Resilience and Cyber Security of T
echnology in the Built Environment
IET Standards
Technical Briefing
IET Standards
Technical Briefing
IET Standards
Resilience and Cyber
Security of Technology in
the Built Environment
Resilience and Cyber Security of Technology
in the Built Environment
In November 2011 the Government launched the UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. The strategy acknowledges the importance of a safe cyber environment for business.
Cyber-crime is today the world’s fastest-growing crime sector. Your cyber security is paramount if you are beginning to trade overseas or expanding your overseas business. The cyber risks include viruses, identity theft (spyware, wifi eavesdropping, hacking) and threats to wealth (fraud, identity theft, spam emails). Of special concern to businesses is cyber-crime connected to intellectual property theft.
This report is the first publication of its kind from IET Standards. Its purpose is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems.
IET Standards
Michael Faraday House Six Hills Way
Stevenage Hertfordshire SG1 2AY
Resilience and Cyber Security
of Technology in the
Author: Hugh Boyes CEng FIET CISSP
The IET would like to acknowledge the help and support of CPNI in producing this document.
Published by The Institution of Engineering and Technology, London, United Kingdom
The Institution of Engineering and Technology is registered as a Charity in England & Wales (no. 211014) and Scotland (no. SC038698).
© The Institution of Engineering and Technology 2013 First published 2013
This publication is copyright under the Berne Convention and the Universal Copyright Convention. All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may be reproduced, stored or transmitted, in any form or by any means, only with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at this address:
The Institution of Engineering and Technology Michael Faraday House
Six Hills Way, Stevenage Herts, SG1 2AY, United Kingdom www.theiet.org
While the publisher, author and contributors believe that the information and guidance given in this work is correct, all parties must rely upon their own skill and judgement when making use of it. Neither the publisher, nor the author, nor any contributors assume any liability to anyone for any loss or damage caused by any error or omission in the work, whether such error or omission is the result of negligence or any other cause. Any and all such liability is disclaimed.
The moral rights of the author to be identified as author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988. A list of organisations represented on this committee can be obtained on request to IET standards. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with the contents of this document cannot confer immunity from legal obligations.
It is the constant aim of the IET to improve the quality of our products and services. We should be grateful if anyone finding an inaccuracy or ambiguity while using this document would inform the IET standards development team at [email protected] or The IET, Six Hills Way, Stevenage SG1 2AY, UK. ISBN 978-1-84919-727-4 (paperback)
Participants in the Technical Committee
4
1 Introduction
5
2 Background
7
3
Overview of resilience and cyber security
13
4
Understanding the threat landscape
18
5
Resilience and cyber security during specification phase
23
6
Resilience and cyber security during design phase
27
7
Resilience and cyber security during construction
31
8
Resilience and cyber security during operations
35
9
Managing change – impact on resilience and cyber security
41
10
Resilience and cyber security during decommissioning
43
11
Relevant standards
44
Appendix A – Intelligent building case studies
47
Appendix B – Twenty critical controls
52
Appendix C – Glossary
55
Participants in the Technical Committee
The IET and author wish to acknowledge the support received from representatives of the following organisations in reviewing the drafts of this document.
Arup
Centre for the Protection of National Infrastructure (CPNI) Corporate IT Forum
Defence Science and Technology Laboratory (dstl) ECA Group Ltd
General Dynamics UK Ltd Incoming Thought Ltd Newrisk Ltd
Symantec
CHAPTER 1
Introduction
Creation of intelligent or smart buildings requires greater integration of systems, both the operational and business systems used by the buildings occupants and a wide range of infrastructure systems. This is typically being achieved through the convergence of the technical infrastructure and the widespread use of readily available commercial and open source technologies.
Although the initial focus of the designers of intelligent or smart buildings has been on developing solutions to make them more energy-efficient, there is an increasing focus on the interaction of systems. The drivers for intelligent buildings and thus systems integration arise from the need for new energy-efficient interventions, real-time decision support systems, enhanced building and personnel security, and better management information dashboards that offer easy access to key performance indicators.
The purpose of this technical briefing is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems as those systems become interconnected with the global network that comprises cyberspace. This document is not intended to address the physical hardening of buildings to protect against specific physical threats such as earthquakes, weather or blast.
The document examines different sources of threats across the building life cycle from initial concept through to decommissioning. It considers potential threat agents that could cause or contribute to a cyber security incident and identifies some of the measures that may be appropriate to reduce the risks.
The key points that we highlight in this document are as follows: ●
● Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications. ●
● Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.
●
● In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.
●
● Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or upgraded threats should inform the requirements and design brief.
●
● From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.
●
● When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, from the public) and the potential effects of natural causes.
●
● A serious challenge with some incidents, particularly those that are cyber security-related, may be identifying the cause of an incident. The task is particularly difficult where there is a lack of logs or system logging and audit.
●
● During the requirements, concept and specification phase of a building project, the resilience and cyber security requirements need to be identified, taking into account the nature and purpose of the construction and the potential threats to the occupants and their business operations. These requirements should include appropriate protection for intellectual property, and commercial or sensitive information.
●
● During the design phase of a building project, appropriate solutions to the resilience and cyber security requirements should be developed. As part of a design assurance exercise, the proposed design should be assessed to ensure that it has not introduced any new or unforeseen risks. Assuring the continuity of intent through the construction phase may require investment in competent resources.
●
● During construction of the building, resilience and cyber security issues need to be addressed while managing the supply chain, monitoring design integrity, maintaining physical security and implementing systems security. ●
● Once the building is in operational use, its resilience should be proactively managed to prevent any unforeseen or emergent loss of resilience and to identify any additional requirements arising from changes in the building’s use.
●
● The building’s IT systems are at risk from the outset. Application of the 20 critical controls1 (see Appendix B) can provide protection by detecting
reconnaissance, preventing unauthorised access or actions, detecting unauthorised access or actions and mitigating cyber security events. ●
● When changes to the building, its infrastructure, systems and use are being planned and implemented, the impact on resilience and cyber security should be assessed and appropriate steps taken to address any new or modified risks. This should include assessment of the impact of any decommissioning.
