Your Building: the On-Ramp to Your Network for Cyber Criminals


Two things building owners and property managers need to know.

  1. Never underestimate your building control system as a vehicle of breach for hackers.
  2. Cyber security is a problem that will never be solved.

This second statement is one that I heard recently at a meeting that included primarily litigation professionals and cyber security experts.  If that makes you uncomfortable, I have some more statistics that will add to your level of discomfort…


According to a FireEye/Mandiant study this year entitled Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model, nearly 97 percent of organizations have been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture. Three-fourths of organizations had active command-and-control communications, indicating that attackers had control of the breached systems. These systems weren’t just compromised; they were being actively used by an attacker for activities that could include exfiltrating data.


Mandiant also published these statistics:

  • 100% of victims have up-to-date anti-virus software
  • 63% of breaches are reported by third parties
  • 243 is the median number of days advanced attackers are on the network before being detected
  • 100% of the breaches involved stolen credentials

The Ponemon Institute has issued its annual report, “Cost of Data Breach Study,” a study on the economic impact of data breaches. The study is sponsored by IBM, and its results show an increase in the average data breach cost per victim, which is nearly $145 per compromised record.


According to the Norton Cybercrime Index for 2013:

  • There were 253 data breach incidents and a total of 552,018,539 identities exposed as a result
  • The average number of identities exposed per incident was 2,181,891 compared with 604,826 in 2012 (this is an increase of more than 2.6 times)


According to the Identity Theft Resource Center:

  • This week’s total shows that there have been 666 breaches to date, a 25.6 percent increase over the same time period last year, which had 529 breaches


These attacks are no longer being performed only by high-functioning programmers. Today unsophisticated hackers are wreaking havoc, and hacking no longer requires you to learn sophisticated techniques. There are tools that have been sold via PayPal for as little as $40. “Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” wrote Brian Krebs of Krebs on Security. “The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool.”


Some questions to ask yourself and your team…

  • Do you know who gets involved in breach investigations?
    • More and more it is the Secret Service.
  • How is your network configured?
    • Building control networks have been and are being set up with unmanaged switches, exposed to the web with little or no protection, and then bridged to corporate networks. Hackers see these networks as an on-ramp to your corporate network.
  • Do you have a common username and password not only for the building staff, but for the solution provider as well?
  • Who owns the responsibility for administering your usernames and passwords?
    • Does Dell administer your users when you buy a server? No… and neither should your BMS vendor. In most cases the BMS vendor does this and is expected to take care of it.
  • When an employee leaves or a vendor is replaced, what measures do you take to remove their access to the control system?
    • Fired employees are more likely to retaliate within a few days of termination, so how quickly they are removed may prevent damage. Don’t forget they are also prime targets for hackers looking to purchase their login info.
  • Are your building controls PCs/servers locked away and used only for serving up the webpage to users, or are they in a building engineer’s office, accessible to anyone who wants to surf the web and check their social media?
  • Do you have a breach response and recovery plan for inside your organization as well as for outside of your organization?
    • In other words, a public response.
  • Do you have cyber liability insurance?
    • If you do not, are you planning on acquiring it in the near future?
  • Whose responsibility is it to keep your building safe? Vendors and integrators have a share of the responsibility, but the building has to shoulder part of the responsibility too. It is hard to predict what the attack vectors will be, but it is incumbent on vendors, integrators, and building owners to work together to secure the control system.



About Fred Gordy


Fred Gordy is the operational technology manager for the McKenney's Enterprise Intelligence Group and is responsible for the technology strategy for the Automation & Control Solutions team. Fred has focused on control system cybersecurity for the past few years and has built a network of cybersecurity professionals to grow knowledge for the control system at large. He is also the current chair for InsideIQ's cybersecurity committee. Fred's portfolio includes projects with Chevron Energy Services at Eglin Air Force Base to reduce operating expense through real-time analysis as well as developing secure power monitoring systems for a national IDC, a national retail chain, and an international media company.
