy to forget. More often than not, connected equipment is purchased and installed with little thought of cybersecurity. Protective measures are then added as an afterthought, usually bolted on through a software modification in reaction to an attack.
The reality is that IT and OT can no longer be considered separate in our smart buildings and cities, while operational by function our connected OT systems are now driven by data. The majority of OT networks are transited over a building’s IT networks, utilizing the same internet protocols, operating systems, and often connected wirelessly. Unless cybersecurity is applied to smart-OT at the earliest stages of development, we will lose ground in the war with cybercriminals and hold back the development of our smart future. The IT community knows this all too well.
“In the past, the IT teams delivered digital systems to achieve corporate efficiencies: office tools, email, internet-connected business processes and other improvements to corporate performance and personal quality of life measures. When we tried to bolt on cybersecurity, we often disrupted the performance of the digital systems we were trying to protect. The cyber efforts often collided with system performance, all without even understanding the IT department’s mission of delivering digital capabilities,” says Hamza.
“Today is not much different. If we are to converge cybersecurity with our infrastructure systems, we need to have a unified approach. If we don’t accomplish this, we will just repeat the IT and cyber errors that have been the bane of business delivery and customer satisfaction,” Hamza continued in an article on ME Construction News.
We need a unified approach to cybersecurity across OT and IT systems in our smart buildings and cities, and we need to need to apply that approach from the earliest design phases. If we are motivated to invest in smart technology for all the benefits it can bring, then surely the potential loss of those systems through cyberattack is motivation enough to protect them effectively. However, cyberattacks not only disrupt systems and steal data, they also have the potential to cause irreparable damage and endanger people’s lives.
“While it remains an attractive and futuristic concept to have truly smart cities and mind-blowing technology at our fingertips, there are many steps to be taken to ensure that it is safe to step into that advanced world,” says David Emm, principal security researcher at Kaspersky Lab. “Cybercriminals are licking their lips at the prospect of havoc and financial gain that smart cities present them, and we must not oblige by depending on networks that aren’t safe, and easily hackable.”
As is all too often the case, we will have to look towards governments to introduce strong cybersecurity regulation. That appears to be the only way to ensure that all connected aspects of smart buildings and cities are operating at the same minimum standards.
Only regulation can force every OEM to put their equipment through extensive security planning and design. Only regulation will guarantee those building owners and operators invest in secure smart systems. As governments around the world brag about their smart credentials they also set their citizens up for cyber-disaster unless they take action to mandate effective cybersecurity standards.
“Governments the world over have to set cybersecurity regulations, including how security is designed and maintained in connected devices that will circulate throughout buildings, from smart lighting to networked door systems,” says Emm, who previously spoke to us on cybersecurity culture. “It is the responsibility of governments and cybersecurity firms to ensure that awareness and knowledge is spread on how to defend against cybercriminals, particularly as nearly every aspect of our lives now involves being online or using connected devices.”