1 Developed, coordinated and published by the SANS Institute: http://www.sans.org/critical-
CHAPTER 2
Background
2.1 Technology developments in the built environment
Economic and environmental pressures are increasingly affecting the design and operation of the built environment. In a competitive global economy, economic pressures relate to the total cost of ownership, both in terms of capital investment throughout the building’s life cycle and operating costs. These operating costs are not just the costs of facilities management and building maintenance, but also the users’ operational costs that are influenced by the built environment. A building that is operationally inefficient will inevitably have an economic impact on its occupants. Environmental pressures include the need to reduce energy consumption through increased energy efficiency and to reduce waste. To address these pressures a range of innovative IT-enabled solutions are being developed, as summarised in Figure 1.
Intelligent
Buildings
Smart
Grid HomesSmart
Intelligent Transport Smart Cities
A key theme in these solutions is the increased IT-based interaction between physical assets with supporting communications, energy and transport infrastructures. Examples of this integration would include an intelligent building interacting with the smart grid to manage energy demand and ensure the most economic use of supply tariffs. In future it could include interaction with urban transport systems to inform building users of the current local transport situation.
This integration affects both the operational and business systems used by the buildings’ occupants and a wide range of infrastructure systems that maintain a comfortable, safe and secure environment. Historically this integration has been difficult due to the proprietary nature of many building systems. However, the increasing adoption of open standards and commercial ‘off the shelf’ products to
Figure 1 – Intelligent buildings are part of an increasingly integrated built environment
build these systems, for example TCP/IP networking and the use of commercial operating systems, has made the integration much easier.
Unfortunately the use of these technologies can create significant issues from a resilience and security perspective. For example, some software products have ‘remote access’ links inbuilt, connecting them to their suppliers for upgrade and maintenance support by default, and the increasing use of browser-based control interfaces has encouraged some manufacturers to require Internet access to their systems for condition monitoring and diagnostic purposes. If these remote connections are not adequately protected and managed, they create vulnerabilities and adversely affect system security and resilience.
The greatest economic and environmental benefits are likely to be derived from deployment of new automation and control systems that take information from business systems and data from sensor networks and building systems, to automate routine functions, maintain an optimum environment and achieve improved performance.
In an office environment an example of intelligent building technologies could be the management of meeting rooms. If a building management system has access to meeting room booking information, it could be configured to reduce energy use by turning off non-essential equipment in the room and limiting environmental conditioning until the room is required and the first occupants arrive. This would require interaction between building systems and the room-booking service, which may be part of the organisation’s email or operational systems. In a factory environment, similar integration might be used to control the heating and lighting of operational areas based on shift patterns, operational demand and the presence of the workforce in a particular area. Provided that these features work reliably they can offer significant user benefits, but chaos can result when there are system failures or unwanted/unauthorised human intervention. Therefore, the more complex the technology and the greater the reliance on its fault-free operation, the greater the need will be for integrity, availability and confidentiality from a safety, security and reputational perspective.
Any IT system is potentially at risk, regardless of whether it is standalone or part of an integrated system. The increased systems integration required to deliver an intelligent building is therefore not without risk even when carefully managed and monitored. We need to recognise that intelligent buildings are complex systems. This document outlines the key factors that need to be addressed to identify and manage the resilience and cyber security factors, and risks to an intelligent building.
2.2 What is an intelligent building?
The precise definition of an intelligent building varies around the world. Although there is no agreed definition, there is a common theme – the integration of technologies. For the purpose of this document we define an intelligent building as one that provides a responsive, effective and supportive environment within which an organisation can achieve its business objectives. Intelligent buildings may also be referred to as smart buildings.
Some of the systems that may be integrated in an intelligent building are illustrated in Table 1. The fact that a building contains some of the listed systems does not
make it an intelligent building: it is the systems integration to achieve operational efficiencies, energy efficiency, additional functionality or other user benefits that delivers the intelligent element. An issue that potentially increases the operational complexity of managing an intelligent building is the organisational and often contractual boundaries between those responsible for the different elements of infrastructure, building, ICT and business systems. A key principle for an intelligent building is that it needs to be designed and operated so that it provides a safe, secure and resilient environment, and to the extent that is practical, it needs to include a degree of future-proofing.
Infrastructure
Sensors, Structured cabling, IP network, Wireless*,
Plant rooms, Data rooms, Server rooms, Communications rooms, etc.
Building systems (ICS)† ICT systems Business systems‡
Building management HVAC controls Access control Lighting control Intruder alarm Security/CCTV Fire alarm Water management Waste management Utilities Stand-by generators UPS Office automation (email, data, Internet) Media/multi-media (voice, video, music) Telephony
(voice, fax, video conferencing, SMS, pagers) IP-based applications§ Enterprise resource planning (ERP) Material requirements planning (MRP) Customer relationship management (CRM) Integrated command-and-control centre Integrated service/ helpdesks
* The term ‘wireless’ is used as a generic term to cover communications and data links that do not require a physical connection; technologies employed include WiFi, Bluetooth, ZigBee, radio, NFC, RFID
† ICS – Industrial Control Systems
‡ Only included to the extent that they are integrated with building systems, for example
CRM – Access Control, ERP/MRP – Supply Chain Management
§ Relevant where they interact with building systems or sensors, for example RFID for
track-ing location of material or assets
An innovative aspect of systems integration is the increasing use of sensors within intelligent buildings. This can range from passive infrared motion detectors, to the CCTV motion detection and the use of radio frequency identification (RFID) technologies. By allowing sensors that are usually applied to a single sub-system to be used by other systems, the building can be made more intelligent: for example, the use of RFID tokens to control access to the building or building zones, to provide access to the corporate network and to retrieve documents on communal printers. Another example is the use of building security sensors and CCTV motion detection to operate and control lighting (both internal and external) and in conjunction with environmental monitoring systems to manage heating, shutters, etc.
