Safely connecting building automation systems (BAS) and other “smart” cyber-physical systems (CPS) is critical to maintaining the cyber resilience of your commercial business. However, this objective is growing increasingly out of reach.
The culprit is the expanded connectivity of smart buildings, driven by the goals of sustainability and a better occupant experience. To meet these goals, smart buildings deploy numerous interconnected smart devices, which expand the attack surface and amplify the existing security weaknesses of a BAS environment.
As a result, commercial businesses such as data centers, retail, hospitality, and commercial real estate require a tailored approach to protect against all manner of cyber threats. This begins with understanding the challenges plaguing commercial industries, recent cybersecurity incidents impacting commercial businesses, the regulations developed as a result, and finally the best ways to strengthen your mission-critical environment from attacks.
In the commercial real estate industry, many properties use internet of things (IoT) devices and BAS technologies for energy management, security monitoring, and more. These technologies often have weak security measures in place, leaving them vulnerable to attacks. Additionally, commercial real estate companies hold a vast amount of sensitive data including personally identifiable information and financial information. Unauthorized access to this data can lead to serious financial ramifications.
Similarly, in the retail and hospitality industries, there is a widespread use of IoT devices including point of sale (POS) systems with various processing platforms. These industries house many databases and customer loyalty programs that include store customer contact and purchase information. Retail and hospitality organizations also tend to have an extensive geographical footprint, all of which are dependent on a variety of IoT, OT, and BAS assets to govern essential processes. This poses a unique challenge for these companies in securing their CPS. Additionally, these industries face significant insider threats with employees having access to sensitive customer data and internal systems.
There are many aspects of a data center that require protection. This includes its networks, servers, power systems, and the data and processes they support. In a world that is growing ever-reliant on data for business operations, critical infrastructure, and internet activities, protecting the data centers that support so many functions of our society is paramount. In many ways, organizations rely on data centers as a safety net. They entrust that their data centers are secure so they can focus on their business without worrying about the safety of their assets — making them that much more important to protect.
Many commercial companies have geographically dispersed sites that depend on a blend of CPS asset arrays including climate control, lighting, and physical security. These CPS assets are typically integrated as part of their IT infrastructure, yet security teams do not have complete business context into how these assets are interconnected or what their criticality is.
Unlike in industrial and healthcare environments, passive monitoring of network traffic to gain visibility into CPS isn’t a practical asset discovery method for most commercial verticals. Passive detection requires dedicated hardware that would be too expensive and complicated to deploy in multi-site commercial environments.
For many commercial organizations, traditional vulnerability and risk management strategies fall short because there are too many vulnerabilities to address, and very few vulnerabilities that are ever actually exploited. Additionally, risk-prone exposures such as misconfigurations, use of insecure protocols, and default password usage are rarely taken into account in traditional vulnerability management workflows.
Similarly, as we’ve stated above, commercial organizations depend on a variety of CPS asset arrays. To protect these various asset types, building operators need the business criticality context of their asset arrays to effectively prioritize exposure management workflows.
Due to the increased attack surface brought about by hyperconnectivity and increased sophistication of cyber criminals, the commercial sector has seen various cybersecurity incidents impacting their critical operations. These include:
German BAS System Hack
A building automation engineering firm, located in Germany, experienced a nightmare scenario when it lost contact with hundreds of BAS devices after a cyberattack locked the company out of the BAS environment it had constructed for an office building client. During this attack, the company was locked out of systems including light switches, motion detectors, shutter controllers, and more. This incident highlights the importance of commercial cybersecurity and has opened the eyes of many companies to the need for securing their BAS systems to protect not only their assets but also the safety and well-being of their occupants and buildings.
WiFi Hack in Singapore
In August 2018, a security engineer hacked into the WiFi of a hotel while attending a cybersecurity conference in Singapore. The engineer was able to reach the hotel's server because the administrator's server passwords had been disclosed without authorization. Once the hotel was compromised, the individual documented the hacking steps on their personal blog, which could easily have allowed the passwords to be used by nefarious actors. Although their actions did not cause any actual harm, they did create a heightened security risk and further emphasized the importance of strong commercial cybersecurity controls.
DDoS Attack in Finland
During the winter of 2016, hackers used a Distributed Denial of Service (DDoS) attack to shut down the heating system of two apartment buildings in Finland. During this attack, the central heating and hot water systems of both buildings had been impacted, leaving the residents in the cold. This malicious attack demonstrated how easily a significant threat to BAS can impact the health and welfare of society. As we’ve seen during this attack and the ones mentioned above, an unprotected commercial environment can quickly become a high-risk situation with potential damage to a building and its occupants.
As a result of these incidents, regulatory bodies and governments around the world have begun to establish regulations and frameworks to protect the critical operations of these organizations.
NIS2 Directive: The NIS2 Directive is a piece of legislation that aims to enhance the cyber resilience of critical infrastructure in the EU. The directive applies specifically to financial institutions and banking, providers of public communication networks and services, and public administration. Its goal is to improve cybersecurity risk management and introduce reporting obligations across sectors. However, maintaining compliance can be complex. That's why it is essential for commercial organizations to work with a trusted partner to minimize regulatory risk while driving resilience across their critical operations and infrastructure.
ISO/IEC 27001: ISO/IEC 27001 is a globally recognized standard for information security management systems (ISMS). Compliance with this standard helps secure sensitive operational technology (OT) systems such as cooling, power, and environmental controls in BAS. With ISO/IEC 27001 commercial organizations can establish a comprehensive framework for managing and protecting the confidentiality, integrity, and availability of sensitive information — including financial data and the personal data of both employees and customers.
NIST SP 800-53: NIST SP 800-53 was created by the U.S. National Institute of Standards and Technology (NIST) to outline security and privacy controls for federal information systems and organizations. These controls are the operational, technical, and management standards and guidelines that information systems use to maintain confidentiality, integrity, and availability. In many cases, implementing NIST SP 800-53 can help commercial organizations demonstrate compliance with other regulations that deal with cyber risk and information security.
Although the regulations mentioned above only scratch the surface of the unique requirements impacting commercial organizations, they reflect the increasing pressure to establish minimum cybersecurity standards that protect critical infrastructure from cyber attacks. These standards and frameworks are key in promoting consistency and interoperability amongst stakeholders; however, many organizations may struggle to keep up with mounting regulatory pressures. By seeking out a purpose-built cyber-physical systems (CPS) solution provider to help your organization align with regulatory requirements, industry guidelines, and other cybersecurity standards, your organization will benefit from a strengthened cybersecurity posture, improved risk management strategies, and proper guidance on industry best practices, among several other improvements to your overall commercial cybersecurity posture.
The foundation of any effective commercial cybersecurity strategy begins with a comprehensive and current inventory of all assets. With full asset visibility into all CPS in your BAS environment, you can understand what assets you have, where they are located, what their status is, and how they function. This begins with an approach that prioritizes non-passive collection methods. Non-passive methods provide deep visibility without the need for hardware or configuration changes and are recommended for commercial environments.
With a strong exposure management strategy, commercial companies can systematically identify and prioritize vulnerabilities in order to reduce the likelihood of a security breach. By proactively addressing weaknesses in critical systems, networks, and applications, organizations can reduce the risk of exploitation by threat actors.
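As an added illustration of the prioritization argument above (not part of the original post), the following Python sketch ranks a constructed BAS inventory by exposure type weighted by business criticality, so that a single default password on a critical chiller controller outranks a dozen unexploited CVEs on a low-criticality lighting gateway. The weights, asset names, and sites are assumptions chosen for illustration, not any vendor's scoring model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed weights: non-CVE exposures (default passwords, insecure protocols,
# misconfigurations) count alongside CVEs, and exploited CVEs dominate the
# long tail of CVEs that are never actually exploited.
EXPOSURE_WEIGHTS = {
    "default_password": 4.0,
    "insecure_protocol": 3.0,
    "misconfiguration": 2.0,
    "known_exploited_cve": 5.0,
    "unexploited_cve": 0.5,
}

# Business criticality is context the building operator supplies; it is not
# discoverable from network traffic alone.
CRITICALITY = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    site: str
    criticality: str
    exposures: list[str] = field(default_factory=list)


def exposure_score(asset: Asset) -> float:
    """Sum the asset's exposure weights, then scale by business criticality."""
    base = sum(EXPOSURE_WEIGHTS.get(e, 0.0) for e in asset.exposures)
    return round(base * CRITICALITY[asset.criticality], 1)


def prioritize(assets: list[Asset]) -> list[tuple[str, float]]:
    """Return (asset name, score) pairs, highest-risk first."""
    ranked = sorted(assets, key=exposure_score, reverse=True)
    return [(a.name, exposure_score(a)) for a in ranked]


# Constructed sample inventory for a multi-site commercial estate.
SAMPLE_ASSETS = [
    Asset("chiller-ctrl-01", "datacenter-A", "high", ["default_password", "insecure_protocol"]),
    Asset("lobby-lighting-gw", "hq", "low", ["unexploited_cve"] * 12),
    Asset("pos-terminal-17", "store-17", "medium", ["known_exploited_cve"]),
    Asset("shutter-ctrl-03", "hq", "medium", ["misconfiguration"]),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```

Counting CVEs alone would put the lighting gateway first; weighting by exposure type and criticality puts the chiller controller and the POS terminal ahead of it.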
Once enterprise-wide visibility is achieved and an effective exposure management strategy is in place, commercial companies can extend their CPS security controls to cover network protection, secure access, and threat detection use cases. By partnering with a comprehensive platform that supports the full CPS cybersecurity journey, commercial organizations can more quickly and easily progress in their CPS security and reduce their attack surface.
By following these three steps and adhering to industry regulations and standards, your commercial organization can boost its cyber resilience and tackle its most pressing cybersecurity challenges head-on. However, you may still be wondering where to get started. That's where we come in.
For more information on how a built-for-CPS cybersecurity solution, like Claroty xDome, can help, get in touch with our team now.