Fred Gordy

Why are commercial facilities an appealing target for cyberattacks? While most businesses protect employee and financial data, they overlook a simple fact—every building system connected to the internet is at risk of being hacked. It’s a massive opportunity for a bad actor to not only disrupt operations but endanger lives.

Cybersecurity is extremely important in today’s interconnected world. The increase in “Smart” Building design has greatly intensified the cybersecurity threat at commercial real estate properties. Building Cyber Security (BCS) has developed a framework for CRE professionals to utilize at their properties.

The best way to combat a potential cybersecurity threat is preparation and education. In this video, Director of Cybersecurity Fred Gordy with Intelligent Buildings, LLC walks through different types of cybersecurity threats and which ones CRE professionals should be aware of. He also goes into detail about the severity of each threat and offers helpful tips for how to avoid a potential attack.

“They can control lights, they can control air flow, they can control the elevators—anything that you can think that a building does can be exposed,” says Fred Gordy, director of cybersecurity at Intelligent Buildings, a smart-building consulting and advisory firm. “We had a particular case where it was a hospital group” whose systems were attacked for a ransom, he says, “and they were unable to do anything with the systems, so they had to cancel surgeries [and] send people away.”

Recent high-profile ransomware and cyberattacks expose vulnerabilities in commercial buildings that are far too widespread. In fact, the same headline-making exposures of late can be faced by any company that uses operational technology (OT) and information technology (IT).

When the first concerns about cybersecurity for control systems were raised, some in the field would ask, “So what if someone turns off the lights?” Today, there is widespread understanding that hackers can cause life safety issues, financial loss, and brand damage to companies.

Here is a list of vulnerabilities and bad practices that can make control systems easy pickings for cyber attacks.

Understand how your building automation system might be vulnerable to hackers, and how to work with IT to mitigate the risk.

Fred Gordy, director of cybersecurity for the consulting firm Intelligent Buildings, estimates only about 15 to 20 percent of BAS are “fairly substantial and resistant” to intrusion. “Some of the guys I respect through the industry — we’re all basically waiting for ‘Cyber 9-11,’ ” he says. “We know it’s coming.”

Starting from scratch can be quite liberating.

Usually, injecting new technology into Federal agencies means finding a way to retrofit existing systems and structures. Compromise is the order of the day. But every now and then comes an opportunity to start entirely from scratch, to build an entirely new structure and fill it with the latest technology, from its operational systems to its information architecture.

Part one a series of cyber security terms and definitions for the controls industry.

Part of the problem is that these control systems just weren’t designed with cybersecurity in mind, said Fred Gordy, chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee. It’s common to see systems with a common user name and password and no expiration of passwords, he told CIO Journal. “The main thing I’m finding is that [these systems] are an on-ramp into the corporate network because they’re so vulnerable,” said Mr. Gordy, an operational technology manager at… Show more

Part of the problem is that these control systems just weren’t designed with cybersecurity in mind, said Fred Gordy, chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee. It’s common to see systems with a common user name and password and no expiration of passwords, he told CIO Journal. “The main thing I’m finding is that [these systems] are an on-ramp into the corporate network because they’re so vulnerable,” said Mr. Gordy, an operational technology manager at McKenny’s Inc., a facility construction, operation and maintenance firm in Atlanta. Show less

During the Realcomm Real Estate CIO Forum in Atlanta, Gordy’s presentation, “Building Systems Tech Briefing: Cybersecurity to Prescriptive Analytics,” covered the topics of how hackers use social engineering to breach networks and how IT professionals can recognize the meta-characteristics of a breach. For a related Webinar, “Building Cybersecurity: Understanding and Getting Ahead of the Threat,” Gordy participated on a panel of industry experts.

"There are two basic camps of hackers," says Fred Gordy, operational manager at McKenney's, which offers mechanical contracting and other services. "There's the thrill seekers who just want to see what they can do — and that happens every day and a lot — and then there are those who seek to accomplish a goal." For the latter camp, says Gordy, who is also chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee, 80 percent of the time or more the aim is to infiltrate the… Show more

"There are two basic camps of hackers," says Fred Gordy, operational manager at McKenney's, which offers mechanical contracting and other services. "There's the thrill seekers who just want to see what they can do — and that happens every day and a lot — and then there are those who seek to accomplish a goal." For the latter camp, says Gordy, who is also chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee, 80 percent of the time or more the aim is to infiltrate the corporate network via a BAS, and to get past those controls to accomplish a larger goal or seek a more specific target. Show less

“Fred Gordy is an example of the type of technology experts that are employed by InsideIQ member firms and whose knowledge and expertise is available to all members,” said Paul Strohm, president of the InsideIQ Building Automation Alliance. “Our members are industry-leading firms at the forefront of innovation in the building automation industry who share best practices so our customers have access to the latest technology and BAS applications available.”

Fred Gordy, operational technology manager, McKenney's Inc., and chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee spoke recently on the Cybersecurity threats faced by facilities at two events sponsored by Realcomm, a promoter of technology, automated business solutions and intelligent buildings strategies for real estate executives. Gordy is an advocate for protecting buildings from cyber-attacks and leads efforts to educate members of InsideIQ, an international… Show more

Fred Gordy, operational technology manager, McKenney's Inc., and chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee spoke recently on the Cybersecurity threats faced by facilities at two events sponsored by Realcomm, a promoter of technology, automated business solutions and intelligent buildings strategies for real estate executives. Gordy is an advocate for protecting buildings from cyber-attacks and leads efforts to educate members of InsideIQ, an international alliance of independent building automation contractors, on this issue. Show less

The InsideIQ Building Automation Alliance, an international alliance of independent building automation contractors, is addressing the issue of cybersecurity to enable member firms to better protect themselves and their customers from cyber attacks. A newly formed Cybersecurity Committee will provide education and support to promote best practices in cybersecurity, especially to safeguard building automation systems (BAS).

Cybersecurity, network hacking and data theft are topics that seem to be in the headlines on a monthly or weekly basis. Retailers are worried, financial institutions are concerned, and individuals wonder if their identities and credit cards are secure. As a building operator, should you be worried that your building-automation systems (BAS) network could be hacked? Recent research and some emerging anecdotal evidence suggest the answer is yes.

The interview with Fred Gordy of Atlanta-based BAS integration firm McKenney’s in the CNBC news brief on ‘Hacking America’ was eye-popping. McKenney’s has been running a honeypot experiment to draw out would-be industrial control systems attackers. Gordy reports that in about six months there has been some 30,000 unauthorized attempts to breach the system, most originating in China, Russia, the Netherlands and Iran.

Atlanta, Georgia — November 5, 2013 — Fred Gordy, technology evangelist of McKenney's, Inc.
Enterprise Intelligence Group, has been featured in an article in CNBC's Hacking America series that
dives into the latest developments in the ongoing global fight against cyber hackers.

Protecting Facility Networks From Cyber Attack
Oct. 2, 2013By MARK BALENT and FRED GORDY, InsideIQ Building Automation Alliance | HPAC Engineering

McKenney's spotlighted for the use of Splunk to analyze building data.

"We implemented the honeypot in March, under the direction of Rios and McCorkle. We built a system that looks to be like any small data center and we put a piece of monitoring software on there that we wrote. Since we implemented it, we've been hit over 30,000 times" by unauthorized attempts to breach the system, said Fred Gordy, technology evangelist-enterprise intelligence at McKenney's.