Back in 2017, the world changed overnight when the WannaCry ransomware attack went global. And the attack didn’t discriminate – it hit anyone who hadn’t been proactively managing their Windows operating system updates and security patches.

One organization that was targeted was the UK’s National Health Service (NHS). Microsoft had previously warned the industry about the potential for such an attack, and although the fix was readily available, WannaCry still significantly impacted the NHS.

Gordon J Hollingsworth, executive director – JLL

“The JLL approach is to proactively manage the updating of our client’s Intelligent Building Control Systems (IBCS) to ensure that they have the latest security patches and operational updates,” says Gordon Hollingsworth, executive director at JLL.

In 2020, German police launched their first-ever cyber-related homicide investigation after a woman died during a cyberattack on a hospital. Hackers disabled computer systems at Dusseldorf University Hospital and the patient, who was awaiting life-saving surgery, died while being transferred to another facility. However, local reports suggest the hospital wasn’t the intended target and that the hackers had accidentally homed in on the ‘wrong university.’

A dynamically changing landscape

Over the years, the role of the IT department has evolved exponentially, far beyond what any of us could have imagined 20 years ago. Many of us are working from home in today’s world, with multiple devices connected to the internet, video conferencing, banking online and messaging services at our fingertips.

Outside of our own domestic homes, we heavily rely upon critical infrastructure that provides power, water, communications and other services that we take for granted. All these services rely on technology, whether a front-end computer or an intelligent controller sitting remotely in a control panel. If robust cyber protocols are not in place, the infrastructure is vulnerable to attack either externally or internally (malware from service engineer laptops, etc.) even if the equipment is effectively operating in island mode.

A hacker gained access to a Florida water system (located in Oldsmar) and attempted to pump in a dangerous amount of sodium hydroxide. Luckily, an eagle-eyed worker spotted the increase in chemical levels and managed to reverse the action. But what if he hadn’t?

“We have worked to develop operational strategies and procedures that help mitigate the risk of cyber-related incidents impacting intelligent building control systems and provide a client with management visibility of the status of their systems,” says Hollingsworth.

“The way we can manage the processes and procedures to reduce risk from cyber-related incidents depends on the client’s scope of service and on the size of a client’s portfolio and dedicated resources.”

Companies have historically left the management of building control systems to the engineer in the basement and have not given these technology threats the same level of focus as the corporate IT network and staff PCs. However, given how dependent building operations now are on technology, and the operational risk this poses for large corporate organizations, the legacy approach isn’t fit for purpose today: it cannot scale to manage an ever-evolving and continuing threat.

In defence of traditional facilities managers, IT security isn’t their core competency, and over the last few years, IT connectivity and management have become increasingly complex. Safely and securely managing these systems is a hefty burden that requires constant attention and expertise that may well go beyond the competency of a typical facilities manager. Therefore, continuous training on cyber risk related to intelligent building control systems (IBCS) is essential where clients are reliant upon the classic facilities manager/engineering management of IBCS.

The proliferation of intelligent building control systems, particularly within mission-critical environments like data centers, continues to gain traction. However, many operations still take a classical approach to operating and maintaining their IBCS, which is generally left to the back-of-house teams.

Everything from working with vendors to applying software and firmware updates needs to be taken care of. Underpinning this is a laser focus on the investment required to support it going forward.

Historically, IBCS have been down the priority list for investment, but with the reliance on this technology becoming ever more important, this will need to change. Education of clients and the engineering teams is key to ensuring that IBCS are a high priority for investment so that they are kept up to date to minimise cyber and operational risk.

When teamed with robust IBCS, intelligent buildings can be a fantastic environment. Manual processes can be automated and data can be gathered, allowing you to make customer-focused decisions and deploy resources efficiently to meet their needs. The opportunity is massive, but continuous focus is required; the more sensors you put in place without good controls, the more potential risks are created.

How risky is a fish tank?

“When deploying IoT technologies in the built environment, ensure that these are not connected to the core business IT network, but are on their own segregated backbone infrastructure,” advises Hollingsworth.

Back in 2017, a North American casino fell foul of this when hackers managed to get into the wider network via a fish tank. This seemingly innocuous fish tank had connected sensors to regulate the tank’s temperature, food and cleanliness, which for the guy just trying to care for the fish, was all well and good. Unfortunately, because it was attached to the core business network, hackers used it as a gateway into the client’s network, stealing about 10GB of casino data, which was subsequently sent to a device in Finland.

Although it may seem obvious not to compromise your core business function with IoT sensors, unfortunately, this does happen and is driven by the needs and expediency of connecting to an existing IT infrastructure.

“Historically, IT competence doesn’t normally exist in the facilities management world, yet all these IBCS, networks and connectivity do,” says Hollingsworth. “If you think about cyber training in a general organization, it usually encompasses information security training on your PC, password management, internet and email.”

“That doesn’t cover operational training about the firmware updates, BIOS updates, malware updates, what vendor software you’re putting on your IBCS or how you should patch your Windows operating system. The typical training doesn’t cover best management approaches or operation and maintenance of IBCS and IoT environments.”

Increasing the stakes from the casino fish tank incident, in November 2019, a nuclear power plant in India was hit with a malware attack, which was later attributed to North Korea’s Lazarus Group. The mistake made here was that those running the plant assumed it was safe because it wasn’t directly connected to the internet.

“Air gapping or operating in island mode may protect you from being hacked directly from the outside world, but it doesn’t prevent someone connecting with a laptop directly to the system that is infected.

“In this instance, a vendor connected with a laptop that had malware, which identified devices and potentially would communicate system configuration when the laptop was next connected to the internet. This then creates a risk of a more sophisticated attack at a later date.

“This is why we have management processes in place that ensure before any vendor connects a laptop to any system, that it is scanned, and if an issue is found, that the work is stopped immediately prior to being connected to any equipment,” says Hollingsworth.

Education, education, education

JLL is working with the industry to develop technical training for facilities managers to keep client operations safe.

JLL has created an inspection and assurance programme that features management oversight. This programme carries out a focused review of assets within a built environment, to ensure the firmware, anti-malware and anti-virus definitions, operating systems, etc., are all current.

“We have developed our CMMS system to create a capability where we can track not only engineering assets, but also assets that are software- and firmware-based, so we can monitor revisions and compliance to make sure we do mandatory updates.

“Some years ago, we also introduced a software/firmware permit to work. This is an authorization to perform software and firmware updating on IBCS systems,” says Hollingsworth.
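The two controls described above, segregating IoT and IBCS from the core business network and tracking software/firmware revisions in an asset register so that overdue updates are visible, can be checked mechanically once the register exists. The following is an added example written for this article, not JLL’s CMMS code; the asset fields, the segment name `corp-lan`, the asset types treated as IBCS/IoT and the sample register entries are all assumptions made for illustration.

```python
"""Added example (not JLL's code): a minimal IBCS/IoT asset register check.

Assumed data model: each asset has a name, type, network segment, installed
firmware version and the vendor's current release. Assumed policy: IBCS/IoT
devices must not sit on the corporate segment, and installed firmware must be
at or above the vendor's current release. Both are illustrative choices.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CORPORATE_SEGMENT = "corp-lan"                   # assumed name of the core business network
OT_TYPES = {"bms", "hvac", "iot-sensor", "plc"}  # assumed asset types treated as IBCS/IoT


@dataclass
class Asset:
    name: str
    asset_type: str
    segment: str
    installed: str   # firmware/software version currently deployed
    current: str     # latest vendor release recorded in the register


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically.

    A plain string comparison would rank '1.9.0' above '1.10.0' and hide an
    outdated device, which is exactly the kind of gap a register must not have.
    """
    return tuple(int(part) for part in v.strip().split("."))


def check_asset(asset: Asset) -> List[str]:
    """Return the policy findings for one asset (an empty list means compliant)."""
    findings = []
    if asset.asset_type in OT_TYPES and asset.segment == CORPORATE_SEGMENT:
        findings.append(
            f"{asset.name}: {asset.asset_type} on {CORPORATE_SEGMENT}; "
            "move to a segregated OT segment"
        )
    if parse_version(asset.installed) < parse_version(asset.current):
        findings.append(
            f"{asset.name}: firmware {asset.installed} behind vendor release "
            f"{asset.current}; raise a software/firmware permit to work"
        )
    return findings


def audit(assets: List[Asset]) -> Dict[str, object]:
    """Summarise the register: assets checked, how many failed, and every finding."""
    report: Dict[str, object] = {"checked": len(assets), "non_compliant": 0, "findings": []}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report["non_compliant"] += 1
            report["findings"].extend(findings)
    return report


# Constructed sample register (illustrative values, not real devices).
SAMPLE_REGISTER = [
    Asset("bms-controller-01", "bms", "ot-vlan", "4.2.1", "4.2.1"),
    Asset("chiller-plc-02", "plc", "ot-vlan", "1.9.0", "1.10.0"),      # behind: 1.9 < 1.10
    Asset("fishtank-sensor", "iot-sensor", "corp-lan", "2.0.0", "2.0.0"),  # wrong segment
    Asset("fm-laptop-07", "workstation", "corp-lan", "10.0.19045", "10.0.19045"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_REGISTER)["findings"]:
        print(line)
```

Run stand-alone, the script lists the two non-compliant assets: the PLC whose firmware is a release behind, and the tank sensor sitting on the corporate segment. In practice the register would be exported from the CMMS and the vendor’s current release fed in from the tracked vulnerability and compliance sources, so the same check runs on every inspection rather than relying on an engineer remembering which controller is overdue.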

Dave Barrett, JLL’s global intelligent systems manager, has created standards on cyber security requirements for IBCS.

“We help our clients make sure they don’t have IBCS on their core networks and provide assurance, management oversight and accountability, and we’re offering investment planning advice via our investment planning tool. It has a category for cybersecurity investment so we can identify that as a specific high-risk investment need, and the organization can focus and prioritize their investment.”

The information you obtain is only as useful as it is accurate, which is why JLL consistently ensures its advice remains relevant and up to date via the tracking of current compliance issues, published vulnerabilities, as well as operator knowledge and lessons learned. The company is arranging a panel of OEM experts to discuss cybersecurity in the industry with one of its major clients and wants to engage with OEMs to help drive and adopt improving standards and security protocols.

JLL offers best-in-class service to its clients, encouraging them to apply enhanced management of their intelligent building control systems and elevating them from a reactive approach to cybersecurity to proactive, best-practice management.