Appendix A to this document contains some intelligent building case studies, which provide examples of the types of systems integration already occurring and the operational benefits achieved. Currently the ‘intelligence’ is predominantly automation of routine tasks, based on the sharing of information or data, e.g. energy efficiency measures applied to unoccupied rooms.
Table 1 – Systems that may be integrated in an intelligent building
As technology develops it is likely that significant gains will occur when the converged systems become self-aware, with network-based tools learning over time and responding accordingly. For an intelligent building this could represent the development of a ‘self-preservation’ response, with the systems developing an awareness of relationships between events. An example might be that rather than relying on signature-based analysis to detect malware, attacks or system failures, the intelligent building responds to deviations from system and network behavioural norms, seeking to minimise disruption and alerting an operator to the need for an intervention. With this increased integration and interaction there will be a need to avoid the creation of single points of failure.
Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.
2.3 How does this integration affect building operations?
There are three fundamental issues that need to be considered in respect of the operation of an intelligent building:
●
● the organisational responsibilities for integrated technical infrastructure; ●
● the differences in the nature of corporate IT and building systems (ICS); ●
● the processes, practices and governance, including legal and regulatory compliance, required to operate and maintain the intelligent building in a safe, secure and resilient fashion.
In multi-occupancy buildings there will also be the issue of maintaining the privacy of the occupiers, and where appropriate, their information and data, their staff, visitors or customers.
If there is no integration or interconnection between corporate IT and building systems (ICS), the responsibility for these systems will lie with IT management and facilities or operations management respectively. Integration and interconnection creates a shared responsibility across two often culturally and technically different teams, because a malware incident on a corporate computer could have a significant impact across the entire intelligent building, affecting all the systems.
At a generic level, the differences between the building systems (ICS) and corporate IT systems (ICT and business systems) are shown in Table 2. These differences are significant and inevitably lead to differing operational practices. For an intelligent building, the criticality of a system needs to be assessed in terms of business impact on resilience, physical security and personal safety. A failure to recognise these differences and system-criticality assessments, or to take account of them in the design, delivery and operation phases of an intelligent building, will significantly affect resilience and increase cyber security risks. Where some features are at the very least safety or security critical, they must be adequately protected from unauthorised intervention or access from the rest of the system while being part of it.
Characteristic Corporate IT systems Building systems (ICS)
Lifetime 3–5 years 5–20 years
Availability Out-of-hours outages often acceptable
Continuous operation typically required for control systems Time-critical Delays often acceptable May be safety-critical
Patching Frequent, can be daily Rare
User accounts Usually individual users with permissions according to business role
Often shared functional accounts, based on specific roles, e.g. operator, administrator, engineer
Outsourcing Widely used Varies, rare for
production systems
Antivirus Widely used Difficult/impossible to
deploy
Security skills Limited to good Often poor or
non-existent Security awareness General awareness Often poor or
non-existent
Security testing Widely used Rarely used and risk
of damage to control systems
Physical security Generally secure and manned
Generally remote/ unmanned
2
An example of the difference between systems is the practice of allowing users to access removable media (CDs, DVDs, USB drives) from their desktop or laptop computers, which may be acceptable on the corporate IT system, where antivirus and anti-malware is installed, but is best avoided on the building management network where not all computers can be protected in this way. The practices for dealing with a compromise may also differ significantly. The New York Times,3 for example, simply replaced all compromised computers
on its corporate network when faced with a serious threat. Removing a virus or malware from a building management system may be significantly more complex, however, given that some electronic sensors or components will be embedded in many different major components and sub-systems. The problem may be further exacerbated by the potential age of the systems and the need to maintain building operations.
Historically, industrial control systems (ICS), including the subset that comprise building systems, and corporate IT systems have been managed by operations (including estates) teams and IT teams respectively, with different operational processes, practices and governance. The combination of these organisational 2 Adapted from Table 5.1 in Protecting Industrial Control Systems from Electronic Threats,
Joseph Weiss, 2010, 978-1-60650-1979
3 http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-
computers.html [accessed 24 Apr 2013]
Table 2 – Comparison of corporate IT systems and building systems (ICS)2
boundaries coupled with systems integration and/or interconnection can introduce significant operational complexity and risk into intelligent buildings.
Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.
CHAPTER 3
Overview of resilience and cyber security
3.1 What does resilience mean and why is it an issue?
Resilience is the ability to adapt and respond rapidly to disruptions and maintain continuity of business operations. From a business perspective, resilience is generally about preparing for any potential threat to the delivery of a smooth, steady and reliable service so as to maintain the delivery of critical services. Thus when bad things happen, as they do, the personnel operating the building are expected to minimise disruption to the use of the building. To achieve this goal they should have considered potential causes of disruption, both human and natural, make sure that key systems and processes are maintained to ensure business continuity, and have in place systems and processes to enable timely detection of, and response to, disruptive events.
The concepts of business continuity and disaster recovery are reasonably well understood by organisations in respect of their corporate IT systems and the management of manufacturing or production processes. To ensure the resilience of business operations, the organisation might employ a range of provisions, including: alternate/disaster recovery premises; offsite backups of business-critical data; diverse network and communication routes, etc. This is particularly the case for organisations that are heavily dependent on technology and IT for their business operations.
From a resilience perspective, the threat to business-critical corporate IT systems is generally mitigated and managed through disaster recovery, incident response and business continuity plans. The nature of these plans and the specific measures required to maintain business operations should be determined by the nature of the business, regulatory and legal requirements, and a business impact analysis. Where there is a critical business need to maintain continuity of IT operations, the solution may be to increase redundancy, such as through the provision of duplicate IT systems in geographically separate high-availability data centres.
The resilience of systems, whether they are IT or building systems (for example HVAC), is generally considered in terms of redundancy and their availability under both fault and maintenance conditions. Table 3 illustrates a classification mechanism used for data centres and industrial plants. A building or plant classified as Tier 1 will have minimal resilience, with single points of failure in critical systems. This type of accommodation is likely to be used by organisations that can tolerate some loss of IT or building systems. In contrast, a building or plant classified as Tier 4 will have a high degree of fault tolerance and might be used by an organisation delivering critical national infrastructure services. A Tier 4 site should be able to accommodate varying levels of scheduled maintenance and systems failure without losing capacity.
