Death Stars, IT and building security

Editor’s note: this is the second in series of articles where we draw parallels between everyday IT and the Star Wars saga. In the first episode we imagined the advantages baramundi would bring as a character in the Star Wars universe. In Episode 2, we’re analyzing the security strategy of the much-feared planet-destroying Death Star.”

Some modern facilities like factories and office buildings on Earth – and a massive planet-destroying weapon in a galaxy far, far away – share a serious weakness: they are overly dependent on inadequate security and defensive measures. In the case of the Death Star, it was the so-called Thermal Exhaust Port – a tiny secondary outlet for venting reactor core heat -- exploited by the Rebels to destroy the entire station.

We see something similar in many real-world buildings. A single overlooked access point or incomplete security measure can quickly lead to the compromise of critical systems or the structure itself. That makes it increasingly important to think comprehensively about how to identify and eliminate vulnerabilities in building operational technologies (OT). These include internet-connected IoT devices, HVAC and lighting controls, industrial process controllers in manufacturing, and other systems.

Back to the Death Star: Its reluctant architect, Galen Erso, intentionally added the Thermal Exhaust Port as a hidden vulnerability that attackers might exploit. We see this scenario play out in various ways – usually as mistakes vs. sabotage – time and again in building security. Security protocols are neglected, and backup systems, firewalls or network and physical access controls are either inadequate or missing.

The easier it is to bypass half-hearted security measures, the easier it is for intruders to gain access to the entire system. For example, many companies lack safeguards that reliably deny access to unauthorized individuals. Electronic employee badges and other measures should prevent anyone from getting into the building. But have you ever asked an unaccompanied visitor how they got in? Unlocked server rooms or unsecured points of network access increase the danger. That means that layers of technical and physical security are crucial.

Once a potential vulnerability has been identified, don’t dismiss it. The Death Star’s two-meter-wide Thermal Exhaust Port – not much bigger than a womp rat -- was considered such an unlikely risk that it was not adequately protected.

Likewise, security vulnerabilities in many real-world buildings are not adequately addressed. Have you ever waited at a reception desk when the person behind the desk had to step away briefly? Did they leave screens unlocked or documents out? While more prominent risks may be addressed, seemingly minor factors are often overlooked! After identification, prioritization, remediation and documentation of vulnerabilities must follow. This is the only way to prevent attackers from easily exploiting security gaps.

In the case of the Death Star, the threat was noticed too late and past the point when effective countermeasures could be deployed. Similarly, building management processes often lack rapid response capabilities.

One example? The building’s air-conditioning control system fails. Does the process involve calling in an outside service contractor, and does that consider possible risks? Service manuals and instructions for some Internet-connected building systems can be easily found online. However unlikely, preventative and defensive measures should account for possible vulnerabilities.