Delivering cybersecurity protection to commercial facilities sector becoming indispensable with rising threat level

Rising cybersecurity threats to the commercial facilities sector have underscored the need to focus on building and safeguarding existing security mechanisms at such installations. Most of these facilities are privately owned and operated with minimal interaction with the federal government and other regulatory entities. In addition, the commercial facilities sector largely operates on the principle of open public access, meaning that the general public can move freely throughout these facilities without the deterrent of obvious security barriers, thereby raising the threat of adversarial attacks on their environment. 

Threats to such installations are rising as nation-state actors and adversaries target them using ransomware or malware, or exploit hardware vulnerabilities present in their infrastructure. Furthermore, as commercial facilities continue to adopt Internet of Things (IoT) tools into their enterprises, the supply chain needs to be built more securely, with stronger security practices that bolster the overall cybersecurity posture of the sector.

Earlier this month, industrial cybersecurity company Nozomi Networks said in its latest OT/IoT security report that wiper malware, IoT botnet activity, and the Russian invasion of Ukraine impacted the threat landscape in the first six months of this year. The data also disclosed that manufacturing and energy remain the most vulnerable industries, followed by healthcare and commercial facilities. In March, the FBI reported that it received 56 complaints of ransomware attacks targeting the commercial facilities sector. Additionally, the Conti ransomware most frequently victimized the critical manufacturing, commercial facilities, and food and agriculture sectors. 

The commercial facilities sector comprises eight sub-sectors, including retail, entertainment and media, lodging, and public assembly organizations. The industry largely depends upon IoT devices to run its facilities by streamlining industrial control systems (ICS) and customer interactions. With the convergence of the digital and physical worlds, security risks and potential cyberattacks could impact both the physical and digital environments of commercial facilities.

The commercial facilities sector aligns its Sector-Specific Plan (SSP) with the national planning framework for security and resilience in the National Infrastructure Protection Plan 2013 (NIPP 2013). It analyzes how the commercial facilities sector manages risks and contributes to national critical infrastructure security and resilience, as set forth in Presidential Policy Directive 21 (PPD-21). As a result, progress toward sector goals, priorities, and activities contributes directly to national achievements under the NIPP 2013. Furthermore, as an annex to the protection plan, the SSP tailors the NIPP’s strategic guidance to the commercial facilities sector’s unique operating conditions and risk landscape.

The federal government indirectly works on safeguarding the sector by providing timely threat indications and warnings and working with organizations to develop standards and guidance for facility construction, operations, and security. The federal government and the commercial facilities sector need to align and ensure the protection of prominent business centers and gathering places, given the national-level visibility and potential human and economic consequences of commercial facilities.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts. Also available is the Department of Homeland Security’s (DHS) Cybersecurity Evaluation Tool (CSET), which assists organizations in protecting their critical national cyber assets. Developed under the direction of the ICS-CERT by cybersecurity experts, the tool gives users a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It also includes high-level and detailed questions about industrial control and IT systems.

The Commercial Facilities SSP sets the strategic direction for voluntary, collaborative efforts to improve security and resilience in the sector and details how the NIPP 2013 risk management framework is implemented within the context of the industry’s unique characteristics and risk landscape. 

Industrial Cyber contacted executives working across the commercial facilities sector to define the unique challenges that the industry faces in terms of its efforts to secure and safeguard its OT/ICS environments.

Paul Griswold, chief product officer for connected cybersecurity at Honeywell
“Some Commercial Facilities have hundreds, perhaps thousands, of OT assets, many of which may be decades old,” Paul Griswold, chief product officer for connected cybersecurity at Honeywell, told Industrial Cyber. “These legacy devices can be highly vulnerable to attack due to outdated/end-of-support software, firmware, and hardware, and require both compensating controls and appropriate monitoring to reduce attack surfaces. It can only take one device breach to potentially be at risk of a serious intrusion that facilitates loss of access or control.”

Griswold said that a second unique challenge is that some smaller commercial facilities may have lean teams with limited cybersecurity expertise and technologies, particularly in the ICS environment. “These organizations must understand their level of risk and conduct cybersecurity assessments to understand their most urgent weaknesses. If they don’t have the right resources to address identified risks on an ongoing basis, they can contract with security solution providers for professional and managed security services to bolster their detection and response capabilities to cybersecurity threats,” he added.