Tier Description Performance
1 Basic infrastructure Non-redundant capacity components and single non-redundant connection/ distribution paths
2 Redundant capacity components infrastructure
Redundant capacity components and single non-redundant connection/ distribution paths
3 Concurrently maintainable infrastructure
Redundant capacity components and multiple distribution paths
4 Fault-tolerant infrastructure Fault-tolerant architecture with redundant capacity systems and multiple distribution paths
4
In the built environment, the need for building systems to be resilient will generally be determined by the operational use of the accommodation. Thus for example data centres and acute health care facilities will have requirements for the continuity of critical building services, whereas a retail outlet or warehouse may only require the provision of emergency lighting to allow safe evacuation of the premises. In an intelligent building, resilience and cyber security are inextricably linked, because the failure of a building system could have a significant impact on the cyber security of the building.
In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.
3.2 What does cyber security mean?
Cyber security is a broad subject – it is not just about the technology, but has to address a wide range of factors: people, process and governance issues, and their interrelationships. These factors are management issues and are as important in cyber security as the deployment of technical solutions such as firewalls and antivirus software.
One internationally agreed definition for cyber security is ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets’.5 The
aim is that they remain under the control of legitimate users.
4 Adapted from ‘Site Infrastructure White Paper – Tier classifications define site
infrastruc-ture performance’, W. Pitt Turner IV, John N. Seader and Kenneth G. Brill, 2008, The Up-time Institute; available from http://www.greenserverroom.org/Tier%20Classifications%20 Define%20Site%20Infrastructure.pdf [accessed 24 Apr 2013]
5 From ITU-T X.1205: http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.
aspx [accessed 24 Apr 2013]
Table 3 – Tier classifications for site infrastructure performance4
This definition refers to a couple of terms that perhaps need clarifying: ●
● the ‘cyber environment’ (also sometimes called ‘cyberspace’) effectively comprises the interconnected networks of electronic, computer-based and wireless systems;
●
● the ‘organization and user’s assets’ includes connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and the totality of transmitted, processed and/or stored data and information in the cyber environment.
The cyber environment therefore encompasses the Internet, telecommunication networks, computer systems, embedded processors and controllers, and a wide range of sensors, storage and control devices. Although this definition of cyber environment only makes reference to systems, it also includes the information, services, social and business functions that exist only in cyberspace. Experience shows that even standalone systems and isolated networks are at risk from attacks by malicious users and from the introduction of malicious software via removable media.
Cyber security strives to ensure the attainment and maintenance of the security objectives of the organisation and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:
●
● Confidentiality, including the control and authorisation of access to information or data, for example to protect personally identifiable information, intellectual property and commercially sensitive data such as financial transactions, energy-metering data and production records.
●
● Integrity, which may include the trustworthy and safe operation of electronic and computer-based systems, their software and associated business processes, the assurance and authenticity of data or information, and the validity and retention of transactions including their authentication and non-repudiation.
●
● Availability of the building in general, and in particular the systems and processes required for its safe, secure and reliable operation. The availability needs to take into account the impact of failure on the ‘system of systems’ arising from the failure of a single system, i.e. is there a cascading or domino effect.
●
● Privacy, as, although this is often treated as part of the confidentiality objective, the convergence of systems creates additional risks. It is important that personal data remains ‘private’ and that in any system where there is an aggregation of data, that personal data is given appropriate protection as required by regulation and/or legislation. An example of this aggregation in a transport terminal is the aggregation of data relating to individual travellers as ‘passenger data’.
3.3 Why is cyber security an issue?
For both safety and security reasons it is important that an intelligent building meets the general security objectives of its owners, operators and occupiers, thus maintaining the required level of confidentiality, integrity and availability. From legal and regulatory perspectives (e.g. under EU and UK data protection and privacy legislation) there are also requirements to protect personal data. The interconnection and integration of systems from the three categories (i.e. building, ICT and business
systems) creates additional risks. Without careful planning, testing and monitoring, the more technology that is added to a building, the more the ‘Law of Unintended Consequences’6 may apply to the ‘system of systems’.
From a cyber security perspective it is important that the intelligent building is designed and operated so as to minimise and manage the risks to confidentiality, integrity and availability. The nature of potential threats to intelligent building systems will vary widely and will in part depend on the nature of the building and its occupants or users. Threats to systems include deliberate attacks, unintentional disruption and natural factors.
A key difference between the cyber security of corporate IT systems and buildings systems (ICS) is the focus of protective measures, as illustrated in Figure 2. In part this arises from the differences between the systems that were outlined in Table 2, but it is also influenced by the differing operational priorities.
Corporate IT
systems systems (ICS)Building
Financial
integrity Denial ofservice informationLoss of Loss ofview
Impact on systems
Loss of control
Financial and reputational risk
Safety and operational risk
In protecting corporate IT systems the emphasis is typically on the prevention of data loss and the threats to the financial integrity of the business, for example loss of intellectual property or customer data, fraudulent transactions and the continuity of business operations. The focus of technical solutions is therefore generally on the protection and control of information, with solutions deployed to address known attack vectors, for example network security, access control, advanced persistent threat (APT) detection and prevention and encryption.
In building systems (ICS), prevention of loss of control (i.e. the ability to control the process and physical assets) or loss of view (i.e. the ability of an operator or manager to see what is actually happening in the process or systems) are the primary requirements. Prevention of information or data loss is potentially accorded a much lower priority for these systems. The reason for this difference in emphasis is that the loss of control or view can lead to significant safety and operational risks: the former could lead to death or serious injury and physical damage to equipment; the latter may ultimately have financial or reputational consequences. Therefore system availability and integrity are generally afforded the greatest protection, with for example mechanisms such as verification of message integrity and the authentication of devices being given a higher priority than encryption of data.
