The 2013 Target data breach of 41 million customer payment cards and the contact information of 60 million customers resulted in a record $18.5 million multistate settlement. The entry point? A third-party heating, ventilation, and air conditioning (HVAC) vendor with credentials that permitted access to the customer database and an entry point for malware.
In 2021, an observant water treatment plant operator in Oldsmar, Florida, population 15,000, noticed his computer screen being remotely controlled. An unknown hacker had increased the level of sodium hydroxide, an additive commonly used to minimize lead levels in drinking water, to a dangerous level 100 times higher than normal.
Also in 2021, hackers gained access to 150,000 Verkada security cameras located in jails, hospitals, a Tesla factory, residential homes, and more. The hackers obtained customer lists, private company financial information, and access to the corporate networks of two companies through their cameras.
Most recently, the Colonial Pipeline ransomware attack was the result of hackers gaining access through an exposed password. In the largest publicly known critical infrastructure attack in the US, Colonial was forced to shut down the pipeline to prevent the attack from spreading through its system, resulting in a gas shortage along the East Coast and the declaration of a national state of emergency.
Smart cities and connected buildings – technologically advanced infrastructure that collects data through the Internet of Things (IoT) – promise improved efficiency, sustainability, and quality of life. Yet they can also provide an entry point for cyber criminals and terrorist cyber-attacks on that infrastructure, causing physical, environmental, or financial harm. According to a recent Gartner report, by 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.
“The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man.” – George Bernard Shaw
One man has made it his mission to build a global defense to this invisible threat on critical infrastructure and national security. Following his most recent service as Assistant Secretary of Defense for Energy, Installations and Environment, The Honorable Lucian Niemeyer took the helm of Building Cyber Security, a non-profit on a mission to build a holistic, multi-faceted defense against the invisible threat of cyber-attacks on our critical infrastructure.
What’s your vision for the use of technology in every aspect of society that’s driving your passion for cyber safety?
The Honorable Lucian Niemeyer: It started when I was an Assistant Secretary of Defense. If you look back at the 2018 National Defense Strategy, it makes it clear that our homeland is no longer a sanctuary, that we expect that there are bad actors, and that the threat isn’t necessarily nation states. They can be cyber criminals, cyber hackers, cyber terrorists. They can attack us with a keystroke in a way that can ultimately create physical harm for us, particularly as we connect millions of new devices every day into the Internet of Things. Then Secretary of Defense Jim Mattis directed me to stop admiring this problem and get after the solution.
While leading our response in the Department of Defense, I realized that all of society faced this existential threat that could strike without warning. In an increasingly technologically dependent society, from smart cities to smart cars to smart homes, we need to ask, “How can we coexist safely? How can we engineer cyber safety and security into these devices as opposed to accepting the growing risk?”
I’ll give you an example. A typical car these days has about 1,500 to 2,000 microchips, and yet there’s nothing that tells the driver, “Pull over, somebody’s messing with your data.” There’s no dashboard warning light that there is an anomaly that could cause harm. So, my vision and passion is that we need to design cyber safety and security into all smart technologies. It can’t be bolted on afterwards. It must be engineered in.
Why should people care, and how concerned should we be?
Niemeyer: We’ve been living with the potential of a cyber-attack for decades. Malware, viruses, and identity theft have been a risk to our personal computers for a long time. You don’t want these things to happen to you, because your personal data can be taken, or your credit card can be stolen.
But critical infrastructure attacks offer a much more unsettling risk where bad actors can hack into your home camera system. Or can control your HVAC system, listen in on your baby monitor, or open your garage doors because you have an app on your smartphone. We have this convenience that we want, but we don’t necessarily understand the risk it creates. Now you have somebody who is invading your home or making your car unsafe or creating risk at a school, or near water, or with your electricity. From my perspective, we are moving towards more technology in our society. It makes our lives easier and helps us with our sustainability goals. We’re much more efficient, more effective. We just have to make sure, as we’re engineering more of those smart devices into our world, that we are doing it in a cyber-safe way.
An information attack is a nuisance, and the bank will probably cover you. But a critical infrastructure attack can invade your home, threaten your family, and create fear.
What is your organization Building Cyber Security all about, and with whom are you partnering?
Niemeyer: It’s funny, when you have an Assistant Secretary title, you can call a lot of folks into a room, and they’ll jump in to help you solve a problem. So, I initially started by asking the manufacturers of the control systems that DoD relies on to run and manage our facilities, companies like Johnson Controls and Honeywell, and global industry organizations including the International Society of Automation, to develop standard capabilities and practices needed to mitigate cyber risk in technologies, processes, and the human interface.
