Cybersecurity and Ransomware – It can get ugly when a hacker takes control of your smart building

Cyber risk affects businesses of every size and industry. A data breach can lead to negative publicity, loss of customer confidence and potential lawsuits. There can be a variety of unanticipated – and costly – business disruptions.

Just ask the owners of the Romantik Seehotel Jaegerwirt hotel, in the Austrian Alps, which recently had their systems frozen by hackers, resulting in the complete shutdown of hotel computers. The hackers breached the hotel’s key card system, making it impossible for guests to enter their rooms and preventing the hotel from reprogramming the cards.

The hackers did not scrape guests’ credit card data, as has happened with other hotel data breaches, but instead demanded a ransom payable in Bitcoin. The Romantik Seehotel Jaegerwirt – which was fully occupied at the beginning of ski season – paid the ransom, at which time control of the key card system was restored.

While highly disruptive, it’s easy to imagine how it could have been worse. Fortunately, the hotel located and fixed the backdoor left by the hackers (which the hackers tried to exploit almost immediately) and secured their systems.

Vulnerability to hackers seeking to take control of a building’s system is a very real threat to organizations of all kinds: hospitals, hotels, law firms, research facilities, banks, retailers – virtually any kind of business that is housed in a “smart” building.

In a smart building, the building management system is often connected to a variety of systems related to building maintenance and operation within a corporate network, giving building management more control over critical areas like heating and cooling systems, lighting systems, door locks, video cameras, alarms, electricity and elevators.

The primary rationale for this kind of internal control is energy efficiency. Smart buildings can provide energy savings from 20-50%.

But hackers can enter these systems through stolen passwords and backdoors errantly left open, allowing them to take control of the building and gain access to the company’s entire network.

It was reported that the breach of Target Stores in December 2013, which resulted in the theft of data from 40 million credit and debit cards, was the result of a hacker who entered its system using a stolen password from a heating and ventilation vendor. Most likely, the password was acquired through a phishing email.

What should companies do to minimize the risks of hacks and breaches?

  • Analyze risk. Every business needs to identify the cyber risks it is willing to take and then determine how to neutralize remaining risks.  For a hotel, this can include decoupling systems – preventing, for example, access to the key card system through the hotel’s website – or preparing for workarounds.  (In the case of the Romantik Seehotel Jaegerwirt, the decision has been made to include physical keys, allowing a manual override of the system.) Placing controls on access by outside vendors can prove a critical component of neutralizing risk.
  • Train Personnel. Virtually every breach is the result of a human act, whether an error or malicious act.  Training personnel to identify risks and avoid them is one of the most effective steps to reduce cyber risk. In the case of building technicians and some other employees, many individuals share access to the same system. Looking at passwords alone, do personnel share passwords? Are the passwords easy to guess? Management should implement minimum requirements for passwords (length, combination of letters, numbers and symbols), and mandate regular changes to passwords. And management must require training, at all levels of the organization, in common hacker techniques to make personnel less vulnerable to phishing and other human error.
  • Plan for the breach. No matter what technical or personnel prevention is taken, every system capable of authorized access is vulnerable to unauthorized access.  When that happens, it is too late to design the response playbook.  No matter the size of the business, management needs to design, implement and test cybersecurity response plans, and update them regularly.

We now live in an age when the theft of customers’ names and financial data are not the only, or even the most significant, risks that companies face. Breaches can lead to disastrous results for a business, as this example shows. Knowing the cyber risks, training employees, and planning for breaches should be a “must do,” and not a discretionary exercise.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.