6 http://www.econlib.org/library/Enc/UnintendedConsequences.html [accessed 24 Apr
2013]
Figure 2 – Risks arising from compromised systems
Solutions that afford protection to a corporate IT system may not be an appropriate or optimum solution for building systems (ICS). Thus in an intelligent building, infrastructure convergence and systems integration may impose technical and operational constraints on the protective measures employed.
Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or upgraded threats should inform the requirements and design brief.
CHAPTER 4
Understanding the threat landscape
4.1 Who or what might cause an incident?
This section examines different sources of threats in terms of who (or what) might cause an incident. It considers the potential threat agents, which can be individual(s) whose actions or inactions will cause or potentially cause a cyber security incident, or natural factors. For those threat agents with a malicious intent, it then considers the nature of the groups to which the threat agents may belong, because this may influence the potential severity and sophistication of the threat.
From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.
4.1.1 Potential threat agents
The potential threat agents that initiate a cyber security incident are as follows: ●
● Malicious outsiders: This is a person or persons unconnected with the building owner, the building occupier or supporting contractors; in essence, a person who does not have privileged access to the building or its systems. A malicious outsider could be a hacker, a cyber criminal, activist, terrorist or state-supported attacker – in all cases the intent is to cause harm or disruption. The attack may be targeted at the intelligent building and/or its occupants or be indiscriminate, for example malware or viruses.
●
● Malicious insiders: This is a person (or persons) connected with the building owner, the building occupier or supporting contractors; in essence a person who has some level of authorised or privileged access to the building or its systems and puts that privileged access to a use not intended or allowed.
●
● Non-malicious insiders: This is a person (or persons) connected with the building owner, the building occupier or supporting contractors, who through error, omission, ignorance or negligence causes a cyber security incident.
●
● Nature: This could be solar, weather, animal or insect related and result in a failure or significant impairment of one or more of the utility supplies or building systems, with a knock-on effect on systems that enable the correct operation of the intelligent building.
When considering the potential threats to a building the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, from the public) and the potential effects of natural causes.
4.1.2 Potential threat agent groups
Malicious threat agents will belong to one of the following groups, which are listed in order of increasing sophistication and capacity to cause damage and disruption:
●
● Sole activists: This could be a disaffected employee or an activist in an organised group who decides to take his or her own action. The severity and sophistication of the threat will be determined by the individual’s capabilities. Unfortunately, the ready availability of hacking and denial-of-service tools on the Internet (and in some cases distributed with technical magazines) means that the level of technical understanding required to launch an attack has been significantly reduced.
●
● Activist groups: The recent activities of some groups demonstrate that when a team of determined activists work together the threat increases, e.g. when they have persuaded naïve third parties to allow installation of software on their computers, thus magnifying the effect of distributed denial of service (DDoS) attacks.
●
● Competitors: These groups are likely to work through third parties, with the aim of harming a rival by stealing intellectual property or disrupting operations to cause financial or reputational loss.
●
● Organised crime: These groups are well organised and motivated by financial gain, through fraud, theft of intellectual property, attacks on e-commerce and banking systems, and blackmail or extortion. The sophistication of the malware used by these groups is increasing and there is evidence that they operate on a commercial basis, making their tools available to third parties. ●
● Terrorist: These groups have demonstrated that they are increasingly IT aware, making use of the Internet to distribute propaganda and for communications purposes. Well-funded groups could take advantage of the services offered by organised crime, seek support from a nation state or encourage internal members to adopt these attack methods. Again these groups could rely on the various toolkits available for download.
●
● Proxy terror threat agent with nation state support: In effect, this is state-sponsored terrorism, where the proxy party is used to provide deniability. This type of group effectively has the capacity and sophisticated technical support available to a nation state made available by the sponsoring nation. ●
● Nation states: It is alleged that some nation states are actively involved in cyber attacks on a wide range of organisations to acquire state secrets or sensitive commercial information and intellectual property. During periods of heightened international tension and conflict, these activities may include more widespread attacks as evidenced by malware such as Stuxnet, Duqu and Flame.
4.2 What harm might an incident cause?
Depending on the nature of the incident, where it occurs during the building life cycle and whether it is deliberate (the motivation of the threat agents), the building owner, operator, occupants and user may suffer significant inconvenience or losses. It is important that the losses below are not considered in isolation and there may be significant interdependencies.
●
● Commercial losses: These could be consequential losses due to the building being uninhabitable or inoperable, or they could arise from loss of commercial opportunities, e.g. due to commercial espionage during a tender exercise.
●
● Reputation loss: The higher the profile of the building and its occupants, the greater the potential for loss of reputation. These losses are likely to arise from incidents that cause major disruption or malfunction of the building, loss of personal or sensitive data, or widespread negative publicity.
●
● Theft or loss of intellectual property: This is of the greatest sensitivity during the specification, design and construction phases of the intelligent building where particularly innovative techniques or commercially sensitive options are being examined. However, even during the operations phase, including any significant changes or refurbishments, there may be significant volumes of commercially sensitive or proprietary information being handled by the building owner, building operators and support staff.
●
● Regulatory action: Depending on the use of the intelligent building, the failure or malfunction of systems as a result of an incident could lead to regulatory action. For example, a significant loss of personal data could trigger action by the data protection regulator, and incidents involving serious injury or death could trigger action by health and safety officials. ●
● IT incidents: Following an incident, there may be significant work required by IT and operations teams to identify, clean or restore affected systems and make appropriate changes to prevent a repetition of the incident. Depending on the nature of the incident, there may also be significant damage to the fabric of the building, the technical infrastructure and to non-IT systems. This damage may need to be repaired before the building can be restored for operational use. This represents an opportunity cost, because the resources could presumably have been deployed on other tasks.
●
● Contract and service delivery costs: The impact of dealing with an incident may include making changes to contracts and service level agreements, with a consequential impact on their costs.
