Cyber Security for Your Building

Lessons from a CIBSE SA seminar.

The CIBSE South Australia technical seminar on 20 March was informative and disquieting. It focused on the pitfalls of cyber attacks and the ease of hacking into IT networks, and, of particular interest, doing so through the Building Management System.

Four speakers presented –

Ben Verschaeren (allegedly termed a professional hacker) spoke of his experiences at Sophos, a security software and hardware company, and likened Sophos to “security made simple”.

He highlighted that a data breach occurs in one out of four systems, with a global average of 28%. In Australia it cost us $4 million last year.

People generally are not aware that there is mandatory data breach notification to government in Australia.

Beware, attackers can hack into your PC then gain access to clients by ‘pivoting’.

Some systems used for extortion or ransom are termed Leakware, Doxware and Sextortion. There is even a professional ‘Showdown’ site, and you can buy phishing as a service for a mere $1,000.

He named the other alternative, whereby the City of Atlanta, USA, had a massive breach but, rather than use the quick fix of paying the ransom – a sum in the millions – chose to fix it themselves. Good on them! But it took months and lots of money.

He ended with a word of caution we can all take away –
· Systems are very easy to access
· Use a password manager
· Get systems audited every 3 years
· Have a Response Plan.

Richard Cooper of Air Con Serve discussed the Building Management System (BMS) connected to the internet, where access can be gained through the connection to get plans and occupation times, and also to get into the customer network.

He cautioned to upgrade routers, instigate antivirus updates, not to multiuse, and to use a password phrase in lieu of a word or number.

Peter Palonek represented Tridium Systems, a supplier of equipment and software for building systems.

He stated that IT phishing attacks are worth $2 billion.

An example given was where one casino’s financial system in the USA was hacked through the temperature gauge in the casino fish tank via the BMS, allowing access into the network, whereby the casino lost millions!

Peter’s advice – segregate your network better, keep data off the network if you can, and apply patches as soon as they’re available.

Amy Bishop from DW Fox Tucker Lawyers finished off with the legal issues and liabilities.

She supported the idea that a BMS can be an easy gateway into your building, network and data.

She emphasised caution regarding the leaking of data, whether intentional or unintentional, which can lead to the sale of identity data. You are accountable to your customers, so watch out for the APP (Australian Privacy Principles) Act and the mandatory obligations regarding reporting of data breaches. (Note: There are exceptions if remedied and proven.)

The Australian Information Commission has been active for only one year, but an Australian company dealing with the EU (GDPR) can be fined millions of dollars if data is leaked and compliance procedures regarding reporting etc. are not followed.

The Australian penalty is a mere $100K to $420K and notification within seventy-two hours is required in each case.

Make sure that you have a privacy policy and a data breach control plan and policy available.

The employer has a legal obligation to ensure confidentiality, have an awareness plan and IT policy for employees and take reasonable steps to keep data secure or confidential.

Also beware of the ex-employee who could restrain trade or breach confidentiality, which requires a tight contract of employment/engagement (also required with IT contractors).

Employees are a potential risk. They should have only limited access, including to the server.

Cyber insurance tends to be very broad. Watch out for exclusions and take action to mitigate.

CIBSE SA would like to thank Air Con Serve, DW Fox Tucker Lawyers, Sophos and Tridium Systems for providing the networking food and drink that followed this seminar.

Presentations have been provided where permission has been given:
Cyber Security - Legal Issues
Amy Bishop, DW Fox Tucker Lawyers

Defending your business against cybersecurity threats
Kevin T. Smith, Tridium