Greetings and welcome back! This week we continue our series on Cyber Supply Chain Management. As a quick recap, we discussed last week that the 3 major communications protocols for electrical, mechanical, security and fire/life safety systems are all vulnerable to cyber attack. Those protocols, together with links to research showing the dangers of their vulnerabilities, are:
- Modbus – contains NO security whatsoever.
- BACnet – contains minimal to modest security.
- SNMP – contains minimal to modest security.
Because your critical building systems use these protocols to communicate, and because the networks on which they sit eventually touch the Internet, all your electrical, mechanical, security and fire/life safety systems are considered to be part of the Industrial Internet of Things (IIoT). As the following graphic shows, organizations are coming to grips with the fact that IIoT systems create cybersecurity danger within their facilities.
As building systems become increasingly connected, 90% of all organizations surveyed expect the total number of IIoT devices at their site to rise. The survey also showed that both large and small organizations see the increasing number of IIoT devices as creating a SIGNIFICANT INCREASE in their cyber risk profile. So what are some of the most common pieces of IIoT infrastructure found at facilities? The following is a list of some of the major IIoT systems:
- Uninterruptible Power Supplies (UPS)
- Power Distribution Units (PDU)
- Smart Thermostats
- Smart HVAC Controls
- Lighting Control Systems
- Security Systems
- Fire Protection Systems
With the understanding that all of these systems could be attacked and then hijacked to harm your company and its personnel, we turn to the crux of our issue: controlling cybersecurity through Cyber Supply Chain Management. Vendors that supply these systems to your organization have long been touting the advantages of having “smart” systems with built-in networking and alarming capabilities. Unfortunately, these same vendors often remain silent, pass the buck or simply deny the vulnerabilities within their systems.
The goal of this blog series is to let each organization see that you are in control of your own cybersecurity by managing your supply chain vendors. Every vendor that supplies products to your organization should be able to demonstrate its ability to secure the communications of those products. Most often, they must offer third-party security solutions as a part of their package. If organizations are to get control over cyber threats, they must require their vendors to comply with a list of cybersecurity requirements just as they do for electrical and mechanical specifications.
At AlphaGuardian, we are happy to work with both purchasers of IIoT systems and the vendors. We believe that only a coordinated effort among purchasers and vendors will ultimately bring about proper solutions to the huge problem of securing your site infrastructure. Please think about these things and, if you would like to speak about this in confidence, please feel free to give us a call. We are here for you.
Until Next Time,