
Addressing Cybersecurity Concerns in Building Automation Systems

No system in the world is completely cybersecure, but there are best practices that can make your building network safer. Learn what you can do today.

Forget the common wisdom about cybersecurity

Security is not about making the network 100 percent impenetrable. In fact, it is unlikely that any system in the world is completely secure. Hacking is an attack of opportunity, and if criminals see a way into a building, they will take advantage. But if sufficient obstacles are in place to deter them, they will likely look elsewhere for an easier mark.

A variety of encryption, firewall and antivirus protections can be used as deterrents, but it only takes a single slip to let a hacker past these safeguards. That does not mean firewall and encryption best practices should be disregarded. Instead, it encourages a holistic approach that looks at staff, policies and procedures. All these factors work in concert to keep networks secure.

Growth of building automation

As a growing number of connected devices are installed, concerns about cyberattacks are increasing. Even with these risks, the benefits of smart building technology are simply too immense to ignore.

Regular brick-and-mortar buildings consume roughly one-third of all energy in the United States and Canada. This includes lighting, heating, ventilation, air conditioning and the rest of the building’s operations. While it is easy to forget about all these operational devices whirring away in the background, they consume a massive amount of energy. Over the lifetime of a building, construction accounts for only about 20 percent of total costs, while the rest is consumed by energy and maintenance. Technology like LED lighting and smart thermostats can easily reduce this energy consumption by 50 percent.

In addition to the financial and energy savings, smart building technology appeals to tenants. People notice when a building is clearly a product of the 20th century, with archaic technology and clunky, slow processes. They also notice when buildings are adaptive and reactive, fast-paced and flexible. The lights, windows and cooling systems all contribute to sleek modern spaces that provide seamless experiences.

More and more, people are recognizing the benefits of smart buildings. By the end of 2017, there will be more than eight billion connected devices installed worldwide. Plenty of hackers will hunt through this wealth of targets for their next cash grab. Building managers must make smart buildings smarter while remaining aware of the latest threats.

IT vs. OT: Management and security

All this technology might look, feel and smell like information technology (IT): it is smart, connected, shiny and new. But operational technology (OT) is very different, and it is not so easily managed with conventional IT methods. In IT, for example, firewalls are put in place to protect internet access. In the OT world, too often multiple service providers will put in their own DSL connections for things like HVAC systems or solar panels. These often do not go through the IT firewall. But imagine that connectivity could be enforced through proper firewalls to the internet. Is protecting internet access enough? What about the thermostat in the bathroom, the security cameras in the parking garage, or the sprinkler on the front lawn? If someone gained physical access to these devices, there may be connections that they could leverage.

End-point protection is another strategy, and it can work well in IT. With computers, for example, operating systems (OS) can typically be kept up to date, patched and controlled. The world of OT is another story: devices can run on an old OS and are not kept up to date. Authentication and encryption on these devices are often not offered.

The concept of convergence is widely discussed and debated. It is a beautiful idea in theory, but can be a nightmare in real life. Many different vendors with different requirements do not work the same way. Consequently, managing them on the same network can be tricky, if not seriously ill-advised. That does not mean that systems should not be converged at all, but merely that a new approach is required. Assets on the IT side can be very sensitive; should the building system be put on the IT network just to save money on a few switches?

Securing a building is not the same as securing computers and servers. The people are different, the flow of information is different and the devices are fundamentally different. Attempting to manage them in the same ways does not make sense and can make both networks less secure.

Basics of cybersecurity

There are many different kinds of attacks: malware, ransomware, pharming, spoofing and spyware are just a few examples. Malware can infiltrate IT systems with viruses and worms; ransomware takes over and limits access to computer files, demanding a ransom for the safe return of files or documents; pharming redirects users from a legitimate website to a fraudulent one; spoofing uses what appears to be a legitimate email address to send spam, and may direct the user to a fraudulent website; and spyware infects the computer and gathers information, including usernames, passwords and other sensitive information, without the user’s knowledge.

The strategies are different, but the core approach is to evaluate the vulnerability of a system and attack the surface. A hacker’s lifecycle is research, infiltration, discovery, capture, exfiltration and bringing assets to market. If there are vulnerabilities in a system, they will likely find them—even if it requires sheer trial and error.

Vulnerability management

Vulnerability management is the practice of identifying, classifying, remediating and mitigating weaknesses. This should be a cyclical process, not a one-time evaluation that is quickly forgotten. There are three key places to review in order to understand a building network’s vulnerabilities: technology, people and policies.

Technologies like firewalls, authentication, encryption and visualization software are standard best practices for a reason. Sufficient protection makes it harder for a hacker to ram through firewalls.

Do not forget about the possibility for human error in the organization. Properly and regularly training staff on security is critical. Everyone must understand that the threats of cyberattacks are very real and serious. Ideally, this message should come from the top down: get the executives and board of directors involved in championing the organization’s cybersecurity efforts.

In addition to training staff, the organization should have policies and procedures in place to respond to cyberattacks swiftly and appropriately. The system will likely never be 100 percent impenetrable, so establish policies to deal with the worst-case scenario.

[Figure 1: The CIA Triad]

Responding to hacks: The CIA Triad

There is no one-size-fits-all response to cyberattacks, as each hack is different. However, there are some core principles to refer to. The CIA Triad (which is in no way connected to the Central Intelligence Agency) is at the heart of information security, and it functions as a sort of checklist. The triad highlights the importance of confidentiality, availability and integrity (Figure 1).

Confidentiality means that only those who are authorized can get access to information. Ensuring confidentiality could entail encryption to keep communications secure from end-to-end.

Availability means that data is accessible whenever it is needed. This is especially powerful in a ransomware situation, where important documents are taken hostage. Backing up important files helps safeguard against this sort of data loss.

Integrity means that information is not altered between sending and receiving. For example, encryption of files to protect against cyberattacks should not change the integrity of the data.

Cybersecurity is tough because it is, by nature, uneasy. It forces compromises such as privacy versus convenience and security versus cost. Maintaining a balance between these three core tenets will keep networks more secure and will provide a basis for cyberattack responses.

[Figure 2: MAC address filtering]

Securing the network

There are a few different methods of protecting a smart building network, all of which should be a part of the system:

  • Physical security, with locks and protected wiring.
  • End-point protection through authentication and encryption.
  • Network security with WAN and LAN.

One of the most underutilized methods is to use the network itself to provide a solid layer of protection with a LAN. The network is scalable and covers almost everything, so it can be a useful shield.

These different methods have many layers. Each one is important and has its own advantages and disadvantages. All of them should be a part of the system, though they might be implemented into the network differently.

Three key principles to secure building networks

When securing the building network, there are three key principles to keep in mind: isolation, observability and controllability.

To isolate sensitive data and keep it secure, create trusted islands, whether physical or logical. Air gaps, where two networks are completely separated—for example, keeping a secure network totally separate from an unsecured one—can help protect confidential assets. Another approach is to create completely physically dedicated networks. There may be cost trade-offs to these security strategies, but isolating is one way to ensure a vulnerable network won’t open the door to sensitive assets.

Observability means knowing about anomalies on the network. Be aware of what is happening in the network, and when it has been compromised. One example of observability is in Gmail: set up notifications for unrecognized logins from unknown IP addresses. There are many ways to get reports on link status and user logins in your building network. Put these systems in place to identify malicious activity on the network.

Controllability entails managing access to the network. Set proper passwords, refresh them, and use authentication. Be sure to renew or delete accounts, as necessary, so it is clear exactly who has access to network systems. No one should be able to get into the network without the manager’s knowledge.

Take basic action today

Cybersecurity does not need to be overwhelming or difficult. For the most part, cybersecurity is about thinking logically and strategically. A few alterations can be made to the network immediately. Above all, implement policies and procedures that are based on the CIA Triad of confidentiality, availability and integrity. The Internet of Things (IoT) is very predictable and well-behaved, so use this to your advantage. Develop policies and procedures that will keep sensitive assets secure in the case of a cyberattack or threat.

Look at realistic ways to isolate networks. Consider isolating building systems from IT, for example. Use a dedicated building network, with separate virtual local area network (VLAN) for each service provider and vendor. Isolation is a straightforward way to limit connections between vulnerable networks and confidential data.

Observe what is happening on the networks. It is important to understand how the network normally behaves and to recognize anomalies. Ask for regular reports on the number of connected devices and number of disconnected ports, for example. Review network management log files for user logins.

Keep track of and manage who has access to your building network. Control the flow of information. Disable unused ports so no one can plug their laptop into an available port and communicate on your network. In addition, set MAC address filtering so that ports will not work with unrecognized devices and MAC addresses (Figure 2).
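The three actions above (a VLAN per service provider, regular reports on connected devices and disconnected ports, and disabled unused ports with MAC address filtering) can be checked together against one snapshot of switch port state. The following is an added example, not part of the original article: the port table, MAC addresses, vendor names and VLAN numbers are constructed, and `audit_ports` and `normalize_mac` are hypothetical helper names.

```python
from collections import Counter

# Constructed allowlist: MAC -> (service provider, VLAN dedicated to that provider).
ALLOWLIST = {
    "00:1a:2b:00:00:01": ("hvac-vendor", 110),
    "00:1a:2b:00:00:02": ("hvac-vendor", 110),
    "00:1c:3d:00:00:09": ("lighting-vendor", 120),
}

# Constructed switch snapshot: (port, admin_enabled, link_up, vlan, learned MAC or None).
PORTS = [
    ("Gi1/0/1", True, True, 110, "00:1A:2B:00:00:01"),
    ("Gi1/0/2", True, True, 120, "00-1a-2b-00-00-02"),  # HVAC device on the lighting VLAN
    ("Gi1/0/3", True, True, 120, "00:1c:3d:00:00:09"),
    ("Gi1/0/4", True, True, 110, "de:ad:be:ef:00:42"),  # device not on the allowlist
    ("Gi1/0/5", True, False, 110, None),                # unused port left enabled
    ("Gi1/0/6", False, False, 120, None),               # unused port, disabled
]


def normalize_mac(mac):
    """Lower-case and use ':' separators so lookups ignore vendor formatting."""
    return mac.lower().replace("-", ":")


def audit_ports(ports, allowlist):
    """Return (findings, summary) for one snapshot of switch port state."""
    findings = []
    for port, enabled, link_up, vlan, mac in ports:
        if enabled and not link_up:
            findings.append((port, "unused-port-enabled"))  # controllability
        if mac is None:
            continue
        entry = allowlist.get(normalize_mac(mac))
        if entry is None:
            findings.append((port, "unknown-mac"))          # MAC filtering gap
        elif entry[1] != vlan:
            findings.append((port, "wrong-vlan"))           # isolation broken
    summary = {
        "connected_devices": sum(1 for p in ports if p[2]),
        "disconnected_ports": sum(1 for p in ports if not p[2]),
        "by_kind": dict(Counter(kind for _, kind in findings)),
    }
    return findings, summary


if __name__ == "__main__":
    for port, kind in audit_ports(PORTS, ALLOWLIST)[0]:
        print(port, kind)
```

Running the same audit on each regular report and comparing the summary counts with the previous run shows when the number of connected devices or disconnected ports departs from the network's normal behavior.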


Network hacking is a serious, growing threat that needs to be addressed by proper cybersecurity. Smart devices bring immense benefits to our daily lives, but we have to understand how to properly secure them. No one wants to see their building in the news for some catastrophic hack and leak of information. Implementing some of these best practices is the first step in safeguarding against cyberattacks.

Protect the network, protect the system. Start today.

Article originally published in the July/August 2017 Issue of BICSI ICT Today, and republished here with their permission. View the published article from Vol. 38, No. 4 in this PDF
