B2B Tech Talk with Ingram Micro
Episode · 1 month ago

Building Management System Security

ABOUT THIS EPISODE

Smart building technology has evolved over the last few years. In fact, we are putting all kinds of IoT technology into our buildings today to make them more energy efficient, reducing our carbon footprint and so much more.

The evolution of building technology has also led to an evolution of the infrastructure that supports it—and this new connected infrastructure means that buildings are susceptible to attacks the likes of which they never had to worry about before.

Shelby Skrhak speaks with Michael Rothschild, Director of OT Solutions at Tenable, about:

- Cyber security risk in smart building technology

- Most common vulnerabilities with building management systems

- 3 things you need to know about building management system security

- How Tenable helps with mitigating risk

For more information, contact Amy White (amy.white@ingrammicro.com) or visit tenable.com.

To join the discussion, follow us on Twitter @IngramTechSol #B2BTechTalk

Listen to this episode and more like it by subscribing to B2B Tech Talk on Spotify, Apple Podcasts, or Stitcher. Or, tune in on our website.

You are listening to B2B Tech Talk with Ingram Micro, the place to learn about new technology and technological advances before they become mainstream. This episode is sponsored by Ingram Micro Security. Strengthen your security practice. Let's get into it.

Welcome to B2B Tech Talk with Ingram Micro. I'm your host, Shelby Skrhak, and my guest today is Michael Rothschild, director of IoT Solutions for Tenable. Michael, welcome.

Thank you. It's great to be here.

Well, absolutely. I mean, today we are talking about building management system security, but first, Michael, will you set the scene or the stage for what you're seeing in smart building technology and really how much it's evolved over the past few years?

Certainly. One of the things that's interesting about buildings is we've gone to office buildings for a long time. We may live in buildings of various types, and we see these buildings getting smarter. For example, in the case of an elevator, in some cases you don't even have to press the button anymore. They have different elevators going to different places, they have HVAC systems, heating, ventilation, cooling systems, that are all smart. In some cases there are buildings that take advantage of the sun and actually have solar arrays that move around. There's all types of smart things that we're putting into our buildings to make things more efficient, energy effective, reducing costs, reducing carbon footprint and just so much more. And this requires an entire infrastructure in these buildings that perhaps we've never seen before. And that's really the basis for our discussion today, because if you think about the buildings that are there today, they can actually be susceptible to an attack because of these different types of systems, and we'll talk more about that as we go.

Well, yeah, I mean, the systems that we're talking about, yes, HVAC and lighting and, you know...

...who can access the building, those sorts of things, but IoT for building management kind of makes all of this possible. But what are the risks, and what level of cybersecurity risk really exists with smart buildings?

Right. So in smart buildings there are two major components or systems that are in place, one of which is what we call operational technology, or OT. For those that are familiar with it, there wouldn't be servers necessarily, but there are other things like programmable logic controllers, human interfaces, all of these types of things to get the system running. As you mentioned, there are also IoT, or the Internet of Things, devices. It can be something as simple as a sensor that senses if somebody's in the room and the light will go on or off. The IoT is the centerpiece and the OT piece is what actually runs the smart systems. Now, given the fact that in the past these systems were closed off, meaning that they did not have access to the internet, people didn't have any control in and out of them, they were basically an air-gapped system. There wasn't really a security concern. But today, with all of this technology, like everything else, it is a potential attack surface, and new attack vectors are being found, are being taken advantage of, that attackers can get in and make changes. They can disable security, they can change readings on stuff and do all kinds of bad things. Depending on what's actually housed in that building, it can actually be pretty dire in certain instances.

Right. Well, so I mean, I want to get into some of those specific examples. I mean, you know, what does then a cyber attack on a building really look like, maybe from the very earliest symptoms, the earliest anomalies, to, you know, a full-on attack?

Yeah. So, you know, one of the first things that we say, and this is across security in general, is that...

...hackers are not going after the hardest target. They're going after the easy targets, the quick wins, whatever their wins would be, whether it's financially oriented, which is perhaps more what we're seeing today with ransomware, or the old stuff, taking the system offline for whatever reason based on what's in that building. You know, we can make simple changes. Imagine for a moment that you're a bank and you have a data center housed in the building. All I really have to do as an attacker is raise the temperature a couple of degrees in the data center and that data center fries. In other instances, you know, if there is money, if it's a bank, I can disable certain security elements. I can do all kinds of things. When we get into the more advanced things where, you know, we're changing solar arrays or other things like that, again, pretty dire consequences. And what we're actually finding is that while today we're talking about building management systems, sometimes called BMS, or building automation systems, BAS, those are kind of used interchangeably, there's a bigger story behind that, which is our smart cities, right? So it's not just the building that's smart now, but it's buildings or a city that is smart. So again, depending on what's in the building, I can defeat security systems, climate control, I can destroy data centers, I can open up safes, so I can do all kinds of things. And the reason that this is so concerning is because if you take an office building or an apartment building or something of that nature, people are in and out all day, right? It's not necessarily as controlled an environment as, say, an office complex or high-security area. So what we typically think about when we think about identity and access control is actually reduced, because there are visitors that are coming in and out every day. So really you can have that physical manifestation of somebody actually connecting to a system causing trouble, or now, because there is no air gap anymore, people can...