●
● Disruption and recovery costs: If the incident causes physical damage to the building there may be significant costs associated with the repair and cleaning of affected facilities or assets and their restoration into fully serviceable condition.
●
● Investigation costs: Depending on the nature of the incident, there may be significant investigation costs associated with the use of digital forensic and engineering specialists to establish the chain of events. This will particularly be the case where there is a need to involve law enforcement agencies or insurers, who will both want evidence of the cause of the incident.
●
● Mitigation costs: If the incident leads to loss of availability of the intelligent building or the need to invoke business continuity measures, there are likely to be a range of mitigation costs, e.g. the temporary provision of alternative accommodation, the refund of tickets or the rescheduling of events.
A serious challenge with some incidents, particularly for those that are cyber security related, may be identifying the cause of an incident. The task is particularly difficult where there is a lack of logs or system logging and audit.
4.3 How do you assess vulnerability?
The evaluation of vulnerabilities is typically based on a risk management cycle, as illustrated in Figure 3. The assessment generally starts with the identification of a threat agent; examples of these were discussed in section 4.1. For a particular threat agent the threat types can be identified based on the vulnerabilities they exploit. The existence of a specific vulnerability creates a risk that may damage or
impair an asset. Having identified the asset at risk, the exposure can be assessed; this may be financial and reputational loss. The potential exposure is mitigated by putting an appropriate safeguard in place, which should limit the ability of the threat agent to cause a problem. In undertaking the threat assessment, it is normal to assess the likelihood of the risk event occurring, the value of the exposure and the cost of implementing the safeguard.
Threat Agent Causes Affects Mitigated by Causes Damages Creates Exploits Threat Type Vulnerability Risk Asset Exposure Safeguard
In considering proportionate safeguards, four options are typically considered: ●
● Avoidance, e.g. by deciding not to start or continue with the activity that gives rise to the risk.
●
● Reduction, i.e. taking steps to reduce the impact or reduce the likelihood of the risk occurring, e.g. through controls and protective measures.
●
● Sharing the risk with another party or parties, e.g. through contracts, outsourcing or insurance.
●
● Retention, i.e. accepting the risk, and taking appropriate steps to manage the consequences, e.g. budgetary provision or business continuity measures. To illustrate this process in an intelligent building, an example might be a review of a proposal to replace a number of physically cabled building security cameras with new wireless CCTV cameras. The building contains a number of pieces of expensive equipment and the assessment might consider the following scenario:
●
● Threat agent – thief wants to break into the building to steal equipment. ●
● Threat type – wants to disrupt CCTV recording to prevent identification following break-in.
●
● Vulnerability – has ability to jam WiFi signals used by CCTV cameras. ●
● Risk – that jamming may be successful, preventing recording of security events and hindering the investigation of the subsequent criminal activity. ●
● Asset – thief to break into premises and steal equipment. ●
● Exposure – loss of equipment, creates financial loss through the cost of replacing and any consequential losses until missing equipment is replaced.
Figure 3 – Typical risk management cycle
●
● Safeguard – use wired CCTV cameras to cover all points of entry to and exit from the building and adopt a policy to permit the use of wireless CCTV only in internal areas where there is limited ability to jam or disrupt the network connection from outside the building.
Examples of increased vulnerability for an intelligent building include: ●
● The potential for deliberate disruption of the systems due to the increased connectivity between systems, particularly where some of the systems connect to networks outside the building, e.g. network connectivity or remote monitoring functionality.
●
● The potential for accidental disruption of systems due to the failure of a system or of the building’s infrastructure.
●
● The possibility that unforeseen consequences will arise from unintentional system interactions, e.g. the potential for one system to interfere with the operation of another, under both normal and abnormal operating conditions. ●
● The potential for unintentional increased vulnerability of one system arising from its connection to or access from another system, e.g. arising from systems operating with different security rules and levels of trust.
●
● The need to manage access of staff, suppliers, contractors, and building occupants or users to the intelligent buildings systems so as to prevent unauthorised access to sensitive information and prevent unauthorised changes to systems or information.
●
● The need to understand the consequences of natural phenomena, such as extreme weather, earthquakes, flooding, solar storms, etc. for the operation and integrity of the building systems.
To illustrate the impact of the last bullet point above, an interesting example of the vulnerability of a complex building was the flooding in October 2012 of a Verizon office in New York by Hurricane Sandy.7 When the storm surge flooded Verizon’s
Manhattan office, the underground 90,000 cubic foot cable vault suffered a ‘catastrophic failure’, rendering miles of copper wiring useless and causing severe disruption to north-eastern US telecommunications services while the damage was repaired. In this example the threat actor is nature (the hurricane-induced storm surge) and the vulnerabilities are the failure to maintain a watertight underground cable vault or to predict the possibility of the event and prevent its occurrence by relocating the core function away from the flood risk.
7 http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-manhattan-
CHAPTER 5
Resilience and cyber security during specification phase
5.1 Resilience and cyber security requirements
During the specification phase the project team will develop a specification or design brief for the proposed building, setting out constraints and parameters for the design and outlining the project’s objectives, including proposed use and key functional requirements. Work on this initial project brief potentially encompasses three workstreams related to resilience and cyber security of the planned building:
●
● establishing resilience requirements of the building and its systems; ●
● establishing cyber security requirements for the building systems; and ●
● protecting intellectual property and commercial data.
These workstreams should take into account the nature of the building, its profile, proposed use and potential threats. Thus, for example, potential threats to a new high profile building in a prime city location or a new maximum security prison are likely to be different to those faced by a new environmentally controlled warehouse in an out-of-town industrial park. The cyber security requirements will need to take account of the increasing practice of running physical security systems over the IT infrastructure.8
5.1.1 Establishing resilience requirements
Key to achieving a resilient building is the design of building structures that are durable, and resistant to fire, flood, seismic events, severe weather events and other potential disasters. Failure to address resilience requirements at the specification stage can lead to significant cost increases or delays during design and construction, or expensive and disruptive changes when occupied or in operation; in some cases it may not be possible to address the threats adequately, thus increasing the risks to building owners and occupiers.
