Ingenuity Magazine Spring 2019

Sometime before May 2010 a group of hackers in China breached the computer defenses of the United States’ top business lobbying group and gained access to its information technology (IT) systems. The hack went largely unnoticed until a thermostat started communicating over the internet and stopped working properly and a printer started to randomly print pages with Chinese characters. No one knows how long the information of its three million members was viewed and available to the hackers, but if it weren’t for these missteps the hack may have gone unnoticed for much longer. The relevant part of this story to facility designers is that the hackers had access to a printer and a thermostat, typically not things you would associate with network access.

As facility designers we have various codes that require adherence and specific performance targets for the buildings we design. These targets require our buildings to be more energy efficient. The parts of the building designed to achieve these targets are passive, like building insulation and low-e glass, and active systems like lighting controls and heating and air conditioning control systems. These active control systems require a network to communicate with each other and the building operation team. Because of this, as facility designers, we are introducing cyber security threats into the buildings we design.

This threat is not unknown to certain building owners, i.e. the Department of Defense, the Federal Bureau of Investigation and other federal agencies involved in national security. These agencies have active programs in place to monitor network activity and understand the threats introduced by operational technology (OT) and the internet of things (IoT). Designers who work with these clients know to follow certain protocols (namely ensuring products comply with the Buy American Act) that help reduce the threat OT and IoT products may have on the building network.
Designers primarily working in the private industry are only concerned with such threats if their clients are. The client must have a sophisticated IT organization that will work with designers to identify the methods by which OT and IoT products are specified and connected to the building network. Clients without this awareness or protocol run the risk of hacking and infiltration in their networks.

For example, at the end of 2013, 70 million Target customers had their credit card information stolen from the stores’ point of sale systems. The hackers placed malware on all the cash registers in certain stores that recorded customer credit card numbers and other sales information. Though 70 million is a staggering number of affected customers, it could have been much worse. The hackers were only able to gain access to certain stores because these buildings’ heating and air conditioning controls were installed by the same company. This company still had access to the Target stores’ heating and air conditioning controls and these controls, as well as all of the IT systems in the stores, including the cash registers, operated on one IT network. The hackers circumvented a relatively easy firewall at the HVAC control company, allowing them into Target’s HVAC control network, which gave them access to the cash registers and credit card scanners. The initial vulnerability did not exist in Target’s IT network but within the network of an obscure vendor that affected only a limited number of stores. But even access to that limited number of stores led to a monumental amount of stolen data.

As facility designers, we may be saying the same thing to ourselves, “How am I going to introduce a threat? I am not building the systems or the networks that the systems rely on.” It is agreed that the facility designer is not creating the threat, but the selection of certain equipment and control systems adds vulnerabilities to a building’s IT network that did not exist or could not be exploited 10 years ago.

Addressing Cyber Security in Building Design Within

As featured in The Military Engineer Magazine