...virtually go into buildings and make changes.

Well, so when you look at then what's that low-hanging fruit? I mean, you say that the cyber attackers are going to go over the easiest things first. So what are some of the most common vulnerabilities that you see with the building management systems?

Yeah, so there are a couple of attack vectors that we're seeing more frequently now, and they change, they're always fluid, but some of the things that we're seeing right now is that attackers are taking advantage of what we call IT and OT convergence. So for example, we used to say that these OT systems were self-contained, had no access to the internet, no data came in, no data came out. It was basically almost like a sterile operating room. Nothing happened. Today, because we're using things like sensors, the IoT technology that we talked about before, it automatically is connected to the internet. The problem is that while we deploy security perhaps on the IT side and we also deploy maybe some security on the OT side, today the two often don't talk to each other. So I can actually have an attack that comes in that starts on the IT side, and that's their point of entry, and then laterally creeps over to the OT side to create havoc. It's a visibility issue. That's one thing we see, the lack of visibility. If you don't know what's there, you can't secure it. The other thing that we're seeing is around vulnerabilities. So we're very familiar on the IT side, we hear about vulnerabilities all the time, in 2022 over 18,300 vulnerabilities, and frankly it happens just as frequently on the OT side. The issue being, though, with OT we often don't take down the systems as frequently for maintenance. So imagine we have a building management system in a hospital. I can't just take the hospital HVAC offline to patch new vulnerabilities. So we're seeing instances where vulnerabilities hang around for a lot longer, they're not actually identified and patched, and the result is that...

...there are now a whole bunch of vulnerabilities that are out there that are not addressed and, again, can be exploited. So I'd say that the visibility aspect and the vulnerability aspect are two major attack vectors that we're seeing today in BMS.

When you talk about the different types of buildings that we're talking about, office buildings present a different challenge than maybe a high-rise residential, and one example that comes to mind is government buildings. Can you talk a little bit about the challenges in securing government buildings and why having a building management system, you know, security protocol in place is so important?

Certainly. I mean, you know, every building has certain systems that are the same, and, you know, we are talking about things like HVAC or fire suppression, all this other stuff. But within government buildings, or let's even call them high-security buildings, they're not necessarily government solely, there are different secured areas. If you go into certain government buildings, there are floors that perhaps you can't even go to, and only certain people with certain clearance have that access. So there's a whole other level of security that we have to deploy, not only from a systems working perspective, but also from an access control and real security perspective. So it more or less amps up a little bit some of the systems that might be in place that you wouldn't necessarily see in an apartment building or a run-of-the-mill office building, but you will see in these higher-security buildings. And it also applies to other things like banks and what have you.

Can you speak to the, because, I mean, that's the thing, is that our listeners are trying to secure various types of buildings. You know, it might be an office building, it might be a high security, it might be a data center. Sure. I guess of the biggest challenges that come to mind, what would you say is most important for somebody that's looking...

...into building management system security, what do they need to understand? Like, what's the, you know, if someone walks away from this episode, what do you want them to understand about the risks specifically?

Yeah, so I think there are probably three things worth mentioning. One of the things we tend to do in security is, you know, always have this doomsday scenario, and I don't think it is a doomsday scenario. There's great security that's out there that can address many of the needs today. So we certainly don't want to say, hey, you know, everything's fine, there's no issue with security. There is, there always will be, and our job is to stay on top of it. So while the sky is not falling, we certainly want to be diligent and vigilant in terms of deploying the right security. That's the first thing. And I think that's probably one of the more important things. You want to not go, pardon the expression, "the building is on fire," but you do want to obviously secure it before there's a breach. That's number one. Number two is that OT systems like building management systems are open today. They have attack vectors into it. We talked a little bit about convergence and how there could be the lateral creep of an attack. Many buildings and many OT systems still are air-gapped, so some people think, well, that's fine, you know, nothing's coming in, nothing's going out. But in fact there are many instances of what we call accidental convergence. All that has to happen is, let's say I'm an elevator maintenance person and I go into a building that's completely air-gapped and I bring a thumb drive to upload new firmware. Well, you've just accidentally converged, right? So even if you're not planning on going the convergence route, which more and more systems are converging for really good reasons, not the least of which being IoT technology, realize that the convergence is probably going to happen and air gapping should not be your sole method of deploying security. So I...

