Hundreds of Back Doors and a Different Breed of Systems Contractor
Even after many years of experience, capable CISOs find they may not be equipped to overcome the cybersecurity concerns that arise from building control contractors.
These contractors increase every company’s cybersecurity vulnerability in ways that other vendors do not. The Harvard Business Review reports that in 2017, 60% of all cybersecurity breaches reported by publicly traded companies “…were launched through the computer systems of suppliers or contractors, up from less than 25% in 2010.”
Building contractors consistently create hundreds, even thousands, of back doors to your computer systems when they install their building controls. They do this unwittingly, without the expertise to correct their own practices, and therefore may be blameless. Nonetheless, cybersecurity concerns about building controls are real, and CISOs are ill-equipped to address these concerns without serious help.
The hundreds of building controls installed in almost any office, industrial or educational building connect a company’s internal computer systems to the worldwide web. These building control devices include physical security, audiovisual, HVAC, lighting, Voice over IP telephony, elevator dispatch, and even business machines (although these are typically not considered building controls). Hundreds, perhaps thousands, of cameras, controllers, sensors and switches are now connected Internet of Things (IoT) devices. Many, if not most, of these IoT devices have connectors; open ports; default (even hard-coded) passwords; and stored information. Many of these cannot be managed centrally, and nearly all of them can be manipulated to create a pathway, or used as a back door, past your exterior perimeter and then enable further access to interior domains, at which point the material damage begins.
Importantly, all of this is simply context and may best be summarized as follows: Building control contractors contribute disproportionately to the cybersecurity vulnerability of every organization that conducts its business in today’s smart or smarter buildings. CISOs are frequently beguiled and thwarted by the complexity of this context and require guidance, help and an effective strategy to close existing back doors and prevent new ones from being left open.
Like any other complex and troubling situation, CISOs can manage the building controls situation by addressing the component issues, such as:
1. Standards, such as NIST and ISO 27001, and frameworks, such as GDPR and the Center for Internet Security, do not apply well to how building control contractors perform their work.
2. Today’s “best practices,” used by CIOs and CISOs, fall short of addressing building control systems.
3. Facilities managers and procurement managers, not IT, have pre-emptive relationships with building control contractors.
4. Accountability for delivering sufficiently secure building controls is absent from contracts.
5. Building control contractors submit proposals with an SOW, schedule, and budget, but no discussion of the security hygiene to be used to close back doors at the time of installation.
6. Individual technicians, engineers and project managers at building controls companies are unprepared to perform their role in accordance with a security hygiene.
Clearly, these issues are not the stock in trade of most, if not any, CISO. (Use of the term “CISO”, going forward, will also refer to the CISO’s team, or to the CIO if there is no CISO.) While the cost of addressing these issues may not need to be borne by the CISO’s budget, it is the CISO who must be the catalyst for closing existing back doors and preventing new ones from being created. Without this, no company can be sufficiently secure.
A Guide to Cyber Defense
Moving beyond simply identifying the context and listing actual issues, let’s discuss the nature of each issue and enable CISOs to manage their resources for success.
1. Security Standards and Frameworks Do Not Apply. Applying standards and frameworks to building control contractors is an understandable mistake. The work that went into the NIST, ISO, and GDPR guidelines is extremely diligent and useful. However, they focus substantially on the internal operations of a company. In the case of building control contractors, their work is performed outside of their own computing perimeter and inside the perimeter of dozens of different companies in different industries. Even a single contractor will often have customers in banking, general office, manufacturing, and entertainment venues. On the customer’s side, the CISO will not have access to technical details of all the different IoT devices, of each manufacturer of those devices, or of where each might stand regarding cybersecurity vulnerabilities. What is useful for us is that the standards and frameworks have 40–60 security controls in common. CISOs must consider how these controls are deployed by the contractors, outside of their own organization and inside the CISO’s organization, which is foreign territory to the contractor.
2. Today’s “Best Practices” Fall Short.
CISOs commonly deal with building control contractors in three ways: a) they deploy such systems on a subnet; b) they require an IT security questionnaire; and c) they rely on security standards, which fall short for the reasons presented in #1 above. Using a subnet is useful, as one of many layers in a security defense strategy, but it has its own vulnerabilities. Once the IoT device is penetrated, a software implant can be installed to capture the credentials of privileged users with access to the subnet and the production network environment, or to propagate itself in search of additional vulnerabilities. This makes the subnet a good practice but not enough, which is more than can be said for the use of IT security questionnaires. Such questionnaires do not produce reliable information when used with building control contractors, who have difficulty understanding the questions and, if they do understand, may provide aspirational replies rather than accurate ones. Moreover, IT security questionnaires are useful when assessing the quality of information generated by IT. They fall short with security because they provide little or no help in controlling authorized access to information, which is security’s primary objective. These questionnaires have limited, or no, value as a best practice with building control contractors.
3. Facilities and Procurement Management. Building control contractors were construction companies before software started eating their part of the world, and the work experience of substantially all facilities managers is also related to construction. As a result, very few facilities managers are equipped to address network concerns that are more technical than supplying power, basic continuity and cable management. Moreover, Facilities generally selects the two or three building control contractors, for each type of system, who are “accepted vendors” and are invited to respond to an RFP. This generally leaves the CISO out of the picture, which removes an important link in the security chain. The use of cybersecurity hygiene (which is discussed below) enables a CISO to assure Facilities’ effective consideration of security in selecting vendors. In this way, the CISO keeps another link in the important security chain.
In more complex organizations, Procurement often performs a subset of the facilities manager’s responsibilities when purchasing services from building control contractors. As a result, sometimes it is Procurement and not Facilities that leaves the CISO out of the picture. The Cybersecurity Hygiene, discussed below, can help with Procurement in the same manner as it does with Facilities.
4. Accountability and Contracting. CISOs can assure delivery of sufficiently secure building controls (i.e., back doors are closed) through the use of the project contract in combination with the cybersecurity hygiene (see below). The opportunity is to use the contract to reward the contractor with limits on liability in exchange for the contractor being explicit in identifying the security controls that will be deployed under the applicable agreement. This is best managed as an addendum to project contracts. When done well, this can be mutually gratifying and beneficial to both the contractor and the CISO. For example, the contractor can use the explicit set of security controls when talking to prospective customers. The CISO can use the process as a model for demonstrating to Facilities and Procurement how they can help secure their organization. Eventually, the CISO establishes this as a standard operating process for the organization, requiring minimal time in the future.
5. Cybersecurity Hygiene. This should be the cornerstone for the CISO. Cybersecurity hygiene is specific to each contractor. It is a written statement that identifies the security controls that contractor will deploy unless agreed otherwise by the contractor and the CISO. All the other issues, discussed here, become very manageable once the CISO establishes the requirement that building control contractors define their own cybersecurity hygiene.
In short, the hygiene is a “default” list of security controls. There are some differences between contractors, depending on the systems they sell and the markets they serve. For example, a vendor installing A/V conference and collaboration systems for the office market will have different security controls than a contractor that serves the aerospace industry. Examples of universally deployed security controls might state that the contractor will use reasonable business efforts at all times to: “Clear devices of malware prior to connecting them to the network”; “Replace default passwords”; “Synchronize the application with the network’s date and time”; and “Disable anonymous access to the application”. Having such a cybersecurity hygiene would then become a requirement for consideration by both Facilities and Procurement.
Once a project is identified, and the solution is defined, the highest value can be achieved: the contractor and the CISO discuss refinements to the default list and create a cybersecurity hygiene specific to an important project. This collaboration increases the enforceability of the contractor’s performance. The use of cybersecurity hygiene allows the CISO to focus only on security and avoids trespassing on Facilities and Procurement; the process can also be initiated and managed by them and the contractor. The CISO’s role is limited and, at the same time, assures the implementation of important security controls even if the CISO is not actively involved. CISOs can further leverage their impact by requiring contractors to update and improve their hygiene each year, which is a universal best practice for cybersecurity. When key projects arise, the CISO can exercise the right to modify certain controls, such as clarifying the use of a specific factor for two-factor authentication. Or, the CISO might specify a new convention for password construction.
6. Preparedness of Field Personnel. Individual technicians, engineers, and project managers at building controls companies generally are not prepared to know why each specific control is required and when to deploy it. Such personnel do know how to implement the controls, or can learn such skills quite readily. This is another area in which the CISO benefits from having help, if for no other reason than that there is often a big gap in the level of technical sophistication between the CISO and the field personnel working for a building control contractor.
Vendors Invest in their Own Cybersecurity Hygiene and Preparedness
CISOs are not helpless when they wish to close the back doors to their building control systems. A big first step is simply including building control contractors among their active concerns. In this age of growing cybersecurity concerns, now is the time to gain control over the proliferation of IoT devices, especially those connected to building controls. Another big step is accepting that much of their vulnerability is generated by vendors who benefit from the work they receive from the CISO’s fellow executives and managers, especially when the CISO realizes that these vendors will invest in themselves in order to retain their relationship with the CISO’s organization. The CISO should not hesitate to request that vendors invest in themselves and, perhaps, line up third-party resources to help those building controls vendors who may be unable to help themselves. The remaining steps are the everyday blocking and tackling to create a plan for a cybersecurity defense for building control contractors.
Finally, CISOs can seal those back doors with two add-on controls to the NeverCry Cyber Defense. One, CISOs can require all administrators of building control systems to use at least two-factor authentication when using their administrative credentials. While solutions such as Duo are good, we recommend those that use existing key cards, such as Access Smart, when an access control system is already in place. Two, CISOs can monitor those privileged accounts with the intent of detecting suspicious activity. The NeverCry Cyber Defense with these two add-on controls represents a “best practice” at minimal cost and effort. Best of all, it addresses an overlooked, very large, and rapidly growing vulnerability.
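The two add-on controls above (two-factor authentication for building control administrators and monitoring of those privileged accounts) need something concrete to run against authentication logs. The following is an added example, not code from the article or from any vendor named in it: a small review pass that flags privileged logins to a building control system that lack a second factor, come from outside the building-controls subnet, or occur outside an agreed maintenance window. The account names, the 10.20.0.0/16 subnet, the maintenance window and every log line are constructed assumptions.

```python
"""Review pass over constructed building-control admin authentication logs.
Flags privileged logins that violate the hygiene the CISO agreed with the
contractor: no second factor, off-subnet source, or outside the maintenance
window. Account names, networks and log lines are all constructed."""
import ipaddress
from datetime import datetime

# Assumed hygiene parameters (constructed for this example).
PRIVILEGED = {"bms-admin", "hvac-svc"}                  # contractor admin accounts
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # building-controls subnet
MAINT_WINDOW = (8, 18)                                  # local hours admins may log in

# Constructed sample log, one login per line: ts,user,src_ip,mfa,result
SAMPLE_LOG = """\
2024-03-04T09:12:01,bms-admin,10.20.5.7,yes,success
2024-03-04T09:13:45,jdoe,10.20.5.9,yes,success
2024-03-04T02:41:10,hvac-svc,10.20.8.3,no,success
2024-03-04T10:05:33,bms-admin,203.0.113.44,yes,success
2024-03-04T10:06:02,bms-admin,10.20.5.7,no,failure
"""

def parse(line):
    """Split one CSV log line into typed fields."""
    ts, user, ip, mfa, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "mfa": mfa == "yes", "result": result}

def findings(entry):
    """Return the hygiene violations for one successful privileged login."""
    if entry["user"] not in PRIVILEGED or entry["result"] != "success":
        return []
    out = []
    if not entry["mfa"]:
        out.append("no-mfa")
    if not any(entry["ip"] in net for net in ALLOWED_NETS):
        out.append("off-subnet-source")
    if not (MAINT_WINDOW[0] <= entry["ts"].hour < MAINT_WINDOW[1]):
        out.append("outside-maintenance-window")
    return out

def review(log_text):
    """Map each flagged log line number (1-based) to its list of violations."""
    alerts = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = findings(parse(line))
        if hits:
            alerts[n] = hits
    return alerts

if __name__ == "__main__":
    for n, hits in review(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

Failed attempts and non-privileged users are skipped on purpose here; a production version would also count repeated failures against the same admin account.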
NeverCry Cyber Defense
Many people refer to this plan as the NeverCry Cyber Defense for building control contractors. This name, of course, is a play on the highly destructive WannaCry cyberattack of 2017. That attack gained its initial access through Windows’ SMB ports, which share files and messages with such connected devices as surveillance cameras, A/V projectors, HVAC and other internet-connected devices, including office machines. These devices were installed by building controls and office systems contractors. Once launched internally, the attacking software propagated itself to more than an estimated 200,000 computers in 150 countries, where it then exploited a well-known Windows OS vulnerability that enabled the malware to encrypt Microsoft Office files that were then held for ransom. This very aggressive global attack, and hundreds of attacks since, gained entry through the same set of back doors that enabled the high-profile attacks on Equifax, Target, and Best Buy. Until these back doors are closed, our computer systems and valuable assets remain sitting ducks. The good news is that CISOs can solicit the help of their vendors with little or no impact on their work schedule or budget.