While today’s facilities are successfully incorporating technology for building management and operations, organizations are slower to adopt the tools needed to harden facility defenses against cybercriminals. According to cybersecurity firm Dragos’ “OT Cybersecurity Year in Review 2023” report, the recent “surge in global tension increased cyberthreat activity and disruptions in critical infrastructure worldwide.” Facilities are vulnerable due to increased cyberthreats. The common practice of compartmentalizing IT management and expertise outside of building maintenance and planning capital projects also leaves many facilities with poor defenses against malicious intrusions.

Why cybersecurity risks to industrial facilities are growing

From the systems used to manage the facility’s environment to the operations running within it, technology is increasing the attack areas for cybercriminals in these complex buildings. Today, capital projects and maintenance are as much about technology as they are building material. Yet, despite the growing risks associated with the technologies and the people who use them, insufficient attention is given to technological defenses.

Many factors contribute to the growth of connected technologies in facilities. The Internet of Things (IoT) connects building systems and management services to facility operations, which allows malware to move quickly across facility networks. The cybercriminals who attacked American retail chain Target’s HVAC vendor with a phishing scheme used their access to the HVAC system to reach the company’s payment terminals. Every company gathers vast amounts of high-value data to run sophisticated analyses to improve operations. This data is an attractive target to hackers and a means by which they navigate interconnected data servers and analysis platforms, facilitating access to all systems after one is breached. Open infrastructure, including ethernet and Wi-Fi, provides scalability, speed and remote accessibility that can facilitate malware delivery throughout the entire network just as easily as it delivers emails, data and commands.


Human vulnerabilities can increase the risk of intrusions. Social engineering is becoming more sophisticated, with cybercriminals devising a growing variety of schemes to trick and manipulate users into sharing information or breaking security procedures. There is also a growing shortage of cybersecurity skills and personnel. The ISC2’s Cybersecurity Workforce Study reported that two-thirds of its respondents said their organizations do not have enough cybersecurity staff to prevent or resolve threats. The manufacturing (67 percent), automotive (71 percent) and aerospace (76 percent) industries are all experiencing serious shortages of cybersecurity staff, leaving these facilities vulnerable without outside assistance.

IT management is often absent from facilities or, when present, onsite IT technicians may lack the skills or authority to address a cyber incident or to ensure that the building’s security posture is maintained. The rapid evolution of cyberthreats is outpacing the efforts of facility managers and IT personnel to implement effective defenses, leaving industrial facilities increasingly vulnerable to attacks.

Facility cyberattack vulnerabilities and outcomes

Cybercriminals have several options to exploit vulnerabilities within a facility’s cyberdefenses. Most facilities have a variety of interconnected networks, including public Wi-Fi, that might lack appropriate segregation and traffic control measures. One improperly configured device could let someone use the building’s public Wi-Fi as a gateway to an internal network.

The rise in remote workers and monitoring systems has introduced increased risk. Every remote entry point is a new intrusion vector. Weak authentication measures or a successful social engineering attack could exploit them to gain unauthorized access to sensitive systems.

Someone authorized to be at the facility could also launch a cyberattack. The person could be an employee or vendor who is part of a corporate espionage scheme or is merely disgruntled. Inadequate physical access management could allow them unauthorized access to a server or network room. Once in the room, the cybercriminal can install malicious software or simply rip out cables. It is critical to restrict entry with effective access control systems and to monitor for suspicious activity, such as repeated badge usage within a short time frame.

Every company has assets that can attract cybercriminals and be exploited through a ransomware attack. If a hacker can freeze a facility’s operations until a ransom is paid, the question becomes how much downtime the organization is willing to risk. German manufacturer Wildeboer Bauteile was the subject of a ransomware attack in July 2023. The incident severely restricted the company’s ability to communicate with suppliers and customers, and the attackers encrypted the company’s data. The company refused to pay the ransom and was forced to halt production for nearly a month before it could operate safely again.

Cybersecurity risk assessment is a critical component of facility cyberdefenses

Every comprehensive and effective cybersecurity program starts with a risk assessment. Facilities that do not conduct a thorough cybersecurity risk assessment leave themselves open to intrusion. A cybersecurity risk assessment aims to identify and prioritize potential threats and to outline specific risk mitigation strategies. Involving internal stakeholders and external cybersecurity experts is essential to ensure a comprehensive assessment. The internal experts are critical to providing details and insights into the facility's operations, while the external cybersecurity experts bring the experience to sort through the vast scope of possible vulnerabilities, threats and mitigation strategies.

There are five phases in well-established cybersecurity risk assessments. Different risk assessment standards or methodologies may label or categorize each phase differently, but they all cover these steps for identifying, evaluating, and mitigating potential cyberthreats.

  1. Asset inventory and documentation. This is the foundational phase of cybersecurity risk assessment. Here, all digital assets within a facility, including hardware, software and data, must be identified. Each asset’s characteristics, such as location, function and importance, are documented. With a complete asset inventory, the risk assessment team comprehensively understands the facility’s digital landscape.

  2. Threat identification. It is vital to analyze potential cybersecurity threats that could target facility assets. The risk assessment team assesses various threat sources, from hackers to insider threats. By understanding potential attack vectors and their motivations, company stakeholders can prioritize protective measures and allocate resources efficiently. This ensures that critical areas receive sufficient attention while avoiding unnecessary expenditures on less probable or lower-impact threats.

  3. Vulnerability assessment. During this phase, the risk assessment team systematically identifies weaknesses in the facility's cybersecurity defenses. By uncovering these weaknesses, managers can prioritize immediate steps to strengthen defenses, reducing the risk of exploitation by cyberthreats.

  4. Risk analysis. Risk analysis involves assigning values to assets, threats and vulnerabilities to calculate the overall risk level. Companies may have existing corporate risk assessment policies or standards to categorize assets. Risks are weighted by factors such as the criticality of assets, the effectiveness of existing controls and the likelihood of exploitation. This analysis enables a nuanced prioritization of mitigation efforts, targeting vulnerabilities that pose the greatest risk to the facility’s operations and assets.

  5. Risk mitigation recommendations. These recommendations provide the specific strategies and controls that the cybersecurity experts propose for addressing the identified cybersecurity risks within the facility. The recommendations section gives detailed lists of actions and safeguards to take, including technical solutions, policy and workflow enhancements and employee training initiatives. Generally, when systems integrators conduct the risk assessment, they will also assist in implementing the technical defenses.
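Phases 1, 4 and 5 above, carried through as an added example that is not part of the original article: a constructed asset inventory is scored by assigning values to criticality, threat likelihood, vulnerability severity and existing-control effectiveness, then ranked with a mitigate/accept decision attached. The 1-to-5 scales, the multiplicative formula and the acceptance threshold are this example's own assumptions, not a named standard.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    likelihood: int               # 1 (rare) .. 5 (expected)
    severity: int                 # 1 .. 5: how exploitable the matching vulnerability is
    control_effectiveness: float  # 0.0 (no control in place) .. 1.0 (fully mitigated)

@dataclass
class Asset:
    name: str
    criticality: int              # 1 (nuisance if lost) .. 5 (stops the facility)
    threats: list = field(default_factory=list)

def risk_score(asset, threat):
    """Impact x likelihood x exploitability, scaled down by how well existing
    controls work. The scale is this example's own, not a named standard."""
    return (asset.criticality * threat.likelihood * threat.severity
            * (1.0 - threat.control_effectiveness))

def prioritize(inventory, accept_below=15.0):
    """Phase 4 output: every (asset, threat) pair ranked by score, with the
    phase 5 decision (mitigate or accept) attached for the recommendations list."""
    rows = []
    for asset in inventory:
        for threat in asset.threats:
            score = round(risk_score(asset, threat), 1)
            action = "mitigate" if score >= accept_below else "accept"
            rows.append((score, asset.name, threat.name, action))
    return sorted(rows, reverse=True)

# Constructed inventory for a small plant; all values are illustrative only.
INVENTORY = [
    Asset("BMS server (HVAC, lighting)", 5, [
        Threat("ransomware via vendor remote access", 4, 4, 0.2),
        Threat("insider tampering in server room", 2, 3, 0.6),
    ]),
    Asset("Guest Wi-Fi access point", 2, [
        Threat("pivot to OT network through misconfigured device", 3, 5, 0.3),
    ]),
    Asset("Payment terminals", 4, [
        Threat("lateral movement from HVAC vendor account", 3, 4, 0.5),
    ]),
]

if __name__ == "__main__":
    for score, asset, threat, action in prioritize(INVENTORY):
        print(f"{score:5.1f}  {action:8}  {asset}: {threat}")
```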

When to conduct a cybersecurity risk assessment

As threats and facility systems constantly evolve, it is imperative that cybersecurity risk assessments are revisited and repeated to reflect changed circumstances. For example, any capital project should trigger a risk assessment. One effective method to integrate a cybersecurity risk assessment into capital project planning is to make it a part of the 30/60/90 design review process. The cybersecurity risk assessment is conducted before the 30 percent stage review. It includes the systems integrator’s specific cybersecurity recommendations based on the equipment needed for the capital project, minimizing costly change requests in the future. At the 60 percent review stage, the cybersecurity experts verify that all equipment selected and ordered meets the needs approved at the 30 percent stage. At the 90 percent review, the systems integrator validates the overall design and its alignment with risk assessment objectives.

FMs have a role in the initial and final meetings of the risk assessment process and during each 30/60/90 design review. They can offer a holistic perspective on facility operations, systems and people. While not deeply involved in the technical aspects, their awareness and insight ensure that cybersecurity considerations conform to operational needs.

Cybersecurity risk assessments are also a part of ongoing building maintenance, especially when any system change attaches new devices to the facility networks. Another aspect of facility cybersecurity maintenance is coordinating with IT teams and cybersecurity experts to run cybersecurity drills that test and validate the facility’s defenses. These drills can be technical, such as penetration testing, or more comprehensive, such as simulated incident response exercises that measure employees’ ability to detect and report a potential incident.

Steps to immediately improve cybersecurity

While conducting a cybersecurity risk assessment is necessary to develop a complete cybersecurity program, FMs can take certain steps that will immediately improve their facility’s defenses. They can get a head start on a formal cybersecurity risk assessment process by documenting all connected devices in their facility in a spreadsheet or database. FMs can work with the IT department to set up supplier and remote access standards, for example, by assigning standardized IP addresses. With specified IP address ranges for internal, external and OT networks, FMs and IT teams can better control access and communication between systems. This approach also streamlines troubleshooting and removes the risks of falling back into default settings when a new device is connected to a facility network.
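The two quick wins above (a spreadsheet of connected devices, and assigned IP ranges for internal, external and OT networks) combined into one check, as an added example that is not part of the original article: it reads a constructed inventory export and flags devices still on factory or link-local defaults, outside the address plan, or on the wrong segment for their role. The segment ranges, role names and inventory rows are this example's own assumptions.

```python
import csv
import io
import ipaddress

# Constructed address plan (an assumption for this example; use whatever ranges
# FMs and IT have agreed on for the facility).
SEGMENTS = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("172.16.50.0/24"),
}
# The segment each device role is supposed to live in.
ROLE_SEGMENT = {"workstation": "internal", "bms": "ot", "plc": "ot", "guest-ap": "guest"}
# Ranges that mean a device was connected with factory or link-local defaults.
DEFAULT_RANGES = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("169.254.0.0/16")]

# Constructed export of the device spreadsheet the article suggests keeping.
INVENTORY_CSV = """\
name,role,ip
ahu-controller-1,bms,10.20.3.15
chiller-plc,plc,192.168.1.100
front-desk-pc,workstation,10.10.7.22
lobby-ap,guest-ap,172.16.50.5
new-vav-ctrl,bms,10.10.9.40
"""

def segment_of(addr):
    """Name of the planned segment containing addr, or None if it is unplanned."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_inventory(csv_text):
    """Return (device, finding, detail) for every device on a default range,
    outside the address plan, or in the wrong segment for its role."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = ipaddress.ip_address(row["ip"])
        actual, expected = segment_of(addr), ROLE_SEGMENT.get(row["role"])
        if any(addr in net for net in DEFAULT_RANGES):
            findings.append((row["name"], "default-address", f"{addr} is a factory/link-local default"))
        elif actual is None:
            findings.append((row["name"], "unplanned-range", f"{addr} is outside every assigned range"))
        elif actual != expected:
            findings.append((row["name"], "wrong-segment", f"{row['role']} on {actual}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY_CSV):
        print(*finding, sep="  ")
```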

Reviewing documented workflows and continuity plans to identify redundancy gaps in systems will help improve operational resilience. An often-overlooked aspect of redundancy is ensuring that critical institutional knowledge is documented. Passwords and procedures known only to a few employees put operations at risk if those people become unavailable when needed.

It is also essential to improve password hygiene in building systems. Using system default passwords or reusing passwords across systems makes it easy for malware to propagate quickly across networks. Setting strong password requirements for employees also improves defenses. Additionally, employees should be trained to defend themselves against social engineering attacks and to practice other cybersecurity-safe behaviors. Finally, FMs should start conversations with senior management, operations managers and IT personnel to initiate a formal risk assessment that hardens facility defenses and to decide how ongoing assessments will be incorporated into building maintenance plans.

Making smart buildings safe buildings

As buildings get “smarter,” they become more vulnerable. The Dragos report noted that 80 percent of OT vulnerabilities are found within industrial control systems. Given that technology now matters as much as physical infrastructure, integrating cybersecurity risk assessments and drill testing as standard practice in new project planning and ongoing maintenance procedures is a prudent course. In complex networked environments, where facility and operational systems intersect, these assessments serve as a critical safeguard, regularly improving facility security and resiliency against growing cyberthreats.