...would say that's the second thing. The third thing that you should take away is the fact that we know there are always new attacks out there. We know that there are always new attack vectors and, as I mentioned, attack surfaces, and building management systems is but one of many others that are out there that are emerging, using OT technology, leveraging vulnerabilities, things like that. You probably already have a whole bunch of security products in place today, firewalls, IDS, VPN, whatever else have you, any other three-letter acronym you can think of. The most important thing is that these security products should work together. It should actually create an ecosystem of trust. So for example, if I have an OT security system in place, it should be giving a feed of what's happening in the OT environment to your SIEM, it should be helping to update rule sets on a firewall, bringing these systems together. As I imagine, you bought the best technology already. Now we're going to make it better and deal with this new attack surface. So always think about security in terms of this cooperative ecosystem of trust, rather than point products that do one thing really well but don't play nicely together.

Well, so when we start looking at the solutions, then, tell us about Tenable and some of the systems and products that are available to keep a building running at peak efficiency while still mitigating the risk.

Certainly. Well, Tenable is certainly known for our vulnerability management and vulnerability assessment products. That's kind of where we grew up from almost 20 years ago, and we do many other things. One of the key areas for building management systems, or for OT systems in general, operational technology systems, is something called Tenable.ot. Tenable.ot provides you with visibility, security and control across your OT environment and, more importantly, as I mentioned, it works...

...in cooperation with everything else. It gives you the visibility you need. It looks for attack surfaces on the network level, at the device level. It's able to give you a full asset inventory of what you actually have running. It allows you to find these vulnerabilities that are relevant to your system, right? Not the 18,300 vulnerabilities I gave you before, but the ones that are specific for your system, and it actually stack-ranks them on which vulnerabilities you should deal with first, second and third. And it also checks to see when changes are made. Sometimes changes are completely normal. HVAC may change from summer to winter settings, or, you know, a bunch of new people joined the company, I have to give them access to our access control system. We want those changes to go through fluidly. What we don't want is a malware or ransomware attack to make changes that anybody can go into a high-security area or anybody can turn on the heat 10 degrees hotter than it should be. So Tenable.ot really manages your OT system and does all of the things I just mentioned, but it works in cooperation with things like SIEM and SOAR and next-generation firewalls to keep that converged attack surface safe.

If we try to look in your crystal ball for what's coming next in, um, building management security and technology, what would you say? Where is technology going in the next year?

If I knew definitively, I would certainly be on a boat somewhere. Exactly. You know, I think there are a couple of things that are very obvious, and one, perhaps the most important thing, as I mentioned before, is that attack surfaces are going to continue to expand because systems are talking to each other. Attack vectors will increase, right? The hacker is always going to find the easiest way in. They're always going to find the weakest link in the chain to get in. We're seeing that already. One of the other things that we're seeing that I...

...think is really going to start to become more of an issue in terms of building management are cloud-based deployments. You know, we're doing a lot more in the cloud. There are probably going to be lots of attacks that happen based on cloud-based applications that run building management systems. I think we're going to see that, and we're certainly going to see different types of attacks that leverage IoT, the Internet of Things, that leverage things like Active Directory misconfigurations and other things like that. I think we will continue to see different attack vectors. Now, can I say definitively what the attacks are going to be? Like I said, I wish I could. The point is that you want to be forward compatible. We know new things are coming out. You know, last year was malware, this year it's ransomware, next year is going to be something else. We want to make sure that whatever we deploy today has that scalability, because we don't know what's coming next. We know that something is, but we want to make sure that we are fully compatible to deal with those attacks in a cohesive and secure manner.

Well, so if our listeners want to find out more about what we talked about today, how can they reach out?

So they can go to www.tenable.com. That's a great way. Certainly talking to your channel rep is a great way. We have tons of information. We talked a lot about BMS today, building management systems, but OT is a lot more. It's about, you know, automobile manufacturing, regular manufacturing, oil and gas, water, you name it. There are actually 16, believe it or not, there are 16 critical environments that the Department of Homeland Security says leverage OT. So there are many different areas. So we talked a lot about building management today, but if you go to tenable.com, there's a lot of information there on the vertical that is most interesting to you and really provides those use cases on how we can help keep you secured.

Excellent. Well, I appreciate all of your insight and hope to speak to you again about some more of these, maybe, blind spots that our listeners might...

...have that you can help bring to light.

Absolutely. I appreciate the time today.

And thank you, listeners, for tuning in and subscribing to B2B Tech Talk with Ingram Micro. If you liked this episode or have a question, please join the discussion on Twitter with the hashtag B2BTechTalk. Until next time, I'm Shelby Skrhak.

You've been listening to B2B Tech Talk with Ingram Micro, hosted by Kerry Roberts. This episode was sponsored by Ingram Micro Security. B2B Tech Talk is a joint production with Sweet Fish Media and Ingram Micro. To not miss an episode, subscribe today to your favorite podcast platform.