Resilience requirements should be determined by the building owner or investor based on location factors, proposed type and use of the building, and anticipated needs of the occupants. The extent to which resilience requirements and associated level of availability are affordable should be determined by the business case for construction or modification of the building. Financial pressures may be used during cost reduction or value management exercises to justify reducing or removing resilience or cyber security requirements. This can be a short-sighted decision because the costs of taking remedial or recovery action may be significantly greater than the savings, and the reputational damage may be irrecoverable.
Resilience requirements should take into account a wide range of factors including: ●
● Physical location and environment of the building, in particular any need to assure access, prevent flooding, handle severe weather events, prevent 8 CPNI is publishing guidance on ‘Physical Security over Information Technology’; see http://
forced entry, etc. These requirements should also address utility supplies and communications, including any need for diversely routed supplies, the quality and reliability of these supplies and potential for single points of failure. ●
● Physical design of the building, including susceptibility of the design to physical damage from natural events (e.g. seismic activity), durability of materials used, robustness of construction, ease of maintenance and repair, and the ability to adapt the building for future reuse for new ownership or occupancies.
●
● Overall systems availability requirements and the functional criticality of each system, or technical service, in relation to correct operation of the building. In addition to the functional assessment, the consequences of system failure for the safety and security of the building occupants and assets should be assessed. When considering the building systems, both physical location and environment of the building and its proposed physical design should be taken into account. For example, for a high availability building such as a data centre,9 the supply of power to the site is critical,
and the reliability of its supply influences the nature of any onsite generation required to provide resilience and continuity of supply.
●
● Any consequences of integrating building systems with corporate and operational IT systems, including any issues arising from convergence of the technical infrastructure used by these systems.
5.1.2 Establishing cyber security requirements
Cyber security requirements need to be considered in conjunction with the resilience requirements because there will be some dependencies between these requirement sets. It is important that relationships between these sets are taken into account, as failure to address a critical resilience issue could have a significant effect on the cyber security of the building and vice versa. The building specification should cover both cyber security requirements and their assurance across the building life cycle. Cyber security requirements of all building systems should be determined by the building owner or investor, based on proposed type and use of the building, proposed design of the building systems and their convergence or connectivity with systems outside the control of the building owner, and any anticipated needs of the occupants. The extent to which cyber security requirements are affordable should be determined by the business case for the construction or modification of the building and its intended or subsequent use and occupation.
By identifying and incorporating appropriate cyber security requirements in the building specification, appropriate measures can be considered during design and implemented as part of construction and commissioning. These measures should take into account the level of system integration both between individual building systems and between the building systems and any corporate and operational systems used by the building occupants. If the building is being constructed on a speculative basis, i.e. without known occupants or tenants, any cyber security requirements will need to be reviewed and potentially updated as the building occupancy is established.
5.1.3 Protecting intellectual property and commercial data
Widespread use of the Internet and email has revolutionised the way that organisations work. The construction industry makes extensive use of these technologies to support collaboration and data exchange on projects. When planning a major 9 CPNI Viewpoint 02/2010 – Protection of Data Centres: http://www.cpni.gov.uk/Documents/
construction project, whether new build or refurbishment, steps need to be taken to ensure that adequate cyber security measures are in place.
In September 2012, CESG, CPNI, BIS and the Cabinet Office launched Cyber Security Guidance for Business, a guide aimed at industry Chief Executives and board members. The guide draws upon the technical foundations of the 20 critical controls (see Appendix B), and the executive summary indicates that the Government has seen determined and successful efforts to:10
●
● steal intellectual property; ●
● take commercially sensitive data, such as key negotiating positions; ●
● exploit information security weaknesses through the targeting of partners, subsidiaries and supply chains at home and abroad.
As part of this guidance there are ten advice sheets,11 which outline actions and
measures representing a good foundation for improving cyber security. These advice sheets for ten steps to cyber security cover:
●
● information risk management regime; ●
● network security; ●
● user education and awareness; ●
● malware prevention; ●
● removable media controls; ●
● secure configuration; ●
● managing user privileges; ●
● incident management; ●
● monitoring; and ●
● home and mobile working.
Although the degree of implementation of these steps will inevitably vary between organisations depending on the specific risks faced, they do represent common key measures that may be used to protect the confidentiality, integrity and availability of corporate IT systems used during the specification phase.
Protection of key information assets, e.g. plans, business cases, designs, tender specifications, financial models and contracts, is essential to maintain a sustainable and competitive business. This is an issue not only for the building owner or investor, but also for all professionals involved in the specification phase of a project, i.e. architects, lawyers, financial advisers, engineers and lead suppliers. This protection needs to encompass all aspects of confidentiality, integrity and availability. It could be as financially damaging to lose an opportunity through theft of sensitive data as it would be if critical documents were destroyed or corrupted prior to submission of a bid. Protecting commercially sensitive data is likely to become more complex with the increasing electronic integration of the design and construction supply chains. For example, the introduction of Building Information Modelling (BIM) will enable and require tighter integration of the architecture, engineering and construction industries.12
10 Cyber Security Guidance for Business, published by CESG, BIS, CPNI and Cabinet Office 11 10 Steps to Cyber Security Guidance Sheets, published by CESG, BIS, CPNI and Cabinet
Office
12 ‘Building Information Modelling is digital representation of physical and functional
charac-teristics of a facility creating a shared knowledge resource for information about it forming a reliable basis for decisions made during its lifecycle from earliest conception to demolition’: http://www.cpic.org.uk/en/bim/building-information-modelling.cfm [accessed 24 Apr 2013]
This tighter electronic collaboration has the potential to speed up the design, reduce cost and improve competitiveness. However, it will also affect working practices, sharing of and access to information, intellectual ownership of designs, and the whole digital environment in the construction industry. There is a need for better cyber security during design and construction, as well as during subsequent operation. Unauthorised access to BIM data could jeopardise security of sensitive facilities, such as banks, courts, prisons and defence establishments, and in fact most of the Critical National Infrastructure.
