It’s 7am Monday morning. Coffee in hand, you’ve settled into your daily routine and just sat down at your desk to review alarm logs and respond to emails that came in over the weekend. Much to your confusion and shock, the screen that usually prompts you to log in for the day now shows only a glaring red image with a menacing message at the top announcing that your entire system has been locked, directing you to transfer $10 million in Bitcoin to a lengthy address.
So, what do you do?
If you can’t immediately think of an answer, take this as a sign to build a cybersecurity incident response plan into your safety plan. That’s right: you should start treating cybersecurity as a safety issue.
Impacts to your operations
Consider all the negative impacts to your operation, beyond the annoyance of not being able to access your systems:
- Safety – if you don’t already, start treating cyber attacks as primarily a SAFETY issue, as Lucian Niemeyer shared at the IFMA Executive Summit 2024. If your physical access control system (PACS) were compromised, a malicious script could, in theory, command every door to unlock. If attackers breach your elevator system, they could endanger occupants by overriding car commands and holding doors closed indefinitely. A BMS compromise could drive equipment into positions that set up a catastrophic failure, for example over-pressurizing ductwork until it ruptures, creating a hazard for everyone in the building.
- Financial – according to blockchain data company Chainalysis, ransomware payments worldwide reached $1.1 billion USD in 2023, a record high.
- Reputational – as if the first two outcomes weren’t jarring enough, there is a strong chance that a hack of your OT system will make the news at some point. Your customers will then lose some trust in your company’s overall operations, especially its ability to protect their data.
It’s remarkably easy to break in
According to the 2023 Microsoft Digital Defense Report, 78% of IoT devices on networks monitored by Microsoft Defender (Microsoft’s platform for monitoring devices and networks for malware and intrusions) have known vulnerabilities: publicly documented flaws, and weaknesses of the kind catalogued by OWASP (Open Web Application Security Project), originator of the ubiquitous “OWASP Top Ten” and of a companion IoT Top Ten. Examples include weak, guessable passwords, no device management, and unnecessarily open network ports. Worse, of those 78% of devices, 46% run deprecated firmware, meaning the manufacturer no longer supports or patches it. Even if you wanted to fix the underlying flaw, no update will ever ship for it; your only options are compensating controls (network segmentation, disabling unneeded services, restricting who can reach the device) or replacing the hardware.
For a moderately experienced attacker familiar with the OWASP Top Ten and similar vulnerability lists, working through the stages of an attack on a poorly-managed (read: “vulnerable”) OT system can be straightforward:
- Reconnaissance – find publicly-accessible OT devices and systems by IP address, or learn about them through social engineering. Tools include Shodan and Censys, search engines that index Internet-exposed devices such as those found in BMS, LMS, and similar systems.
- Enumeration – once a device such as a BMS router or supervisor is reachable, scan it for open ports, exposed web directories, and known vulnerabilities. Tools include nmap, gobuster, and ffuf.
- Gain Access – try the vendor’s default credentials, or brute force the login with an automated tool and a wordlist of globally-common passwords. Tools include Metasploit and hydra for guessing against a live login, and John the Ripper for cracking any password hashes recovered along the way.
- Privilege Escalation – exploit an identified vulnerability to gain administrator access. Public exploit write-ups, capture the flag (CTF) walkthroughs, and “reverse shell” generators give attackers ready-made recipes.
- Execute Objective and Lateral Movement – deploy payloads such as ransomware, which encrypts your files until you pay a ransom, generally in cryptocurrency. Attackers can also traverse the network the OT device sits on to find other servers holding sensitive information and exfiltrate that data for financial gain.
- Cover Tracks – before leaving, attackers delete access and server logs to disguise their activity. Logs kept only on the compromised device are easy to erase; copies forwarded to a separate collector are not.
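The “Gain Access” stage is also the most visible one in logs, because online password guessing leaves a trail of failures before it succeeds. The following Python script is added here as an illustration; it is not from the original article or from any vendor product. It runs simple detection logic over a constructed BMS supervisor login log and flags a burst of failures from one source, a success that follows such a burst, and a successful login to a factory-default account from outside RFC 1918 address space. The log format, the addresses, the account names and the timestamps are all assumed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical BMS supervisor login-log format.
# The format and every address, user and timestamp are invented for this example;
# real vendors log differently. 203.0.113.7 plays the Internet-side attacker.
SAMPLE_LOG = """\
2024-03-04T06:58:01Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:02Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:03Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:04Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:05Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:06Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:07Z src=203.0.113.7 user=admin result=FAIL
2024-03-04T06:58:09Z src=203.0.113.7 user=admin result=OK
2024-03-04T07:01:10Z src=10.20.30.5 user=fmtech result=OK
2024-03-04T07:05:40Z src=10.20.30.9 user=fmtech result=FAIL
2024-03-04T07:05:55Z src=10.20.30.9 user=fmtech result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Account names that ship as factory defaults on many controllers (illustrative, not exhaustive).
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "service", "user"}

# Address space treated as "inside the building network" (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def detect(text, threshold=5, window=timedelta(minutes=2), min_fails_before_success=3):
    """Return alerts for three patterns from the 'Gain Access' stage:
      brute_force                   - `threshold` failures from one source inside `window`
      success_after_failures        - a login that succeeds after a run of failures
      default_account_from_internet - a default account used successfully from outside RFC 1918 space
    """
    alerts = []
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)

    for src, events in by_src.items():
        events.sort(key=lambda ev: ev["ts"])
        recent_fails = []  # timestamps of failures still inside the sliding window
        for e in events:
            recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
            if e["result"] == "FAIL":
                recent_fails.append(e["ts"])
                if len(recent_fails) == threshold:  # fire once per burst
                    alerts.append({"kind": "brute_force", "src": src, "user": e["user"], "ts": e["ts"]})
                continue
            # Success path: was it preceded by guessing, and is it a default account from outside?
            if len(recent_fails) >= min_fails_before_success:
                alerts.append({"kind": "success_after_failures", "src": src, "user": e["user"],
                               "ts": e["ts"], "prior_failures": len(recent_fails)})
            if e["user"] in DEFAULT_ACCOUNTS and not is_internal(src):
                alerts.append({"kind": "default_account_from_internet", "src": src,
                               "user": e["user"], "ts": e["ts"]})
            recent_fails = []  # a success ends the burst
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["src"], a["user"])
```

A check like this only works if the logs survive, and the final stage above is deleting them. Forward the supervisor’s logs to a collector that the BMS accounts cannot write to, and run the detection there rather than on the device.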
If you’d like to experience a hands-on walkthrough of how you might intercept MQTT messages to interfere with BMS and LMS operations, check out TryHackMe’s “Day 24: You can’t hurt SOC-mas, Mayor Malware” that deals directly with ICS and OT systems. World-renowned cybersecurity researcher and lecturer, Katie Paxton-Fear, shares a fascinating walkthrough here.
Lastly, note that every one of the software tools listed above is free and easy to find with a few internet searches.
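To make concrete what “intercepting MQTT messages” means, here is an added Python example, written for this page and not taken from TryHackMe, from Katie Paxton-Fear, or from any BMS vendor. It builds and parses MQTT 3.1.1 PUBLISH packets by hand; the topic name bms/ahu1/setpoint, the JSON payload and the “captured” byte string are constructed for illustration. The point it demonstrates is why a broker reachable without TLS and without client authentication is dangerous: the topic and the setpoint travel in cleartext, and nothing in the packet itself ties it to a legitimate publisher, so a forged packet carrying the captured topic and a new value is indistinguishable from the real one.

```python
# MQTT 3.1.1 PUBLISH packets, built and parsed by hand. Topic names, payloads and
# the "captured" bytes below are constructed for this example, not from any real system.


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit = 'more bytes follow'."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf, offset):
    """Decode the variable-length integer at buf[offset]; return (value, next_offset)."""
    value, multiplier = 0, 1
    for _ in range(4):  # the spec allows at most four bytes
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed remaining length")


def build_publish(topic, payload, qos=0, packet_id=None, retain=False):
    """Assemble a PUBLISH control packet exactly as it appears on the wire."""
    if qos not in (0, 1, 2):
        raise ValueError("qos must be 0, 1 or 2")
    if (qos > 0) != (packet_id is not None):
        raise ValueError("packet_id is required for QoS 1/2 and forbidden for QoS 0")
    topic_b = topic.encode("utf-8")
    body = len(topic_b).to_bytes(2, "big") + topic_b  # 2-byte length prefix, then topic
    if qos > 0:
        body += packet_id.to_bytes(2, "big")
    body += payload
    first_byte = 0x30 | (qos << 1) | (1 if retain else 0)  # type 3 = PUBLISH, plus flags
    return bytes([first_byte]) + encode_remaining_length(len(body)) + body


def parse_publish(pkt):
    """Take PUBLISH bytes apart. Everything, topic included, is cleartext: nothing in
    the packet identifies or authenticates the sender."""
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    retain = bool(pkt[0] & 0x01)
    remaining, off = decode_remaining_length(pkt, 1)
    end = off + remaining
    if end != len(pkt):
        raise ValueError("length mismatch")
    topic_len = int.from_bytes(pkt[off:off + 2], "big")
    off += 2
    topic = pkt[off:off + topic_len].decode("utf-8")
    off += topic_len
    packet_id = None
    if qos > 0:
        packet_id = int.from_bytes(pkt[off:off + 2], "big")
        off += 2
    return {"topic": topic, "payload": pkt[off:end], "qos": qos, "retain": retain, "packet_id": packet_id}


# A constructed capture of what an air handler's setpoint publish looks like on an
# unencrypted broker connection: 0x30 = PUBLISH/QoS 0, 0x26 = 38 remaining bytes,
# 0x0011 = 17-byte topic, then the topic and the JSON payload in the clear.
CAPTURED_PUBLISH = b"\x30\x26\x00\x11" + b"bms/ahu1/setpoint" + b'{"setpoint_c":21.5}'


def forge_setpoint(captured, new_payload):
    """Reuse the topic from a captured packet to craft a spoofed publish (QoS 1, packet id 1).
    With no TLS and no broker authentication, a broker accepts this from anyone on the network."""
    topic = parse_publish(captured)["topic"]
    return build_publish(topic, new_payload, qos=1, packet_id=1)


if __name__ == "__main__":
    print(parse_publish(CAPTURED_PUBLISH))
    spoofed = forge_setpoint(CAPTURED_PUBLISH, b'{"setpoint_c":35.0}')
    print(spoofed.hex(), parse_publish(spoofed))
```

The fix lives on the broker, not in the packet: require TLS, issue per-client credentials or client certificates, and apply topic ACLs so that only the controller responsible for bms/ahu1 may publish to that topic.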
Steps you can take immediately
We recommend taking several actions to better prepare you and your team for the growing risk of cyber attacks on OT systems:
- Build a Cyber Response Plan – work with your IT and Chief Information Security Officer (CISO) organizations to adopt their processes for responding to cybersecurity incidents as part of your overall continuity plans.
- Add cybersecurity to existing standards – with those same IT and CISO stakeholders, ensure your OT system installation standards adhere to those of your enterprise IT organization (if you have one). For example, consider requiring your BMS supervisor software to pass an Information Security (InfoSec) review (penetration tests, SOC 2 evidence reviews, etc.) and to integrate with your company’s single sign-on (SSO) provider before you install it on a virtual machine connected to the corporate network.
- Develop a Cyber Commissioning Plan – just as you include technology standards documents in vendor contracts, you should also develop and execute a Cyber Commissioning Plan to verify those standards are met before you accept a new system at turnover. Keep in mind that cyber commissioning should extend beyond technology; often, humans are the weakest link in the chain. Social engineering exercises can be included in commissioning to test the effectiveness of your staff training.
Keep in mind that when it comes to cyber defense, you and your safeguards have to be right 100% of the time. Nefarious actors just have to be right once in order to wreak havoc and cause damage.