This photo shows Ethan Hunt, the fictional character from the Mission: Impossible series, being lowered from the ceiling to hack a computer.

From a cybersecurity perspective, when you bring up the need to protect your organization’s endpoints, most people will think of computer assets: laptops, desktops, servers, and maybe smartphones and tablets. Today, these endpoints include devices within your buildings and campuses like security cameras, door locks, HVAC, elevators, solar arrays, and a host of other IoT/industrial IoT (IIoT) or building management system (BMS) devices.

The threats targeting the traditional endpoints of desktops, servers, and mobile devices are after your business data, either to steal it for resale to other malicious actors — or even data brokers who will resell it again — or to prevent you from accessing it and holding that access for ransom. The goal is money. When it comes to IoT/IIoT/BMS devices, the goals of the attackers are different, mainly because these devices rarely have enough business data on them to make an attack worthwhile. But if we go past that first level of reasoning, we uncover a few motives why attacking these devices is still valuable for skilled hackers or nation-state advanced persistent threats (APTs).

The most obvious effect from attacking weaknesses within BMSes like HVAC or elevators is the ability to take them offline. A data center that is not properly cooled and ventilated may have to shut down immediately or risk damaging the boards inside the computers. Shutting down the movement of employees can cripple your teams and customers and create a host of operational issues. Modern battery or generator backup units are also IoT/IIoT devices and can be exposed to cyberthreats. Disrupting the power to your building or campus while your power backup is compromised means your ability to operate is in the hands of the threat actor. Multiple stories and research have shown that the power grid is susceptible to cyberattacks, but this also includes other power delivery systems like solar arrays. But that’s just one level beyond data theft. Let’s keep going deeper.

When it comes to security systems like cameras, door locks, or motion sensors, these internet-connected devices within most buildings today allow for centralized control and incorporate cloud orchestration solutions and AI engines to provide analytics to the business on the overall state of your physical security infrastructure. A simple attack would be to take the devices offline, but a more sophisticated attack against cameras is to mirror the feed, sending it to the malicious actor so they can monitor the movements within the building, possibly targeting individuals or look for those weakness in monitoring so they can recreate “Mission: Impossible” and dangle from the ceiling on a wire. They could manipulate physical access control systems to expand the access to sensitive areas for a fraudulent access card. They could increase the sensitivity of motion sensors so they regularly trip alarms, creating “alert fatigue”; security operations analysts can get so desensitized to the endless flood of low-priority or false-positive alerts from particular desktops that they start ignoring that endpoint, which can mean a truly malicious action is missed — giving a physical attacker access to unauthorized areas. And still, the rabbit hole goes deeper.

Another threat to the business from IoT/IIoT/BMS devices is not what can happen on the device itself, but the access that device has to other parts of your IT or operational technology (OT) infrastructure. Controlling the device allows an attacker to leverage device vulnerabilities to access the device’s OS or firmware. But often, because security of these devices can be compromised, an attacker can use the device as a network probe and look for other IT endpoints that this IoT/IIoT/BMS device may have access to. If enough resources are available like memory and CPU, the attacker can start scanning those other endpoints for vulnerabilities. This lateral movement is how attackers move from an uninteresting target like a fish tank thermometer into a database server to extract the information of high rollers at a casino.

This all sounds terrible, and we should shut off all computer systems and head for the forests, right? Sounds peaceful until you realize how nice it is to have AC, lights, and power. Instead, we should apply the same principles that we apply to IT and ensure we’re following the least privileged access ideal that is core to the Zero Trust model. And as we utilize endpoint security solutions for our common IT endpoints in our infrastructure, we should utilize IoT security solutions for those IoT/IIoT/BMS endpoints in our infrastructure and across our buildings.

Forrester clients who want to discuss how best to secure these IoT/IIoT/BMS devices within their facilities and across their campuses should schedule an inquiry or guidance session with me where we can dive deeper into this topic.