OT is Different From IT and Needs to be Treated as Such

Figure: OT and IT convergence (Source: Building Cyber Security)

OT systems pose threats that go beyond the loss of access to websites, files, or networks seen in IT systems. OT systems monitor or control equipment, assets and processes. A compromise of these systems can shut down plants or disrupt industrial environments, leading to risks to human life. Gartner predicts that by 2025 “cyber attackers will have weaponized operational technology environments to harm or kill humans successfully” (Gartner, 2021).

In the built environment, OT systems control physical systems like HVAC, lighting, access control, parking and video surveillance (for an overview of OT systems impacting the built environment, see the accompanying figure).

OT and IT systems are converging in systems like building management, building automation, IoT and sensors. IT systems control things like SharePoint, databases, property management, billing and work order systems (Niemeyer, 2023).

DID YOU KNOW?

OT systems are often old and sensitive. Many operate complex and segregated technology, machinery and equipment that were not designed to interface with broader networks or with several external devices. Pushing greater interactivity with broader networks and the Internet of Things has increased vulnerabilities and security gaps in these systems.

OT systems usually do not have monitoring systems in place. While passive monitoring is common in the IT space, it often does not occur in the OT space. Maintenance schedules typically do not include security updates that add layers of security, as this requires updating vendor contracts to include security requirements. Breaches, therefore, are often overlooked.

OT hackers exploit these failures and penetrate systems by bypassing security protocols or through phishing emails. Once their malware is in place, they can manipulate BCS or industrial control systems (ICS) to impact pressure sensors, valves, motors and other equipment (see the section "One wrong click can lead to a 92-day to recovery" for just such a case) (Moody, 2021).

If something breaks due to these activities, workers often assume the problem is caused by equipment failure or maintenance issues. Hackers often continue their attacks even after identifying damage (Moody, 2021). A real-life example of such an oversight is a Triton/Trisis attack on a Saudi Arabian oil and gas operation. In this case, hackers were on the ICS system for several months; some experts think they were on the system for years (Higgins, 2019).

Figure 6: The range of vulnerable built environments (Source: Pärn, 2023)

The following building systems are examples of the many OT systems that FMs use to manage buildings that are rapidly converging with IT systems:

Fire Systems

◆ Fire Detection Systems (alarms)

◆ Fire Protection Systems (sprinklers)

HVAC Systems

◆ Ventilation, Chillers, Air Handling, Purification

◆ Air Quality, Health

People Transport Systems

◆ Elevators

◆ Escalators

◆ Moving walkways

Lighting Systems

◆ Standard lighting and shades

◆ Emergency lighting

Utility Systems

◆ Gas

◆ Water, Boilers, Filtration

◆ Electric (including Backup Generators, UPS, Solar, Wind)

Physical Access Systems

◆ Physical Security Control

◆ Video Surveillance

◆ People Count

A/V and Digital Signage

◆ Standard

◆ Emergency

Voice Communication Systems

◆ Standard

◆ Emergency

Personal Transportation Support Services

◆ Parking Systems

◆ Access

◆ EV Charging

Building Automation Systems

◆ IT Systems

◆ Owner Network

◆ Property Management
