Cyber Security considerations in major building assets

Post on 16-Jul-2020


© 2015 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.

The premise

• Systems controlling building management/facilities (plant control, CCTV, access control) have moved from analogue/manual systems to digital TCP/IP based systems.

• These digital systems are frequently beyond the view and/or control of the information security team – often susceptible to risks and consequences that don’t exist in corporate systems.

• Insecure network design might not be detected by usual security protocols.

In short – weaknesses in physical security, and in systems that were previously not TCP/IP based, are creating cyber security risks for building managers, owners and tenants.

Some real world consequences:

• Researchers identified that the Google Sydney office building management system (BMS) could be compromised and used to control the air-conditioning system

• Target (US) Point of Sale breach – speculation that credentials were obtained from an HVAC service provider and were used in some way to obtain access

In addition to the Google and Target examples, KPMG has been working with major property management organisations in Australia to help them better understand the risks.

Overview

• Very large retail shopping mall – suburban

• High rise office tower CBD

• Substantial recent expansion – new building works and fit out

• Sophisticated systems for building management, security, parking management, customer information etc.

KPMG Scope

• Review security (internal and external) protecting information assets

• Assess access integrity of key systems

• Consider operability and resilience

• Assess physical security related to information protection

KPMG demonstrated that...

Finding: The building management system could be compromised.

Caused by:

• Poor systems access controls.

• Lack of encryption systems.

• Ineffective physical protection of communications infrastructure.

• Inadequate network design.

Finding: CCTV security system could be disabled.

Caused by:

• Ineffective physical protection of communications infrastructure.

• Inadequate network design.

KPMG demonstrated that...

Finding: CCTV stored footage could be anonymously viewed, modified or deleted.

Caused by:

• Poor systems access controls.

• Lack of encryption systems.

• Ineffective physical protection of communications infrastructure.

Finding: Security systems and CCTV have excessive risk of failure.

Caused by:

• Numerous single points of failure in network design.

Finding: Parking management systems can be disabled.

Caused by:

• Ineffective control of wireless data networks.

KPMG demonstrated that...

Finding: Perimeter security can easily be compromised.

Caused by:

• Inadequate door design.

• Doors not monitored or maintained.

• Lack of CCTV surveillance on all entries.

• Crawl spaces not secured.

Finding: Internal security (public vs controlled space) is inadequate.

Caused by:

• Service corridors not secured.

• Lack of CCTV coverage.

• Failure to secure communications cabinets, electrical services panels etc.

KPMG demonstrated that...

Finding: Commercial systems can be compromised.

Caused by:

• Inadequate access controls.

• Poor network design.

• Lack of encryption.

Note that the deficiencies applied to all areas - the new development areas were not more secure than the original structures.

Paparazzi...

Gaining network access from an unsecured electrical services cabinet.

High voltage electrical distribution board unlocked.

Paparazzi...

Connecting to the security network via an easily accessible cable termination point outside the centre complex at the edge of a car park.

Perimeter security!!

Considerations for building managers and owners

Existing assets – Consider current risk profile

Acquisitions – Consider possible exposures and remediation costs

New developments – Ability to prescribe standards for IT infrastructure and systems

Considerations for tenants in large properties

What common property systems are you relying on to maintain the physical security of your premises?

Where are these systems and are they secure?

How is your network environment segmented from other tenants? And building management?

What assurances have you received from building management regarding the physical and logical security of these systems?

People can be the weakest link

Increase awareness – Social engineering targets employees to bypass physical and system controls

Cyber Response – Know who to bring together to manage response actions

Don’t forget paper based assets – Handling and destruction of paper just as important as access to systems

Q&A