NFPA Journal - Spring 2021 - 31
monitoring, said Jessica Chevreaux,
the cybersecurity program manager at
M.C. Dean and a co-author of the FPRF
report. The reverse is also true: few IT
people know much about building systems, she said. Training on both sides
about how to work together to holistically protect a company's digital assets
is essential but is not yet widespread.
"The HVAC and fire systems engineers don't necessarily speak the
same language as the IT people, and
they definitely don't understand each
other's systems and vulnerabilities,"
Chevreaux said. "This is such a new
concept that there isn't necessarily
even a structure in place within companies to handle it. There isn't really
anyone bridging that gap."
Security fundamentals
With cybersecurity in building systems
still in its infancy, experts hope that
projects like the FPRF's can provide the
framework necessary to put building
security on a solid track.
"Success is going to come down to
getting the fundamentals right from
the beginning," Robinson said. That
includes providing clear, actionable
guidelines on what's known as "cyber
hygiene," such as network segmentation, minimum system and security
requirements for wireless or passwords,
authentication mechanisms, and training workforces to better understand the
threat and their responsibilities.
"This educational piece has to
be part of everyone's thinking and
everyone's planning," said Alkemper, of
FM Global. "We have to start thinking
of this as a threat like any other threat.
Your building can burn down, yes.
Things can get hacked, so be ready. If
you plan for it and anticipate it, this
can be managed."
Experts also see a need for additional
guidance from codes and standards,
including possibly from NFPA. Currently, there are at least 16 NFPA
standards with cybersecurity references, including NFPA 72®, National
Fire Alarm Signaling Code®, which
includes guidance and requirements to
address cybersecurity for equipment,
software, firmware, tools, and installation methods, as well as the physical
security and access to equipment, data
KNOWLEDGE RACE
In the realm of building and systems hacking,
the good guys have to work doubly hard to
stay a step ahead of the bad guys
Examples of hackers infiltrating building systems become more
numerous by the day, and include everything from pranksters
hacking baby cameras to spy on families to nation states seizing
control of and sabotaging a nuclear enrichment plant. Hackers
have targeted smart thermostats to infiltrate a casino database,
hacked parking garage printers to access a residential high-rise,
and even hacked the operational systems of the Australian corporate headquarters for Google.
Perhaps the best-known breach involving a building system
occurred in 2013 when cybercriminals used credentials for the
HVAC system to break into the customer service database of the
retail giant Target. Some 40 million credit card numbers were
stolen, resulting in Target paying an $18.5 million multistate
settlement in 2017 - the largest ever for a data breach. More recently,
hackers have targeted medical devices, such
as blood pressure monitors and telemetry monitors, to gain access to hospital networks.
The vulnerabilities have led, in part, to an epidemic of ransomware
attacks on US health care facilities - nearly 800 such attacks were
launched against US hospitals in 2019, according to Emsisoft.
And those are only the ones we know about. "For every successful ransomware attack you read about in the news, there are five
others that you never hear about because companies don't want
it getting out that their facilities were compromised due to a vulnerability or a lapse of judgment," said Phil Owen, the director of
information assurance and cybersecurity at M.C. Dean.
The security experts I spoke with believe that loss numbers from
building systems attacks could be even worse if not for the fact
that many hackers don't yet have the knowledge or foresight to
breach those systems - the concept of smart sprinklers and alarms
is just as new for the hackers as it is for some facility managers.
[Photo caption: Cybercriminals used HVAC system credentials
to access a customer service database at retail
giant Target in 2013.]
Last November, M.C. Dean outfitted a two-story office building
with the range of connected infrastructure found in modern buildings - fire systems, elevator controls, IP cameras, Wi-Fi devices,
HVAC, and more - and invited more than 60 teams of hackers from
around the world to try to infiltrate it. One of the most interesting
outcomes, Owen said, was how little attention the attackers paid
to the building's fire safety systems; none of the teams seemed to
view these vulnerable systems as a worthwhile target.
"If they had, they could have owned those systems pretty easily,"
said Ken Donaldson, the information systems security manager at
M.C. Dean.
Owen said that the hacker teams skewed young and most likely
didn't yet have a sufficient understanding of how these fire systems work to mount an attack. "Attacking automation systems is
not a neophyte game; it's the older, more experienced professional
who is going to understand how to do that," he said.
But it's not going to stay that way for long. With each successful
breach of a large corporation like Target, or with every lucrative
ransomware attack on a hospital, it's a certainty that hackers will
study these methods and devise even more innovative methods
for capitalizing on previously overlooked vulnerabilities.
"I think we're all assuming that the bad side is still on a learning
curve," said Jens Alkemper, the director of cyberresearch at the
insurance firm FM Global. "But as that's happening, the defense
side has to be working to shorten its learning curve as well. We
have to be ready for this, because it's coming." -J.R.