5.2 Specifying appropriate resilience and cyber security
The degree of resilience and level of cyber security protection required by a building should be determined by a number of factors, including:
●
● location;
●
● physical environment; ●
● profile and attractiveness as a target; ●
● planned use/function, including particular safety or physical security requirements;
●
● nature of occupiers/users; ●
● any legal or regulatory requirements; ●
● whether it is a single or multi occupancy building; ●
● construction materials and overall design; ●
● complexity and criticality of building systems; ●
● degree/level of systems integration and convergence; ●
● degree of connectivity to systems outside the building.
A project team that is developing a requirements document and business case during the specification phase needs to conduct an initial threat assessment taking into account these factors to identify any safeguards that may be required as part of the design and implementation. A decision to require implementation of a specific safeguard should be reflected in the specification by adding appropriate requirements. During the specification process, decisions should be made as to the acceptable degree of risks from individual threats. These decisions and any supporting analysis should be recorded, because subsequent design decisions may require individual threats to be reassessed. This audit trail will also support assumptions in the business case regarding any residual financial risk associated with individual mitigated resilience or cyber security risks and their ‘cost–risk balance’. Owners and occupiers need to understand the nature of any residual risks and level of financial exposure so that they can make informed decisions about the degree to which insurance cover may be required to protect against specific risks.
During the requirements, concept and specification phase of a building project, the resilience and cyber security requirements need to be identified, taking into account the nature and purpose of the construction and the potential threats to the occupants and their business operations. The requirements should include appropriate protection for intellectual property, and commercial or sensitive information.
CHAPTER 6
Resilience and cyber security during design phase
6.1 Designing a resilient and cyber secure building
6.1.1 The design process
As the building project moves through this phase, all aspects of the design will progress through a number of iterations as it evolves from an initial concept design to a detailed technical design. The latter often includes a substantial amount of work by specialist sub-contractors and suppliers. Throughout this phase, building requirements should be analysed, interpreted and elaborated by the project team, with design decisions progressing from an early strategic level to increasingly detailed technical decisions. Given this progressive evolution of a final design and a need to address resilience and cyber security requirements throughout, workstreams are required to:
●
● interpret resilience requirements and ensure that appropriate measures are designed in; and
●
● interpret the cyber security requirements and ensure that appropriate measures are designed in.
As the design evolves, with key decisions being made and more detail becoming available, it is necessary to consider how well specific design options meet resilience and cyber security requirements. It is important that these requirements are addressed in the contractual frameworks as they develop.
There will inevitably be tensions arising from the cost of additional space, systems and protective measures required to fulfil these requirements, particularly if these requirements are not well understood. For example, to deliver mechanical and electrical systems that meet Tier 3 requirements rather than Tier 1 (see Table 3 in Chapter 3), the additional systems cost and complexity may appear unnecessary to a designer. This is often the case where a project team is struggling to stay within a space and cost budget. However, achieving this level of resilience may be an essential feature of the delivered accommodation and is likely to be difficult and expensive to retrofit.
Throughout this phase there is a need to review and update the threat assessments that were used to inform the development of the original resilience and cyber security requirements. As design work progresses, it should be possible to verify, through design assurance, that the proposed technical solutions continue to meet the requirements (see section 6.2).
The design process needs to address the change management of requirements and ensure that there are mechanisms in place to prevent compromise of resilience and cyber security requirements. For example, a shift from single occupancy to multi-occupancy use, or change of use for part of the accommodation, could have significant implications depending on the planned use of the building.
Some technical proposals may require further threat assessments to be conducted, such as where the solution introduces a feature that was not taken into account during the original assessment. An example of this might be the proposed supplier of a major building systems component requiring remote electronic access to a system in order to monitor performance and provide remote diagnostics. If this aspect had not been considered at the specification stage it may require the cyber security requirements to be revisited.
6.1.2 Design considerations
During the design of any complex building there will be a number of strategic choices that need to be taken at an early stage. These choices are often about the overall architecture, both at the physical level and for an intelligent building at the infrastructure and systems levels.
Examples of architectures the systems design authority may have to consider for the building infrastructure include the following:
●
● truly converged networks, with logical partitions (VLANs) for functional separation of applications/data traffic;
●
● multiple physical IP networks for estate/premises management, electronic security, building controls, metering and business productivity applications (the networks may be converged in the same physical spaces or managed in separate (or caged) spaces);
●
● bespoke data communications for building automation/controls, electronic security and metering applications, rather than IP networks;
●
● use of physical (cable or fibre) versus wireless networking infrastructures. The decisions about the most appropriate technology to use should not be made solely from a cost and performance perspective, but also need to take into account factors such as the safeguards required when IT infrastructure, telecoms and IT applications are partially or fully outsourced.
As part of an integrated design there may be requirements to interconnect systems with differing criticalities or security requirements. The standard ANSI/ISA-99 (Security for Industrial Automation and Control Systems) introduces the concept of Security Zones and Conduits to control access between Zones. The standard defines a Zone as a grouping of logical or physical assets that share common security requirements. Each Zone will require a Security Level Target (SLT) based on factors such as equipment criticality and consequence of loss or failure. Equipment in a Zone has a Security Level Capability (SLC) only if that capability is not equal to or higher than the SLT, in which case extra security measures, such as additional security technologies or policies, must be provided.
The Conduits between Zones should provide protection by resisting denial-of-service (DoS) attacks, preventing transfer of malware, shielding equipment in the Zone and by protecting the integrity and confidentiality of network traffic. Any communications between Zones must be via a Conduit. The use of Conduits can increase the SLC for all equipment in the connected Zone.
Figure 4 illustrates an approach using Zones and Conduits to allow data from the building systems local site computer to the business systems. In this illustration a data diode (a one-way traffic regulator) is used to create a one-way flow of data from the local site computer to ICT systems in a DMZ (‘demilitarised zone’) protected by a firewall. The business systems are able to communicate via the firewall to collect