Resilience and Cyber Security of Technology in the Built Environment


IET Standards Technical Briefing


Author: Hugh Boyes CEng FIET CISSP

The IET would like to acknowledge the help and support of CPNI in producing this document.

Published by The Institution of Engineering and Technology, London, United Kingdom

The Institution of Engineering and Technology is registered as a Charity in England & Wales (no. ) and Scotland (no. SC038698)

First published 2013

This publication is copyright under the Berne Convention and the Universal Copyright Convention. All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may be reproduced, stored or transmitted, in any form or by any means, only with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at this address:

The Institution of Engineering and Technology
Michael Faraday House
Six Hills Way, Stevenage
Herts, SG1 2AY, United Kingdom

While the publisher, author and contributors believe that the information and guidance given in this work is correct, all parties must rely upon their own skill and judgement when making use of it. Neither the publisher, nor the author, nor any contributors assume any liability to anyone for any loss or damage caused by any error or omission in the work, whether such error or omission is the result of negligence or any other cause. Any and all such liability is disclaimed.

The moral rights of the author to be identified as author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

A list of organisations represented on this committee can be obtained on request to IET Standards. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with the contents of this document cannot confer immunity from legal obligations.

It is the constant aim of the IET to improve the quality of our products and services. We should be grateful if anyone finding an inaccuracy or ambiguity while using this document would inform the IET standards development team at IETStandardsStaff@theiet.org or The IET, Six Hills Way, Stevenage SG1 2AY, UK.

ISBN (paperback)
ISBN (PDF)

Contents

Participants in the Technical Committee 4
1 Introduction 5
2 Background 7
3 Overview of resilience and cyber security 13
4 Understanding the threat landscape 18
5 Resilience and cyber security during specification phase 23
6 Resilience and cyber security during design phase 27
7 Resilience and cyber security during construction 31
8 Resilience and cyber security during operations 35
9 Managing change impact on resilience and cyber security
Resilience and cyber security during decommissioning
Relevant standards 44
Appendix A Intelligent building case studies 47
Appendix B Twenty critical controls 52
Appendix C Glossary 55

Participants in the Technical Committee

The IET and author wish to acknowledge the support received from representatives of the following organisations in reviewing the drafts of this document.

- Arup
- Centre for the Protection of National Infrastructure (CPNI)
- Corporate IT Forum
- Defence Science and Technology Laboratory (dstl)
- ECA Group Ltd
- General Dynamics UK Ltd
- Incoming Thought Ltd
- Newrisk Ltd
- Symantec
- Transport for London

CHAPTER 1 Introduction

Creation of intelligent or smart buildings requires greater integration of systems, both the operational and business systems used by the buildings' occupants and a wide range of infrastructure systems. This is typically being achieved through the convergence of the technical infrastructure and the widespread use of readily available commercial and open source technologies. Although the initial focus of the designers of intelligent or smart buildings has been on developing solutions to make them more energy-efficient, there is an increasing focus on the interaction of systems. The drivers for intelligent buildings, and thus for systems integration, arise from the need for new energy-efficient interventions, real-time decision support systems, enhanced building and personnel security, and better management information dashboards that offer easy access to key performance indicators.

The purpose of this technical briefing is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems as those systems become interconnected with the global network that comprises cyberspace. This document is not intended to address the physical hardening of buildings to protect against specific physical threats such as earthquakes, weather or blast.

The document examines different sources of threats across the building life cycle from initial concept through to decommissioning. It considers potential threat agents that could cause or contribute to a cyber security incident and identifies some of the measures that may be appropriate to reduce the risks.

The key points that we highlight in this document are as follows:

- Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.
- Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.
- In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.
- Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or upgraded threats should inform the requirements and design brief.

- From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.
- When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, from the public) and the potential effects of natural causes.
- A serious challenge with some incidents, particularly those that are cyber security-related, may be identifying the cause of an incident. The task is particularly difficult where there is a lack of logs or system logging and audit.
- During the requirements, concept and specification phase of a building project, the resilience and cyber security requirements need to be identified, taking into account the nature and purpose of the construction and the potential threats to the occupants and their business operations. These requirements should include appropriate protection for intellectual property, and commercial or sensitive information.
- During the design phase of a building project, appropriate solutions to the resilience and cyber security requirements should be developed. As part of a design assurance exercise, the proposed design should be assessed to ensure that it has not introduced any new or unforeseen risks. Assuring the continuity of intent through the construction phase may require investment in competent resources.
- During construction of the building, resilience and cyber security issues need to be addressed while managing the supply chain, monitoring design integrity, maintaining physical security and implementing systems security.
- Once the building is in operational use, its resilience should be proactively managed to prevent any unforeseen or emergent loss of resilience and to identify any additional requirements arising from changes in the building's use.
- The building's IT systems are at risk from the outset. Application of the 20 critical controls [1] (see Appendix B) can provide protection by detecting reconnaissance, preventing unauthorised access or actions, detecting unauthorised access or actions and mitigating cyber security events.
- When changes to the building, its infrastructure, systems and use are being planned and implemented, the impact on resilience and cyber security should be assessed and appropriate steps taken to address any new or modified risks. This should include assessment of the impact of any decommissioning.

[1] Developed, coordinated and published by the SANS Institute: [accessed 24 Apr 2013]

CHAPTER 2 Background

2.1 Technology developments in the built environment

Economic and environmental pressures are increasingly affecting the design and operation of the built environment. In a competitive global economy, economic pressures relate to the total cost of ownership, both in terms of capital investment throughout the building's life cycle and operating costs. These operating costs are not just the costs of facilities management and building maintenance, but also the users' operational costs that are influenced by the built environment. A building that is operationally inefficient will inevitably have an economic impact on its occupants. Environmental pressures include the need to reduce energy consumption through increased energy efficiency and to reduce waste. To address these pressures a range of innovative IT-enabled solutions are being developed, as summarised in Figure 1.

Figure 1 Intelligent buildings are part of an increasingly integrated built environment (figure elements: Smart Cities, Smart Grid, Intelligent Buildings, Smart Homes, Intelligent Transport)

A key theme in these solutions is the increased IT-based interaction between physical assets with supporting communications, energy and transport infrastructures. Examples of this integration would include an intelligent building interacting with the smart grid to manage energy demand and ensure the most economic use of supply tariffs. In future it could include interaction with urban transport systems to inform building users of the current local transport situation. This integration affects both the operational and business systems used by the buildings' occupants and a wide range of infrastructure systems that maintain a comfortable, safe and secure environment. Historically this integration has been difficult due to the proprietary nature of many building systems. However, the increasing adoption of open standards and commercial off-the-shelf products to build these systems, for example TCP/IP networking and the use of commercial operating systems, has made the integration much easier.

Unfortunately the use of these technologies can create significant issues from a resilience and security perspective. For example, some software products have remote access links built in, connecting them to their suppliers for upgrade and maintenance support by default, and the increasing use of browser-based control interfaces has encouraged some manufacturers to require Internet access to their systems for condition monitoring and diagnostic purposes. If these remote connections are not adequately protected and managed, they create vulnerabilities and adversely affect system security and resilience.

The greatest economic and environmental benefits are likely to be derived from deployment of new automation and control systems that take information from business systems and data from sensor networks and building systems, to automate routine functions, maintain an optimum environment and achieve improved performance. In an office environment an example of intelligent building technologies could be the management of meeting rooms. If a building management system has access to meeting room booking information, it could be configured to reduce energy use by turning off non-essential equipment in the room and limiting environmental conditioning until the room is required and the first occupants arrive. This would require interaction between building systems and the room-booking service, which may be part of the organisation's corporate or operational systems. In a factory environment, similar integration might be used to control the heating and lighting of operational areas based on shift patterns, operational demand and the presence of the workforce in a particular area.

Provided that these features work reliably they can offer significant user benefits, but chaos can result when there are system failures or unwanted/unauthorised human intervention. Therefore, the more complex the technology and the greater the reliance on its fault-free operation, the greater the need will be for integrity, availability and confidentiality from a safety, security and reputational perspective. Any IT system is potentially at risk, regardless of whether it is standalone or part of an integrated system. The increased systems integration required to deliver an intelligent building is therefore not without risk even when carefully managed and monitored. We need to recognise that intelligent buildings are complex systems. This document outlines the key factors that need to be addressed to identify and manage the resilience and cyber security factors, and risks, of an intelligent building.

2.2 What is an intelligent building?

The precise definition of an intelligent building varies around the world. Although there is no agreed definition, there is a common theme: the integration of technologies. For the purpose of this document we define an intelligent building as one that provides a responsive, effective and supportive environment within which an organisation can achieve its business objectives. Intelligent buildings may also be referred to as smart buildings.

Some of the systems that may be integrated in an intelligent building are illustrated in Table 1. The fact that a building contains some of the listed systems does not make it an intelligent building: it is the systems integration to achieve operational efficiencies, energy efficiency, additional functionality or other user benefits that delivers the intelligent element. An issue that potentially increases the operational complexity of managing an intelligent building is the organisational and often contractual boundaries between those responsible for the different elements of infrastructure, building, ICT and business systems. A key principle for an intelligent building is that it needs to be designed and operated so that it provides a safe, secure and resilient environment, and to the extent that is practical, it needs to include a degree of future-proofing.

Table 1 Systems that may be integrated in an intelligent building

Infrastructure: sensors, structured cabling, IP network, wireless*, plant rooms, data rooms, server rooms, communications rooms, etc.

Building systems (ICS): building management, HVAC controls, access control, lighting control, intruder alarm, security/CCTV, fire alarm, water management, waste management, utilities, stand-by generators, UPS

ICT systems: office automation (e-mail, data, Internet), media/multi-media (voice, video, music), telephony (voice, fax, video conferencing, SMS, pagers), IP-based applications

Business systems: enterprise resource planning (ERP), material requirements planning (MRP), customer relationship management (CRM), integrated command-and-control centre, integrated service/helpdesks

Notes to Table 1:
* The term wireless is used as a generic term to cover communications and data links that do not require a physical connection; technologies employed include WiFi, Bluetooth, ZigBee, radio, NFC and RFID.
ICS: Industrial Control Systems.
Business systems are only included to the extent that they are integrated with building systems, for example CRM with access control, or ERP/MRP with supply chain management.
Other systems are relevant where they interact with building systems or sensors, for example RFID for tracking the location of material or assets.

An innovative aspect of systems integration is the increasing use of sensors within intelligent buildings. This can range from passive infrared motion detectors, to CCTV motion detection and the use of radio frequency identification (RFID) technologies. By allowing sensors that are usually applied to a single sub-system to be used by other systems, the building can be made more intelligent: for example, the use of RFID tokens to control access to the building or building zones, to provide access to the corporate network and to retrieve documents on communal printers. Another example is the use of building security sensors and CCTV motion detection to operate and control lighting (both internal and external) and, in conjunction with environmental monitoring systems, to manage heating, shutters, etc. Appendix A to this document contains some intelligent building case studies, which provide examples of the types of systems integration already occurring and the operational benefits achieved. Currently the intelligence is predominantly automation of routine tasks, based on the sharing of information or data, e.g. energy efficiency measures applied to unoccupied rooms.

As technology develops it is likely that significant gains will occur when the converged systems become self-aware, with network-based tools learning over time and responding accordingly. For an intelligent building this could represent the development of a self-preservation response, with the systems developing an awareness of relationships between events. An example might be that rather than relying on signature-based analysis to detect malware, attacks or system failures, the intelligent building responds to deviations from system and network behavioural norms, seeking to minimise disruption and alerting an operator to the need for an intervention. With this increased integration and interaction there will be a need to avoid the creation of single points of failure.

Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (i.e. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.

2.3 How does this integration affect building operations?

There are three fundamental issues that need to be considered in respect of the operation of an intelligent building:

- the organisational responsibilities for integrated technical infrastructure;
- the differences in the nature of corporate IT and building systems (ICS);
- the processes, practices and governance, including legal and regulatory compliance, required to operate and maintain the intelligent building in a safe, secure and resilient fashion.

In multi-occupancy buildings there will also be the issue of maintaining the privacy of the occupiers and, where appropriate, of their information and data, their staff, visitors or customers. If there is no integration or interconnection between corporate IT and building systems (ICS), the responsibility for these systems will lie with IT management and facilities or operations management respectively.
Integration and interconnection create a shared responsibility across two often culturally and technically different teams, because a malware incident on a corporate computer could have a significant impact across the entire intelligent building, affecting all the systems. At a generic level, the differences between the building systems (ICS) and corporate IT systems (ICT and business systems) are shown in Table 2. These differences are significant and inevitably lead to differing operational practices. For an intelligent building, the criticality of a system needs to be assessed in terms of business impact on resilience, physical security and personal safety. A failure to recognise these differences and system-criticality assessments, or to take account of them in the design, delivery and operation phases of an intelligent building, will significantly affect resilience and increase cyber security risks. Where some features are at the very least safety or security critical, they must be adequately protected from unauthorised intervention or access from the rest of the system while being part of it.
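Section 2.2 above contrasts signature-based detection with responding to deviations from system and network behavioural norms. The Python script below is an added illustration of that idea and is not part of the IET briefing: it learns, for each device on a building management network, the peers it talks to and the traffic volumes it produces during a known-good baseline period, then flags flows that break the norm, which is what an operator would want to be alerted to. The device addresses, the BACnet/IP port number and every flow record are constructed sample data.

```python
"""Behavioural-norm anomaly detection over building-network flow records.

Added example (not from the IET briefing). A baseline of known-good flows is
learned per source device: which (destination, port) peers it contacts and how
many bytes it usually sends. Later flows are compared against that norm rather
than against malware signatures.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: flows from a BMS controller (10.20.0.5) and an HVAC
# panel (10.20.0.9) to the BMS server on BACnet/IP (UDP 47808).
# Fields: (src, dst, dst_port, bytes)
BASELINE = [
    ("10.20.0.5", "10.20.0.10", 47808, 1200),
    ("10.20.0.5", "10.20.0.10", 47808, 1100),
    ("10.20.0.5", "10.20.0.10", 47808, 1300),
    ("10.20.0.5", "10.20.0.10", 47808, 1250),
    ("10.20.0.9", "10.20.0.10", 47808, 800),
    ("10.20.0.9", "10.20.0.10", 47808, 820),
    ("10.20.0.9", "10.20.0.10", 47808, 790),
    ("10.20.0.9", "10.20.0.10", 47808, 810),
]

# Constructed observation window containing two deviations from the baseline.
OBSERVED = [
    ("10.20.0.5", "10.20.0.10", 47808, 1220),   # normal
    ("10.20.0.9", "10.20.0.10", 47808, 805),    # normal
    ("10.20.0.5", "203.0.113.7", 443, 1150),    # controller contacts a peer never seen before
    ("10.20.0.9", "10.20.0.10", 47808, 52000),  # usual peer, but volume far above the norm
]


def learn_baseline(flows):
    """Return ({src: set of (dst, port)}, {src: (mean_bytes, stdev_bytes)})."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[src].append(nbytes)
    stats = {src: (mean(v), pstdev(v)) for src, v in volumes.items()}
    return peers, stats


def detect(flows, peers, stats, k=3.0):
    """Return a list of (kind, src, dst, port, bytes) alerts for deviating flows."""
    alerts = []
    for src, dst, port, nbytes in flows:
        if src not in peers:
            # A device that never appeared in the baseline is itself an anomaly.
            alerts.append(("unknown-source", src, dst, port, nbytes))
            continue
        if (dst, port) not in peers[src]:
            alerts.append(("new-peer", src, dst, port, nbytes))
        mu, sigma = stats[src]
        # A very flat baseline would make any change look infinite, so the
        # spread used for the threshold is never less than 5% of the mean.
        threshold = mu + k * max(sigma, 0.05 * mu)
        if nbytes > threshold:
            alerts.append(("volume", src, dst, port, nbytes))
    return alerts


def run():
    """Learn from BASELINE and evaluate OBSERVED; returns the alert list."""
    peers, stats = learn_baseline(BASELINE)
    return detect(OBSERVED, peers, stats)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running the script yields two alerts: a new-peer alert for the controller's flow to 203.0.113.7:443 and a volume alert for the HVAC panel's 52000-byte flow. Neither needs a signature; both are simply departures from what the device did during the baseline.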

Table 2 Comparison of corporate IT systems and building systems (ICS) [2]

Characteristic | Corporate IT systems | Building systems (ICS)
Lifetime | 3-5 years | 5-20 years
Availability | Out-of-hours outages often acceptable | Continuous operation typically required for control systems
Time-critical | Delays often acceptable | May be safety-critical
Patching | Frequent, can be daily | Rare
User accounts | Usually individual users with permissions according to business role | Often shared functional accounts, based on specific roles, e.g. operator, administrator, engineer
Outsourcing | Widely used | Varies, rare for production systems
Antivirus | Widely used | Difficult/impossible to deploy
Security skills | Limited to good | Often poor or non-existent
Security awareness | General awareness | Often poor or non-existent
Security testing | Widely used | Rarely used and risk of damage to control systems
Physical security | Generally secure and manned | Generally remote/unmanned

An example of the difference between systems is the practice of allowing users to access removable media (CDs, DVDs, USB drives) from their desktop or laptop computers. This may be acceptable on the corporate IT system, where antivirus and anti-malware software is installed, but is best avoided on the building management network, where not all computers can be protected in this way. The practices for dealing with a compromise may also differ significantly. The New York Times, [3] for example, simply replaced all compromised computers on its corporate network when faced with a serious threat. Removing a virus or malware from a building management system may be significantly more complex, however, given that some electronic sensors or components will be embedded in many different major components and sub-systems. The problem may be further exacerbated by the potential age of the systems and the need to maintain building operations.
Historically, industrial control systems (ICS), including the subset that comprise building systems, and corporate IT systems have been managed by operations (including estates) teams and IT teams respectively, with different operational processes, practices and governance. The combination of these organisational boundaries coupled with systems integration and/or interconnection can introduce significant operational complexity and risk into intelligent buildings.

Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.

[2] Adapted from Table 5.1 in Protecting Industrial Control Systems from Electronic Threats, Joseph Weiss, 2010, [accessed 24 Apr 2013]

CHAPTER 3 Overview of resilience and cyber security

3.1 What does resilience mean and why is it an issue?

Resilience is the ability to adapt and respond rapidly to disruptions and maintain continuity of business operations. From a business perspective, resilience is generally about preparing for any potential threat to the delivery of a smooth, steady and reliable service so as to maintain the delivery of critical services. Thus when bad things happen, as they do, the personnel operating the building are expected to minimise disruption to the use of the building. To achieve this goal they should have considered potential causes of disruption, both human and natural, ensured that key systems and processes are maintained to support business continuity, and put in place systems and processes to enable timely detection of, and response to, disruptive events.

The concepts of business continuity and disaster recovery are reasonably well understood by organisations in respect of their corporate IT systems and the management of manufacturing or production processes. To ensure the resilience of business operations, the organisation might employ a range of provisions, including:

- alternate/disaster recovery premises;
- offsite backups of business-critical data;
- diverse network and communication routes, etc.

This is particularly the case for organisations that are heavily dependent on technology and IT for their business operations. From a resilience perspective, the threat to business-critical corporate IT systems is generally mitigated and managed through disaster recovery, incident response and business continuity plans. The nature of these plans and the specific measures required to maintain business operations should be determined by the nature of the business, regulatory and legal requirements, and a business impact analysis.
Where there is a critical business need to maintain continuity of IT operations, the solution may be to increase redundancy, such as through the provision of duplicate IT systems in geographically separate high-availability data centres. The resilience of systems, whether they are IT or building systems (for example HVAC), is generally considered in terms of redundancy and their availability under both fault and maintenance conditions. Table 3 illustrates a classification mechanism used for data centres and industrial plants. A building or plant classified as Tier 1 will have minimal resilience, with single points of failure in critical systems. This type of accommodation is likely to be used by organisations that can tolerate some loss of IT or building systems. In contrast, a building or plant classified as Tier 4 will have a high degree of fault tolerance and might be used by an organisation delivering critical national infrastructure services. A Tier 4 site should be able to accommodate varying levels of scheduled maintenance and systems failure without losing capacity.
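As an added illustration of the single-point-of-failure and tier concepts discussed above and in Table 3 (example code, not from the IET briefing or the Uptime Institute), the Python model below represents a site as subsystems that each need a minimum number of their elements in service. It enumerates single points of failure, checks whether any one element can be withdrawn for maintenance without loss of service, and checks whether a fault can still be tolerated while one element is under maintenance. The chiller and feed names, the four sample site models and the mapping of those checks onto tier numbers are simplified assumptions made for this example.

```python
"""Single-point-of-failure, maintainability and fault-tolerance checks.

Added example, not from the IET briefing. A site is a list of Subsystem
objects; the site is 'up' only if every subsystem has at least `required`
of its elements in service. Element names are assumed unique across the site.
"""
from itertools import combinations


class Subsystem:
    def __init__(self, name, elements, required):
        self.name = name
        self.elements = list(elements)   # redundant alternatives, e.g. chillers or feeds
        self.required = required         # minimum number that must be in service

    def is_up(self, down):
        """True if enough of this subsystem's elements are outside the `down` set."""
        return sum(1 for e in self.elements if e not in down) >= self.required


def site_up(subsystems, down):
    return all(s.is_up(down) for s in subsystems)


def all_elements(subsystems):
    return [e for s in subsystems for e in s.elements]


def single_points_of_failure(subsystems):
    """Elements whose individual loss takes the whole site down."""
    return [e for e in all_elements(subsystems) if not site_up(subsystems, {e})]


def concurrently_maintainable(subsystems):
    """Any single element can be taken out for maintenance without loss of service."""
    return not single_points_of_failure(subsystems)


def fault_tolerant(subsystems):
    """Survives a fault in any element while any other element is under maintenance."""
    pairs = combinations(all_elements(subsystems), 2)
    return all(site_up(subsystems, {a, b}) for a, b in pairs)


def classify(subsystems):
    """Map the checks onto the Table 3 tier numbers (simplified assumption)."""
    if fault_tolerant(subsystems):
        return 4
    if concurrently_maintainable(subsystems):
        return 3
    # Tiers 1 and 2 differ by whether any capacity components are redundant.
    redundant = any(len(s.elements) > s.required for s in subsystems)
    return 2 if redundant else 1


# Constructed site models: one cooling pool (capacity components) and one
# power distribution path group, with increasing redundancy.
TIER1 = [Subsystem("cooling", ["chiller-1"], 1),
         Subsystem("power-path", ["feed-A"], 1)]
TIER2 = [Subsystem("cooling", ["chiller-1", "chiller-2"], 1),
         Subsystem("power-path", ["feed-A"], 1)]
TIER3 = [Subsystem("cooling", ["chiller-1", "chiller-2"], 1),
         Subsystem("power-path", ["feed-A", "feed-B"], 1)]
TIER4 = [Subsystem("cooling", ["chiller-1", "chiller-2", "chiller-3"], 1),
         Subsystem("power-path", ["feed-A", "feed-B", "feed-C"], 1)]


if __name__ == "__main__":
    for label, site in (("TIER1", TIER1), ("TIER2", TIER2), ("TIER3", TIER3), ("TIER4", TIER4)):
        print(label, "SPOF:", single_points_of_failure(site),
              "maintainable:", concurrently_maintainable(site),
              "fault tolerant:", fault_tolerant(site),
              "tier:", classify(site))
```

The useful distinction the model makes explicit is between Tier 3 and Tier 4: the Tier 3 site has no single point of failure, so any one element can be withdrawn for maintenance, but a fault in the remaining chiller while the other is being serviced still takes the site down. The same enumeration can be run over a real site's equipment list to find the single points of failure the text warns about.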

Table 3 Tier classifications for site infrastructure performance [4]

Tier | Description | Performance
1 | Basic infrastructure | Non-redundant capacity components and single non-redundant connection/distribution paths
2 | Redundant capacity components infrastructure | Redundant capacity components and single non-redundant connection/distribution paths
3 | Concurrently maintainable infrastructure | Redundant capacity components and multiple distribution paths
4 | Fault-tolerant infrastructure | Fault-tolerant architecture with redundant capacity systems and multiple distribution paths

In the built environment, the need for building systems to be resilient will generally be determined by the operational use of the accommodation. Thus for example data centres and acute health care facilities will have requirements for the continuity of critical building services, whereas a retail outlet or warehouse may only require the provision of emergency lighting to allow safe evacuation of the premises.

In an intelligent building, resilience and cyber security are inextricably linked, because the failure of a building system could have a significant impact on the cyber security of the building. In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.

3.2 What does cyber security mean?

Cyber security is a broad subject: it is not just about the technology, but has to address a wide range of factors: people, process and governance issues, and their interrelationships. These factors are management issues and are as important in cyber security as the deployment of technical solutions such as firewalls and antivirus software.
One internationally agreed definition for cyber security is "the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets". [5] The aim is that they remain under the control of legitimate users.

[4] Adapted from Site Infrastructure White Paper: Tier classifications define site infrastructure performance, W. Pitt Turner IV, John N. Seader and Kenneth G. Brill, 2008, The Uptime Institute; available from Define%20Site%20Infrastructure.pdf [accessed 24 Apr 2013]
[5] From ITU-T X.1205: aspx [accessed 24 Apr 2013]

16 This definition refers to a couple of terms that perhaps need clarifying: the cyber environment (also sometimes called cyberspace ) effectively comprises the interconnected networks of electronic, computer-based and wireless systems; the organization and user s assets includes connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and the totality of transmitted, processed and/or stored data and information in the cyber environment. The cyber environment therefore encompasses the Internet, telecommunication networks, computer systems, embedded processors and controllers, and a wide range of sensors, storage and control devices. Although this definition of cyber environment only makes reference to systems, it also includes the information, services, social and business functions that exist only in cyberspace. Experience shows that even standalone systems and isolated networks are at risk from attacks by malicious users and from the introduction of malicious software via removable media. Cyber security strives to ensure the attainment and maintenance of the security objectives of the organisation and user s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Confidentiality, including the control and authorisation of access to information or data, for example to protect personally identifiable information, intellectual property and commercially sensitive data such as financial transactions, energy-metering data and production records. Integrity, which may include the trustworthy and safe operation of electronic and computer-based systems, their software and associated business processes, the assurance and authenticity of data or information, and the validity and retention of transactions including their authentication and nonrepudiation. 
Availability of the building in general, and in particular of the systems and processes required for its safe, secure and reliable operation. Availability needs to take into account the impact on the system of systems of the failure of a single system, i.e. whether there is a cascading or domino effect.

Privacy. Although this is often treated as part of the confidentiality objective, the convergence of systems creates additional risks. It is important that personal data remains private and that, in any system where data is aggregated, personal data is given the protection required by regulation and/or legislation. An example of such aggregation in a transport terminal is the aggregation of data relating to individual travellers as passenger data.

3.3 Why is cyber security an issue?

For both safety and security reasons it is important that an intelligent building meets the general security objectives of its owners, operators and occupiers, thus maintaining the required level of confidentiality, integrity and availability. From legal and regulatory perspectives (e.g. under EU and UK data protection and privacy legislation) there are also requirements to protect personal data. The interconnection and integration of systems from the three categories (i.e. building, ICT and business systems) creates additional risks. Without careful planning, testing and monitoring, the more technology that is added to a building, the more the Law of Unintended Consequences 6 may apply to the system of systems. From a cyber security perspective it is important that the intelligent building is designed and operated so as to minimise and manage the risks to confidentiality, integrity and availability.

The nature of potential threats to intelligent building systems will vary widely and will in part depend on the nature of the building and its occupants or users. Threats to systems include deliberate attacks, unintentional disruption and natural factors.

A key difference between the cyber security of corporate IT systems and of building systems (ICS) is the focus of protective measures, as illustrated in Figure 2. In part this arises from the differences between the systems that were outlined in Table 2, but it is also influenced by differing operational priorities.

Figure 2 Risks arising from compromised systems
Corporate IT systems: financial integrity, denial of service, loss of information; consequence: financial and reputational risk.
Building systems (ICS): loss of view, loss of control; consequence: safety and operational risk.
(Both columns feed the central "impact on systems" box of the figure.)

In protecting corporate IT systems the emphasis is typically on the prevention of data loss and on threats to the financial integrity of the business, for example loss of intellectual property or customer data, fraudulent transactions and the continuity of business operations. The focus of technical solutions is therefore generally on the protection and control of information, with solutions deployed to address known attack vectors, for example network security, access control, advanced persistent threat (APT) detection and prevention, and encryption.

In building systems (ICS), prevention of loss of control (i.e. of the ability to control the process and physical assets) or loss of view (i.e. of the ability of an operator or manager to see what is actually happening in the process or systems) is the primary requirement. Prevention of information or data loss is potentially accorded a much lower priority for these systems. The reason for this difference in emphasis is that loss of control or view can lead to significant safety and operational risks: the former could lead to death or serious injury and physical damage to equipment; the latter may ultimately have financial or reputational consequences. Therefore system availability and integrity are generally afforded the greatest protection, with, for example, mechanisms such as verification of message integrity and authentication of devices being given a higher priority than encryption of data.

6 [accessed 24 Apr 2013]

Solutions that afford protection to a corporate IT system may not be an appropriate or optimum solution for building systems (ICS). Thus in an intelligent building, infrastructure convergence and systems integration may impose technical and operational constraints on the protective measures employed. Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building pose a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or changed threats should inform the requirements and design brief.
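The preference stated in 3.3 for message integrity and device authentication over encryption of data can be made concrete. The following Python is an added example, not code from this briefing or from any product: it tags building-control commands with an HMAC under a pre-shared per-device key and enforces a strictly increasing per-sender sequence number, so a tampered or replayed command is rejected while the command text itself stays readable on the wire. A receiver with no integrity check is shown alongside for contrast. The device name, key, wire format and sequence-number rule are assumptions made for the example.

```python
"""Authenticated, unencrypted control messages (added example).

Assumptions made for this example, not taken from the briefing: one
pre-shared 256-bit key per field device, a per-sender sequence number
that must strictly increase, and the text wire format
"<device_id>|<seq>|<payload>|<hmac-sha256 hex>".
"""
import hashlib
import hmac

# Constructed per-device key; a real controller would load this from a key
# store and never derive it from a fixed string.
DEVICE_KEYS = {"ahu-01": hashlib.sha256(b"example-key-ahu-01").digest()}


class AuthError(ValueError):
    """Message failed an integrity, origin or freshness check."""


def build_message(key: bytes, device_id: str, seq: int, payload: str) -> str:
    """Tag a command with an HMAC; the payload itself stays in clear.

    The MAC covers device id, sequence number and payload, so changing any
    of them invalidates the tag, but anyone on the wire can still read them.
    """
    body = f"{device_id}|{seq}|{payload}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class LegacyDevice:
    """Receiver with no integrity check: whatever arrives is applied."""

    def __init__(self) -> None:
        self.setpoint = None

    def receive(self, wire: str) -> str:
        self.setpoint = wire.split("|")[2]
        return self.setpoint


class FieldDevice:
    """Receiver that checks integrity and origin, then freshness, then acts."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key
        self.last_seq = -1      # highest sequence number accepted so far
        self.setpoint = None    # last command actually applied

    def receive(self, wire: str) -> str:
        # 1. Integrity and origin: recompute the MAC over everything before
        #    the tag and compare in constant time.
        body, _, tag = wire.rpartition("|")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise AuthError("bad MAC: altered, or not from a key holder")
        device_id, seq_text, payload = body.split("|", 2)
        if device_id != self.device_id:
            raise AuthError("message addressed to another device")
        # 2. Freshness: a valid old message replayed later must not be acted on.
        seq = int(seq_text)
        if seq <= self.last_seq:
            raise AuthError(f"replay: seq {seq} <= last accepted {self.last_seq}")
        self.last_seq = seq
        # 3. Only now act on the (plaintext) payload.
        self.setpoint = payload
        return payload


def tamper(wire: str, new_payload: str) -> str:
    """What an attacker without the key can do: rewrite the payload and
    keep the old tag."""
    body, _, tag = wire.rpartition("|")
    device_id, seq_text, _ = body.split("|", 2)
    return f"{device_id}|{seq_text}|{new_payload}|{tag}"


def run_scenario() -> dict:
    """Drive both receivers through a valid, a tampered and a replayed command."""
    key = DEVICE_KEYS["ahu-01"]
    device = FieldDevice("ahu-01", key)
    results = {}
    first = build_message(key, "ahu-01", 1, "setpoint=21.0")
    results["valid"] = device.receive(first)
    forged = tamper(first, "setpoint=45.0")
    results["legacy_tampered"] = LegacyDevice().receive(forged)   # applied blindly
    for name, wire in (("tampered", forged), ("replayed", first)):
        try:
            device.receive(wire)
            results[name] = "accepted"
        except AuthError as err:
            results[name] = f"rejected ({err})"
    results["next"] = device.receive(build_message(key, "ahu-01", 2, "setpoint=20.5"))
    results["setpoint"] = device.setpoint
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The per-device key gives origin authentication and the MAC gives integrity, the two properties the briefing says building systems need most; nothing here hides the setpoint, which is the deliberate trade-off. A sequence number rather than a timestamp is used because field devices often have no trustworthy clock; the counter must survive a device restart (or be renegotiated on restart), otherwise a restart reopens the replay window.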

CHAPTER 4 Understanding the threat landscape

4.1 Who or what might cause an incident?

This section examines different sources of threat in terms of who (or what) might cause an incident. It considers the potential threat agents, which can be individual(s) whose actions or inactions cause, or could cause, a cyber security incident, or natural factors. For those threat agents with malicious intent, it then considers the nature of the groups to which they may belong, because this may influence the potential severity and sophistication of the threat. From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.

4.1.1 Potential threat agents

The potential threat agents that initiate a cyber security incident are as follows:

Malicious outsiders: a person or persons unconnected with the building owner, the building occupier or supporting contractors; in essence, a person who does not have privileged access to the building or its systems. A malicious outsider could be a hacker, a cyber criminal, an activist, a terrorist or a state-supported attacker; in all cases the intent is to cause harm or disruption. The attack may be targeted at the intelligent building and/or its occupants, or be indiscriminate, for example malware or viruses.

Malicious insiders: a person (or persons) connected with the building owner, the building occupier or supporting contractors; in essence, a person who has some level of authorised or privileged access to the building or its systems and puts that privileged access to a use not intended or allowed.

Non-malicious insiders: a person (or persons) connected with the building owner, the building occupier or supporting contractors who, through error, omission, ignorance or negligence, causes a cyber security incident.

Nature: solar, weather, animal or insect related events that result in a failure or significant impairment of one or more of the utility supplies or building systems, with a knock-on effect on the systems that enable the correct operation of the intelligent building.

When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open-access buildings, from the public) and the potential effects of natural causes.
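Both the availability objective in 3.2 (the cascading or domino effect of a single system's failure on the system of systems) and 4.1 (single points of failure as the greatest resilience threat) call for a way to find such dependencies before an incident does. The following Python is an added example, not part of this briefing: it models a building's system of systems as a dependency graph in which each requirement group is satisfied by any one surviving member (so a group with two members represents redundancy), propagates a failure to a fixed point, and lists the single points of failure for a chosen set of critical systems. The systems and their dependencies are a constructed illustration, not a model of any real building.

```python
"""Cascading-failure and single-point-of-failure analysis for a building's
system of systems (added example; the model below is constructed, not taken
from the briefing)."""
from typing import Dict, List, Set

# Each system maps to a list of requirement groups. The system stays up only
# while every group has at least one member still up, so a group with two
# members ({"mains_power", "generator"}) models a redundant supply and a
# single-member group models a hard dependency.
DEPENDENCIES: Dict[str, List[Set[str]]] = {
    "mains_power":        [],
    "generator":          [],
    "fire_panel_battery": [],
    "ups":                [{"mains_power", "generator"}],
    "core_switch":        [{"ups"}],
    "bms_server":         [{"ups"}, {"core_switch"}],
    "hvac_controllers":   [{"ups"}, {"bms_server"}],
    "acs_server":         [{"ups"}, {"core_switch"}],
    "door_controllers":   [{"acs_server"}],
    "cctv":               [{"ups"}, {"core_switch"}],
    "fire_alarm":         [{"mains_power", "fire_panel_battery"}],
    "lifts":              [{"mains_power"}],
}


def propagate(failed: Set[str]) -> Set[str]:
    """Return every system that is down once the systems in `failed` have failed.

    Iterates to a fixed point: a system joins the down set as soon as one of
    its requirement groups has no surviving member, and that in turn may
    knock out the systems that depended on it (the domino effect).
    """
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for system, groups in DEPENDENCIES.items():
            if system in down:
                continue
            if any(group <= down for group in groups if group):
                down.add(system)
                changed = True
    return down


def cascade(system: str) -> Set[str]:
    """Systems lost as a knock-on effect of `system` alone failing."""
    return propagate({system}) - {system}


def single_points_of_failure(critical: Set[str]) -> Dict[str, Set[str]]:
    """Map each system whose sole failure takes down at least one critical
    system to the critical systems it takes with it."""
    spof: Dict[str, Set[str]] = {}
    for system in DEPENDENCIES:
        lost = cascade(system) & critical
        if lost:
            spof[system] = lost
    return spof


if __name__ == "__main__":
    critical = {"fire_alarm", "door_controllers", "hvac_controllers"}
    ranked = sorted(single_points_of_failure(critical).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    for system, lost in ranked:
        print(f"{system}: sole failure takes down {sorted(lost)}")
    print("mains + generator lost:", sorted(propagate({"mains_power", "generator"})))
```

With this model the UPS, core switch, BMS server and access-control server are single points of failure for the chosen critical set, while mains power is not, because the generator covers it and the fire panel has its own battery. In a real assessment the table would be populated from the building's as-built documentation and re-run whenever systems are integrated or upgraded, since convergence is exactly what adds new single-member groups.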

4.1.2 Potential threat agent groups

Malicious threat agents will belong to one of the following groups, which are listed in order of increasing sophistication and capacity to cause damage and disruption:

Sole activists: a disaffected employee, or an activist in an organised group who decides to take his or her own action. The severity and sophistication of the threat will be determined by the individual's capabilities. Unfortunately, the ready availability of hacking and denial-of-service tools on the Internet (and in some cases distributed with technical magazines) means that the level of technical understanding required to launch an attack has been significantly reduced.

Activist groups: the recent activities of some groups demonstrate that when a team of determined activists works together the threat increases, e.g. when they have persuaded naïve third parties to allow the installation of software on their computers, thus magnifying the effect of distributed denial of service (DDoS) attacks.

Competitors: these groups are likely to work through third parties, with the aim of harming a rival by stealing intellectual property or disrupting operations to cause financial or reputational loss.

Organised crime: these groups are well organised and motivated by financial gain, through fraud, theft of intellectual property, attacks on e-commerce and banking systems, and blackmail or extortion. The sophistication of the malware used by these groups is increasing and there is evidence that they operate on a commercial basis, making their tools available to third parties.

Terrorists: these groups have demonstrated that they are increasingly IT aware, making use of the Internet to distribute propaganda and for communications. Well-funded groups could take advantage of the services offered by organised crime, seek support from a nation state or encourage internal members to adopt these attack methods. Again, these groups could rely on the various toolkits available for download.

Proxy terror threat agents with nation state support: in effect, this is state-sponsored terrorism, where the proxy party is used to provide deniability. This type of group effectively has the capacity and sophisticated technical support available to a nation state, made available by the sponsoring nation.

Nation states: it is alleged that some nation states are actively involved in cyber attacks on a wide range of organisations to acquire state secrets or sensitive commercial information and intellectual property. During periods of heightened international tension and conflict, these activities may include more widespread attacks, as evidenced by malware such as Stuxnet, Duqu and Flame.

4.2 What harm might an incident cause?

Depending on the nature of the incident, where it occurs during the building life cycle and whether it is deliberate (the motivation of the threat agents), the building owner, operator, occupants and users may suffer significant inconvenience or losses. It is important that the losses below are not considered in isolation, as there may be significant interdependencies between them.

Commercial losses: these could be consequential losses due to the building being uninhabitable or inoperable, or they could arise from loss of commercial opportunities, e.g. due to commercial espionage during a tender exercise.


The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

White Paper. What the ideal cloud-based web security service should provide. the tools and services to look for

White Paper. What the ideal cloud-based web security service should provide. the tools and services to look for White Paper What the ideal cloud-based web security service should provide A White Paper by Bloor Research Author : Fran Howarth Publish date : February 2010 The components required of an effective web

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Malware isn t The only Threat on Your Endpoints

Malware isn t The only Threat on Your Endpoints Malware isn t The only Threat on Your Endpoints Key Themes The cyber-threat landscape has Overview Cybersecurity has gained a much higher profile over the changed, and so have the past few years, thanks

More information

GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER

GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER Molex Premise Networks EXECUTIVE SUMMARY This article discusses IT security, which is a well documented and widely discussed issue. However, despite the

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Central and Eastern European Data Theft Survey 2012

Central and Eastern European Data Theft Survey 2012 FORENSIC Central and Eastern European Data Theft Survey 2012 kpmg.com/cee KPMG in Central and Eastern Europe Ever had the feeling that your competitors seem to be in the know about your strategic plans

More information

IIABSC 2015 - Spring Conference

IIABSC 2015 - Spring Conference IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber

More information

How To Audit Health And Care Professions Council Security Arrangements

How To Audit Health And Care Professions Council Security Arrangements Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

DATA SECURITY POLICY. Data Security Policy

DATA SECURITY POLICY. Data Security Policy Data Security Policy Contents 1. Introduction 3 2. Purpose 4 3. Data Protection 4 4. Customer Authentication 4 5. Physical Security 5 6. Access Control 6 7. Network Security 6 8. Software Security 7 9.

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Are you prepared to be next? Invensys Cyber Security

Are you prepared to be next? Invensys Cyber Security Defense In Depth Are you prepared to be next? Invensys Cyber Security Sven Grone Critical Controls Solutions Consultant Presenting on behalf of Glen Bounds Global Modernization Consultant Agenda Cyber

More information

Introduction. Industry Changes

Introduction. Industry Changes Introduction The Electronic Safety and Security Design Reference Manual (ESSDRM) is designed to educate and inform professionals in the safety and security arena. The ESSDRM discusses trends and expertise

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

Cloud Security Speak Glossary

Cloud Security Speak Glossary Glossary Cloud computing is demonstrating its potential to transform the way IT-based services are delivered to organisations. It can and will create substantial business benefits through reduced capital

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information