When we think about or discuss the cyber threats facing government organizations and the United States military, we think about direct attacks on agency network infrastructure, ransomware attacks against schools or local governments, insider threats from malicious actors within the government workforce, or direct attacks against connected weapon systems or platforms. But there is another vulnerability that could leave government agencies and military organizations susceptible to cyberattack that doesn’t get nearly as much attention or consideration – an attack against their commercial and industrial equipment and devices.
A recent eBook developed by the Modern Equipment Manufacturer looks at the state of today’s commercial and industrial devices and equipment and discusses how the next generation of these devices could cause a massive cybersecurity problem for their users. And the government purchases a lot of commercial and industrial equipment.
What kind of equipment and devices are we talking about? HVAC equipment, such as air conditioners, boilers and industrial fans. Wastewater and water quality equipment and devices, such as centrifuges and pumps. Fire protection equipment, such as fire panels and notification systems. Even devices like elevators, escalators and commercial lighting systems. All of these devices could become an attack surface through which malicious actors could compromise government networks. But how?
A new generation of connected devices
In the past, commercial and industrial devices were standalone units – each operating independently. If they needed to be maintained, monitored or managed, they needed to be interacted with in-person, individually.
Building owners and facility managers began demanding that these devices operate as systems so that they could more easily be monitored and managed together. Manufacturers met that demand by making their devices connect to each other. Then, they began making their devices capable of connecting to building management systems (BMS) and building automation systems (BAS) so that all of these devices and systems could be managed via a single pane of glass and automated.
But equipment owners wanted even more capability and connectivity – and device manufacturers have once again stepped up to meet that demand.
Today’s modern equipment and devices are being built to connect to the cloud. They’re a part of the Industrial Internet of Things (IIoT). This cloud connectivity makes it possible to monitor devices from anywhere with an active Internet connection and via practically any connected device. It makes it possible to aggregate and analyze device data to increase efficiency, maximize uptime and identify problems before they cause a device to fail. It even enables the manufacturer to remotely monitor their installed devices and optimize them for peak operational effectiveness and longevity.
And while IIoT devices deliver immense benefits to the equipment owners, they also are connected to and accessible via the Internet – and that makes them vulnerable in ways they never were when they were disconnected, individual devices.
Worse, many of the companies that manufacture these devices are equipment manufacturers with very little cybersecurity knowledge. These are companies that are incredibly effective at making the most efficient boiler, or the most reliable elevator that you can buy – but not necessarily companies that know how to keep their equipment from being attacked by hackers.
This means that equipment manufacturers are making their devices smarter and more connected, but not necessarily doing so with cybersecurity in mind – leaving these devices vulnerable to malicious actors. But why would anyone want to hack a boiler?
Shutting it down digitally
We’ve seen numerous news articles about effective ransomware attacks that have impacted schools, libraries and other state and local government agencies. In these instances, necessary systems are compromised and held for ransom until the perpetrators are paid for their return. This is something that could easily be replicated with commercial and industrial equipment.
By hacking a connected HVAC device, fire panel or lighting system, malicious actors could simply turn them off and demand ransom to turn them back on. Or, they could otherwise manipulate them to make working or learning conditions within a building or across a campus untenable.
For example, what would happen if someone were to hack the HVAC systems of a college or university campus in Arizona on a hot summer day and shut them all down? Chances are, with temperatures topping out at 120 degrees, those school buildings would become pretty uninhabitable pretty quickly. That college or university would literally sweat it out until a ransom was paid to turn them back on.
Or, what if a malicious actor were to hack a fire panel and turn on the alarm in a federal building? The entire building would be evacuated and most likely kept that way until the alarm was turned off – destroying productivity and keeping government employees from doing mission-critical work.
Then there’s the problem of lateral movement. Often, once a network is compromised in one place, the perpetrators then begin to move laterally through the network looking for data that can be compromised or other systems that can be exploited. Connected commercial and industrial equipment could serve as the entry point through which malicious actors enter the network and then move laterally to access valuable data or sensitive information.
The next generation of commercial and industrial equipment is smarter and more connected – but it’s also a massive cybersecurity vulnerability for the government and military. One of the things that cybersecurity vendors stress when helping organizations – including government entities – secure their networks is to take stock of everything that connects to the network and how vulnerable it is to attack. It’s clear that IIoT devices need to be a part of that inventory and need to be a part of cybersecurity planning and defense strategies moving forward.