Facility Cybersecurity: Looking Beyond Computer Systems for Maximum Facility Safety

System control data and information security is one of the keys to successful facility operation and management. The access, process, transmission and storage of critical facility control system data and information must be protected.

Companies seek ways to strengthen cybersecurity measures to protect their critical data from theft and attacks, and WSP is offering solutions that help them lock down often overlooked facility-related control systems (FRCS) vulnerabilities that exist outside the traditional enterprise information systems and networks.

WSP works with facility managers and control system engineers to provide cybersecurity planning and design services for facility related control systems (FRCS) – the technology systems used to monitor and control electrical, mechanical, lighting control, fire life safety, electronic security systems and other facility control systems within a building or a campus.

“The facility technology cybersecurity services provided by WSP focuses on electronic security systems, building utility management and control systems, and fire and life safety systems,” said Jaco Cronje, solution architect for Building Technology Systems at WSP. “This differs from traditional IT or enterprise cybersecurity, which handles internal computer systems, such as firewalls, email blocking, password management, people directories, operating system updates and malware protection.”

Cyber attackers have successfully accessed classified company data using HVAC systems, electronic security system, and in one case, a cloud-connected fish tank sensor as entry points into the network.

A security breach in an insufficiently protected facility could cause an elevator to shut down between floors, override lighting and air conditioning unit controls, falsify security camera footage, steal personal data, lock or unlock access-controlled doors, or completely shut down a building’s electrical supply.

“Cybercriminals actively scan and explore to find the weakest point to hack into a corporation,” Cronje said. “A sophisticated cyber attack on a facility’s vulnerable control systems could allow unauthorized entry into the enterprise network, or cause a multitude of major disruptions that would impact productivity or create panic that could lead to injury, data theft or extortion.”

Cloud connected building systems are becoming the standard for modern building design, but with rapid advancements in technology comes the parallel threat of cyber-crime. This places these systems increasingly at risk of attack resulting in operational downtime, economic losses, reputational damages and data breaches.

For operational technology (OT) platform networks, WSP provides engineering technical specifications for the U.S. in CSI Division 25, which outlines the measures vendors need to take to increase the cyber resilience of their solutions, including password rules, device hardening, developing approved vendor lists and approved connectivity channels.

Cyber resilience evaluates measures taken by relevant design and operating authorities to improve a building’s virtual or network protection so the facility can remain operational in the wake of online or cyber-attacks.

“Smart buildings focus on integration between all building systems over a converged building network, which means the opportunity to reach any system by accessing one weak system is significantly greater,” Cronje said. “OT cybersecurity is traditionally not prioritized and is not a core focus by enterprise IT departments, which leads to the door being left open.”

Smart buildings work on the premise of connecting to some form of enterprise data set, which inherently means there is a connection to the enterprise IT network. “This creates a channel that can lure hackers to use the OT network as an entry into the IT network,” Cronje added.

WSP provides its clients with “resilient cybersecure design” in order to offset these threats. Cyber resilience focuses on improving the building’s sub-systems to remain operational and withstand attacks through cyber-related channels such as internet, WiFi or software applications.

Following security best practices in order to maintain a resilient environment for cyber-attacks, mitigations facility owners can take include:

• creating and maintaining inventories of all production systems;
• standardizing production systems to the same software versions to minimize maintenance requirements;
• creating and maintaining inventories of all security controls, such as routers and firewalls;
• comparing reported vulnerabilities against inventory lists; and
• keeping operating systems patched to the latest releases.

WSP collaborates with a facility’s IT provider to create a plan designed to protect the facility and its control systems from external access.

When working on a FRCS plan, WSP uses a Day-Zero cybersecurity readiness approach, which protects building data, maintains system integrity, ensures compliance with federal government and industry guidelines and increases awareness.

“To ensure a building’s readiness for Day-Zero, WSP brings together its expertise in analysis, evaluation and design of cybersecurity measures in order to minimize the risks of breaches to an FRCS in buildings from the onset,” Cronje said. “This approach ensures that cyber resilience is woven through the entire design of the building.”

Understanding the unique needs each organization requires is also critical to maintaining a successful, resilient facility cybersecurity system.

“The needs of a medical facility will be different to the regulatory requirements from the requirements in a commercial office building, sports center or transit hub,” Cronje said.

Transportation facilities, for example provide numerous control system risks, such as automated bus and rail doors, train signaling systems, water leak sensors, HVAC systems and interception of financial records that could lead to the cloning of tickets or credit card information and made available onwards on the dark web.

“The technology we have at our fingertips today is very exciting and helpful, but in the wrong hands it can be catastrophic for facilities,” Cronje said. “For anyone responsible for the protection of a facility and its clients from these threats, there is peace of mind when factoring the facility control systems into the entire cybersecurity plan.”

For more information about WSP's facility cybersecurity services, visit: https://www.wsp.com/en-US/services/building-cybersecurity 

[To subscribe to Insights, contact the editorial staff at [email protected].]