The weakest link
Our Operations Manager Paul Djuric looks at the security dangers posed by the IoT
At Urgent Technology, we’ve spent the last quarter of 2017 examining the role of the facilities manager in cyber-security because, as the recent news agenda demonstrates, hackers are increasingly targeting property and facilities-related devices that are connected to the internet. Take Google’s Wharf 7 office in Sydney, for instance. It was hacked via its building management system by two security researchers, who were able to access the building control panel showing the layout of water pipes on the third floor of its Australian headquarters.
This isn’t the first time such a breach involving the built environment has happened, of course. The first recorded incident was nearly two centuries ago; France was hit by the world’s first network attack in 1834. At this time, a series of manually operated towers, topped with a system of movable wooden arms, each designed to point to letters, numbers and other characters, served as mechanical telegraph systems. Sequences of letters and numbers flowed from tower to tower, sending messages across the country in a matter of minutes.
The towers were stipulated for government use only; however, two bankers decided to take advantage of the structures for their own ends. The Le Blanc brothers were bond traders in Bordeaux, far from the Parisian nerve centre, and spotted an opportunity to use the tower network to their advantage. They bribed the telegraph operators to be ‘playful’ with the official messages; not to obscure the content but to communicate market conditions in a way that would be intelligible to those involved with the hack.
My purpose in recounting this event is to remind us that it is often human action that plays the major part in any security breach, not the technology. In this case it wasn’t the towers that were insecure; the operators and processes were the weak link in the chain. It also serves as an example that regardless of the invention in question – towers or technology – there will always be those who find a way to prosper from the efforts of others.
The trend towards the utilisation of the Internet of Things and connected devices in properties means that FM is now at the forefront of the fight against cyber-crime; and that’s why we decided to publish our most recent white paper. We want to encourage FMs who are concerned that their systems might be vulnerable to take ownership of the cyber-security process by establishing the ways and means of safeguarding data.
Our paper highlights five ways this can be achieved, including:
- Commissioning a formal risk assessment to identify the possibilities of reducing any unnecessary storage and processing;
- Assessing the likelihood and impact of an attack;
- Formally identifying what an appropriate security baseline should be and establishing the extent of any gaps between the existing and target positions;
- Conducting an efficient data risk assessment;
- Carrying out both internal and external penetration tests on the network.
The main takeaway from our report is that FMs and their organisations face significant challenges in the future in combating the cyber-threats posed by the convergence of physical assets within a building with data. This is why a wide-ranging and proactive approach should be taken to ensure that the FM can reap the undoubted benefits of workplace digitisation, while ensuring that facilities are not open to undue risks. In the future, FM and IT must always remain alert to the latest cyber-threats, and must work together with their software supply chain to help reduce the likelihood of data breaches.
For more information on the steps involved in protecting organisations against cyber-crime, download our free white paper.