Cyber risk – why building risk assessments are important

A recent survey by the Royal Institution of Chartered Surveyors (RICS) reported that 27% of companies said that their building had suffered a cyber-attack in the last 12 months. The survey highlights the problem that many buildings may be running dangerously outdated building management systems (BMS). For example, a building opened in 2013 could conceivably be using a BMS that runs on Windows 7, an operating system that hasn’t received security updates in more than 5 years. The problem only gets worse when we remember that, for many organisations, Windows 10 will be unsupported after October 2025.

But this is really only the tip of the iceberg in terms of building-related cyber vulnerabilities. Buildings are, of course, not simply about bricks and mortar, they incorporate CCTV networks, Internet of Things (IoT) devices and access control systems. These are all key components in mitigating potential threats to an organisation, but ironically they are also potential entry points that can be used by threat actors who seek to use physical or remote access as a means of unearthing or capitalising on cyber vulnerabilities. They’re also typically accessed via the BMS or the operating system used by building managers.

The usefulness of CCTV in monitoring physical access points around and within a building is undeniable, but while cameras may cover a building’s physical entry and exit points, sensitive internal locations such as the entrances to server rooms, or cupboards containing comms equipment, are frequently neglected. Changes in how different parts of a building are used, and in its internal access routes, can also significantly alter the areas that need CCTV coverage, yet building managers don’t always review and update that coverage. Let’s not forget, either, that CCTV cameras are themselves sometimes vulnerable to cyber-attacks that give attackers access to the cameras and the footage they hold.

IoT devices are often deployed all over office sites, and even when they have been installed by an organisation’s own IT team, traditional corporate security measures such as firewalls offer them little protection: the devices sit outside the perimeter the IT team controls, so the team can manage and monitor them only to a very limited extent. The result is a set of devices embedded within the business that are very hard to protect and that present a wide-open door for various types of attacker to exploit.

When it comes to access control systems—those essential security mechanisms that prevent unauthorised entry into buildings and other physical spaces—cyber security often isn’t the first thing that comes to mind. Yet, the data these systems process is crucial to protect because granting someone access to a restricted area involves the transmission of sensitive data across various components—credentials, readers, controllers, servers, software clients, and more. If any part of this chain is compromised, it can lead to severe security breaches.

So, what to do?

Cyber risk assessments are an activity frequently called for by auditors or compliance managers, and while they often prompt organisations to review their policies and procedures, together with how current their software patching is and so on, the depth of scrutiny applied rarely increases much beyond that. Some pentesting may be commissioned (which is good), but it is much more effective when combined with physical access penetration testing, also known as physical pentesting, and a wider review of the physical and logical environment in which IT infrastructure and data assets reside.

Physical pentesting is a security assessment where authorised individuals simulate real-world attacks to identify vulnerabilities in an organisation’s physical security controls, in order to understand the effectiveness of current access controls. Testing often involves reviewing employees’ social media presence, job advertisements, building/office adverts and physical reconnaissance prior to attempts being made to gain physical access.

Wider risk assessments look at the broader environment, campus, building and other structures to identify potential threats and hazards that have a reasonable likelihood of materialising as disruptive IT incidents. Such incidents often go hand in hand with threat actors capitalising on the resulting confusion and dislocation to insert themselves into networks while defences are down.

Both types of assessment can be carried out by Redcentric’s cyber experts who have vast experience in cyber security, resilience and risk management and can provide bespoke advice and knowledge to increase the resilience of your organisation and enhance its cyber security posture.