Fred Gordy, director of cybersecurity at Intelligent Buildings
“For over 40 years, the commercial real estate building control industry has been left to tend to itself,” Fred Gordy, director of cybersecurity at Intelligent Buildings, told Industrial Cyber. “The systems were designed with accessibility as the number one priority. These two factors are not the only areas for improvement. They, however, require an overhaul of the culture by educating the people responsible for these systems to understand and embrace the importance of building control cybersecurity,” he added.

Chalking out the approach and strategy that must be implemented to secure data, servers, and intellectual property from cyber-attacks, Griswold said that commercial facilities must assess the risks across their entire organizations, and this includes all IT and OT assets. “Many organizations have strategies in place to monitor and respond to IT threats to data, servers, and intellectual property, but threats are increasingly targeting OT assets and operations, where systems are rarely monitored at the same level as their IT counterparts,” he added.

“From an OT perspective, Honeywell advises organizations to establish a regular review (at least annually) of cybersecurity strategy, policies, and tools in order to better respond to threats,” Griswold said. “Second, organizations should implement a comprehensive strategy that layers in OT-specific cybersecurity tools and policies for both compliance and threat detection. Lastly, because USB-borne threats are a significant intrusion vector, organizations should ensure that they review the vulnerabilities of USB devices, ports, and their control. Companies can ensure their operations are cyber-resilient by focusing on these three approaches to reduce their risks,” he added.

Looking into the specific measures that the commercial facilities sector takes to safeguard control system field devices within the operational environment, Griswold said that it is essential that commercial facilities start by establishing a strategy to evaluate OT cybersecurity risk regularly, including annual risk assessments. “They also should work toward securing their OT environment by establishing three key capabilities – secure remote access, a continuous asset monitoring program for risk and compliance, and a detection/response program to address threats,” he added.

“Secure remote access can provide commercial facilities with visibility into all these assets accessing their OT network while also enforcing enterprise-wide security policies and compliance,” Griswold said. “Continuous asset monitoring can help organizations understand their cybersecurity posture, and 24/7 threat monitoring and detection program can provide notifications to threats that may require incident response actions.”

Gordy said that at the foundation of any cybersecurity program, “you have to know what you have in order to protect your assets. The culture accepted that it was not necessary to maintain an accurate, up-to-date asset inventory. Also, most building control systems are not monitored, and what and how things are connected is unknown.”

“To safeguard the devices and systems, it is imperative that asset inventory management become a priority, along with monitoring the building’s control systems,” Gordy added.

McKinsey’s research shows that IoT offers significant economic value potential, particularly in standardized production settings, but companies must achieve scale to capture it. The potential economic value that the IoT could unlock is large and growing. By 2030, the analyst firm estimates it could enable US$5.5 trillion to $12.6 trillion in value globally, including the value captured by consumers and customers of IoT products and services.

Addressing the effect of digitization and industrial IoT (IIoT) technologies on the cybersecurity issues faced by the commercial facilities sector, and the role that such adoption has played in enhancing or changing the industry’s cybersecurity posture, Griswold said that the expansion of IIoT capabilities has, in some cases, increased the exposure to evolving cybersecurity threats. “Air gapping OT assets from networks is increasingly more challenging as IIoT connections expand in operations, manufacturing, supply chains, and warehouses. Further, the sheer quantity of devices in many IIoT environments can make device detection and management very difficult with solutions that only function with an on-premise deployment model,” he added.

“However, organizations are starting to understand the risks and have begun implementing enhanced cybersecurity policies to harden assets that are increasingly more connected,” according to Griswold. “Increased digitalization and connected enterprises are forcing organizations to become more open to cloud-based cybersecurity solutions for asset management, continuous monitoring, and secure remote access. Leading companies that invest in connected operations recognize that they must also enhance cybersecurity of their dependent OT assets as a key step in digitalization,” he added.

Gordy said that the reality is that devices are being connected at an ever-increasing rate. “This is expanding the attack surface of all buildings. Especially if they are being set up insecurely. This is a challenge that building owners can no longer ignore,” he concluded.