We also asked them to start working on a solution to engineer cyber safety. This group expanded to include companies like Jacobs and Parsons that build the physical infrastructure, to make sure that we design buildings, toll roads, stadiums, and water systems in a way that is not creating risk, and ultimately making those systems safe from cyber-attack. We also partner with the Society of American Military Engineers. The working group working on a new performance framework eventually inspired the establishment of the nonprofit, Building Cyber Security, in 2020.
Our performance framework is intended to assemble industry best capabilities and practices for products, processes, and training to reduce risk to human safety.
What innovation sets your effort apart, and what do you think is still needed?
Niemeyer: We’ve created a performance framework that provides an assessment and then certifies continual performance. We took some lessons from the U.S. Green Building Council Leadership in Energy and Environmental Design (USGBC LEED) program for sustainable design, and we created a dynamic framework responding to the constantly changing cyber threat to the life, safety, and health of occupants. We install software updates on our phones every month or so, and we need to do the same with smart building systems.
Effective cyber safety starts in the building requirements stage before design. Our partners include some of the top engineering companies in the world who are using the framework to help build a cyber practice to provide clients comprehensive protections in all building systems and operation.
I do believe that it’s time for the building profession to look beyond the traditional disciplines of mechanical engineering, electrical engineering, and architecture, and have a technologist of record who signs off on the cyber safety and the network design of the building. That would ultimately lead to a more concerted effort to address the convergence of building systems.
I wasn’t a believer in digital twins at first, but I now believe a virtual depiction of a building’s design and energy/data performance characteristics together in a real-time model will be essential for cybersecurity, sustainability, and efficiency. The technologist of record would ultimately be responsible for that digital twin, which could then be turned into a dashboard that provides a warning when the building systems are not performing as intended.
At what end state of Building Cyber Security will you declare success?
Niemeyer: Success is going to be a moving goalpost. Cybersecurity is not static; it isn’t like fire where we know the properties of fire and can mitigate them with a fire code. The cyber threat is constantly evolving, constantly metastasizing, so the goal is to create something flexible and responsive enough to ensure that we can maintain those capabilities no matter where the cyber threat goes. From our perspective, success will never be declared.
I think success for us is to have a mechanism in place that’s quicker than government, because government regulation can take years to be updated. We have a performance framework developed by the private sector and implemented by its end users. One measure of success will be when that flexible, adaptable framework is in place and adopted by all the verticals of industry that require cyber safety: critical infrastructure like transportation and water, as well as robotics and automated processes.
Building Cyber Security has a technical team of member companies with some of the best operational technology (OT) experts in the world who have developed and test-driven our first framework for commercial real estate (CRE). We started there because it’s the easiest set of controls to build the first framework, but also, CRE holds about $37 trillion worth of assets worldwide with relatively little understanding of the cyber risk to intelligent building systems.
Insurance has a significant role to play. One of our founding members is Aon, the largest insurance broker in the world. Commercial real estate has huge asset value, and huge insurance exposure. Our framework’s assessment and certification process developed by industry experts will be a significant tool for insurers to assess and mitigate client cyber risk for the CRE vertical as well as follow on verticals including water systems, healthcare, industrial processes, robotics, and transportation.
What obstacles have you had in achieving your mission?
Niemeyer: Governments tend to respond to crisis. They don’t necessarily lead proactively. What came out of the SolarWinds attack was an executive order. What came out of the Colonial Pipeline attack was another executive order. We would prefer to prevent a major OT attack, not respond to one. We want to be adopted without having to rely on a catastrophic national event like a grid going down or people poisoned by a water system. Our lives can be fundamentally altered in a matter of minutes by a cyber-attack to critical infrastructure. People can be hurt or killed. Getting people to truly understand and be aware of the risk that is growing by the day is a huge obstacle.
You’ve had a broad and varied career in public service, beginning as an architect serving as an active duty Air Force engineer; serving as a staff member of the U.S. Senate Committee on Armed Services; and culminating as Assistant Secretary of Defense for Energy, Installations and Environment. What motivated you to establish Building Cyber Security, and why now?
Niemeyer: I don’t know that I’ve ever been asked that question! I’m an architect by degree and I’m from Philadelphia, so I’ve got this double arrogance going for me. My motto in high school was a quote from George Bernard Shaw: “The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man.”
Throughout my public service career, I’ve been asking hard questions with the goal to challenge the status quo and strive for improvement.
I feel that if folks can rally around an idea bigger than themselves, we can change the world. We have a dedicated group of volunteers who have given thousands of hours because they believe in the same thing. They want a safer, smarter world for their kids and grandkids, and they see the threat, they see the compelling need, and want to urgently drive towards that solution. When we are successful, Building Cyber Security ultimately will make the world a safer place.