Securing Integrated Communications Networks in an Increasingly Connected World
Frazer Holmes, global market leader for security with our High Performance Buildings Group in Melbourne, Australia, discusses the high probability of cyberattacks and shares several standards and guidelines that provide best practices and direction for organizations.
In our recent article discussing security in High Performance Buildings, we mentioned a four pillar-approach that is needed to effectively secure such assets.
One of those pillars relates to cybersecurity protection methodologies that can be defined as a collection of technologies, procedures, and practices designed for the protection of Integrated Communications Networks (ICN) and associated systems from an attack.
The importance of cybersecurity is evident in many markets as a board level issue and one that has the interest of many senior C-suite executives (McKinsey & Company). However, many building ICNs are still relatively poorly equipped to deal with advanced threats and only have limited security controls in place which operate independently from each other.
One such market relates to commercial buildings and the technology that supports their operation. Traditionally, the networks and systems that monitor and run buildings have been isolated from each other and with limited connectivity with the outside world. However, in recent years, an increasing number of buildings, processes, utilities, and systems have become interconnected with each other and their enterprise-wide WANs and LANs. As a result, many high performance and intelligent buildings look to install ICNs, in the hope of increasing efficiency, driving cost savings, improving decision making capability, and enhancing competitiveness.
The exponential growth of internet, cloud, and IP-based communications has fueled the desire to share information and connect everyone and everything. Buildings utilizing ICN architectures are now exposed to risks that may not have been considered in their original designs. Cybersecurity threats are some of the most complex and damaging risks facing organizations with the digital exposure created by ICNs and integrated platforms. In general terms, the more accessible a building and the interconnected systems become, the higher the corresponding increase in security vulnerabilities. These vulnerabilities represent a growing risk to building owners, managers, and occupants alike.
As cybercrimes continue to rise, it is important to have an understanding where the major and realistic threats will come from. It is interesting to note the common presumption that insider attacks are the highest source of threat is not as accurate as one may think. According to Verizon Enterprises’ most recent Data Breach Investigations Report, 70 percent of breaches were caused by outsiders. Furthermore, 86 percent of threats were financially motivated and 43 percent of breaches were from attacks on web applications, all of which is more than double the results of 2019.
Malware represents a significant threat and one that must be considered in the security architecture and design of an ICN. Many organizations have accepted that malware now has the ability to touch and connect to almost any network-connected element in the world. Despite all the cybersecurity precautions one may have in place, the reality is that if someone who is trained, resourced, and motivated wants to perpetrate a successful cyberattack against an ICN, it is probable they may succeed. It is only dependent upon how much time they have to do it and the amount of resources they have to apply to the task. If the ability and motivation is high, they will generally find a way.
The risk to ICNs and their exposure to cyberattacks has prompted several standards and guidelines to be developed that provide guidance and direction for organizations. While the following were developed for critical infrastructure and industrial industries, they provide recommendations and guidance that are quite similar and transferrable across market sectors:
- American Standards Institute [ANSI]/ISA-62443 series
- Nuclear Energy Institute (NEI) 08-09, International Standards Organization (ISO) 27000 series
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
- National Institute of Standards and Technology (NIST) Special Publications
The main recommendations are summarized as follows:
- Understand what assets and systems exist and determine which components need to be protected, and their relative importance with respect to an organization's business process
- Determine which assets are critical and which are non-critical
- Breakdown the structure of the systems into logical and functional groups
- Create a layered approach and rings of defense around each functional group and the critical systems identified
- Control access of people, data, and commands that flow from one group to another
- Establish ongoing periodic checks and assessment to make sure that security provisions remain as effective as possible
It is therefore essential that a pragmatic and unbiased approach be taken to develop a resilient cybersecurity culture that focuses on designing ICNs to include an architecture and supporting systems and processes which foster the ability to effectively monitor, identify, block, respond, manage, and recover from incidents. The reality is not if an attack will occur, but when, and as such organizations should prepare now to ensure that their digital vulnerabilities are well protected in the future. In my next post, I’ll discuss in more detail how to practically manage your cybersecurity risk, including prioritizing resources for a strong cyber defense, and making sure you can stop an attack quickly should one occur.