Cyber Security Unawareness; It is No Longer an Option
In 2012 I began talking about cyber security related to our building control and facility systems and how this was one of the most important issues facing our industry. Since then we have seen cyber security incidents and vulnerabilities continue to be common and pose a global threat – no region or company is immune.
News of a cyber incident is nearly an everyday occurrence, while the scope and long-term damage associated with cyber incidents are escalating and, at times, appear not to end. Take Target, for example. We all know about the cyber incident that took place, yet the company is still dealing with the ramifications: paying $67 million to Visa and $19 million to Mastercard, facing several ongoing lawsuits, and still trying to recover from a major hit to its brand and a loss in customer confidence.
While cyber incidents that result in the theft of millions of pieces of personal data get big headlines, cyber incidents involving operational technologies such as SCADA and building control systems are one of the biggest untold stories, because such attacks are reported less often and do not make mainstream news the way the many cyber stories we are all familiar with do. The fact is that building automation and management systems are now firmly integrated within network infrastructures, and while these systems provide significant benefits, they also expose companies to greater cyber security risks.
According to Marina Krotofil, a researcher at Hamburg University of Technology, hackers have been penetrating control systems since 2006. When it comes to control systems, a report by Dell Security shows cyber-attacks on control systems doubled last year, increasing 600% since 2012.
A recent survey by the SANS Institute revealed that one-third of the respondents who actively maintain, operate or provide services to facilities maintaining control systems said their organization’s system had experienced a cyber incident. Of those, 17% acknowledged six or more breaches had occurred so far this year, up from 9% in all of 2014, with another 11% saying they had suffered between six and ten breaches. Even more chilling, 3.8% thought they could have been breached up to 50 times.
And if you think cyber incidents happen only at large organizations, think again. A recent survey of small businesses by the Ponemon Institute found that 55% of the respondents experienced a breach in 2013, with 53% of those experiencing more than one breach in the same year.
Companies that fail to protect user data can now be pursued by the Federal Trade Commission (FTC). A panel of judges for the Third U.S. Circuit Court of Appeals unanimously ruled the FTC has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures. This ruling says loud and clear to companies: "If you are not taking reasonable steps to protect against a breach, you will be held accountable."
Cyber security is hard; no one will deny that. But what is even harder is recovering from an incident. When it comes to cyber security, the fundamentals have changed. Threats and vulnerabilities to building systems can be entry points into the company’s network and become a pivot point that can bypass many existing network defenses.
From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures to increase the cyber security posture of our control systems far outweighs the risk of not making them secure. Given the evolving landscape of cyber security incidents, we must be prepared if a cyber security breach occurs by setting forth strategies, plans and defenses to combat the operational, reputational and financial harm caused by an incident. It’s more important now than ever before to be aware, understand the principles of cyber security and take additional measures. There's probably no issue facing our control systems that has become more crucial, more rapidly, than proactive cyber security vigilance. Cyber security has evolved into a strategic, business-critical priority. Cyber security unawareness is not an option.