CYBERSECURITY, TECHNOLOGY
BREAKING DOWN BUILDING SYSTEM THREATS AND CYBERSECURITY FOR CRE BY: FRED GORDY Building cybersecurity has become a “real thing”. That is good but this too introduces issues. In this article, I will give real-world examples of four incidents that my company has experienced. Two scenarios presented as attacks. Two occurred with with good intentions, but a lack of understanding. These stories are based on actual events with modifications to mask the identity of those affected.
Printer Empties a Building Event Type: Hack Site assessments are a part of our day-to-day routine. This customer had contracted us to assess a sample set of buildings to get an assessment of where they stood. The first site we visited was one of their flagship locations with a couple of highvalue target tenants. The systems to be evaluated were typical systems such as the HVAC, lighting, access control, elevator, etc. During the initial walkthrough, our assessor asked to see the parking system but was informed that it was not connected to any building networks and, therefore, would not be included in the assessment. The assessor asked if there were any policies that they, the building owner, required of the parking vendor. The company rep said no other than the usual. The assessor said, “Who’s name is on the building?” Nothing else was said. A few weeks later, the assessor returned to this site. Between the first visit and this visit, an event had happened related to the parking vendor. The parking system had a network, and someone had added a wireless access point that was open to the web and had default credentials. Someone from the outside had gotten to the network printer and printed, “There is a bomb in the building.” As a result, the building had to be evacuated and called emergency services to locate the bomb. No bomb was found; however, 30 floors of tenants- including two high-value tenants- lost productivity for over 24 hours, in addition to the reputation damage done, the person or persons responsible were never identified.
92 Days to Recover Event Type: Hack A day before this event, a building engineer checked his personal email on the application server. He received an email that appeared to be from a fellow engineer. The building engineer that checked his email thought it was unusual that the employee had sent an email to him to his personal email, but the email had a link to a site that appeared to be something that might have come from this employee. The link did not take the engineer anywhere. It just appeared that the other employee had not copied the link correctly. The building engineer talked to the person that sent it later in the day and told them the link he sent didn’t work, for which the person let him know they had not sent him anything. Additionally, he advised that if he had sent it, the email would have gone to his work email because he didn’t know his personal email. None of these inconsistencies caused the engineer to notify anyone about what happened. They did, however, back up the application server to an external hard drive just in case. The day ended without incident. About mid-morning the following day,, another engineer needed to make setpoint adjustments because tenants on the 10th floor complained that their area was too cold. The engineer went to the application server to make the adjustments and noticed that a window was opened he had never seen. There was a message that said: “Your Important files are encrypted. Many of your documents, photos, videos, databases, and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files but do not waste your time. Nobody can recover your files without our decryption service.” There were also instructions on how to recover and how to pay for the recovery. There was also a countdown timer letting them know that all their files would be lost. The engineer that clicked the link the day before was also in the room at the time and let the other engineer know that he had made a backup the day before and that they should call the vendor and have them reinstall the operating system and the application. The vendor was able to reinstall the operating system and installed the application and the files necessary to get the application up and running. This took a couple of days. Prop Tech & Cybersecurity Guide | June 2022
16
