Security is not about making the network 100 percent impenetrable. It is unlikely that any system in the world is completely secure. A large majority of breaches are an attack of opportunity, and if bad actors see a way in, they will take it.
But if sufficient obstacles are in place to deter them, they will likely look elsewhere for an easier mark.
A variety of encryption, firewalls, and other intelligent protections can be used as deterrents, but it only takes a single slip to let a hacker pass these safeguards. That does not mean firewall and encryption best practices should be disregarded. Instead, it encourages a holistic approach that looks at staff, policies, and procedures. All these factors work in concert to keep networks secure.
Growth of Building Automation
As a growing number of connected devices are installed, concerns about cyberattacks are increasing. Even with these risks, the benefits of smart building technology are simply too immense to ignore.
Regular brick-and-mortar buildings consume roughly one-third of all energy in the United States and Canada. This includes lighting, heating, ventilation, air conditioning, and the rest of the building’s operations. While it is easy to forget about all these operational devices whirring away in the background, they consume a massive amount of energy.
In addition to the financial and energy savings, smart building technology appeals to tenants. People notice when a building is outdated, with archaic technology and clunky, slow processes. They also notice when buildings are adaptive and reactive, fast-paced and flexible. The lights, windows, and cooling systems all contribute to sleek modern spaces that provide seamless experiences.
By the end of 2030, there will be more than 30 billion connected devices installed worldwide. Malicious actors will hunt through this wealth of targets for their next cash grab. Building managers must make smart buildings smarter while remaining aware of the latest threats.
IT vs. OT: Management and Security
All this smart building technology is connected, shiny, and new, and it is tempting to manage it the way IT is managed. Operational technology (OT), however, has a very different history. In IT, firewalls are put in place to control internet access. Typical practice in the OT world, for years, was for each service provider to bring in its own connection for systems like HVAC or solar panels, on its own isolated network. Those connections often never pass through the IT firewall.
Now imagine that those connections are not forced through a proper firewall. Every one of those devices potentially becomes an attack vector into your network: the thermostat in the bathroom, the security cameras in the parking garage, the sprinkler on the front lawn. If someone gains physical access to such a device, there may be a connection behind it that they can leverage.
Endpoint protection is another strategy that works well in IT. Computers, for example, run operating systems (OS) that can typically be kept up to date, patched, and centrally controlled. The world of OT is another story: devices often run on an old OS and are never updated, and authentication and encryption are frequently not offered on them at all.
The concept of IT/OT convergence is widely discussed and debated, and to some extent has come to pass. It is a beautiful idea in theory but can be a nightmare in practice. Many different vendors with different requirements do not work the same way, so managing them all on the same network can be tricky, if not seriously ill-advised. That does not mean systems should never be converged, merely that a new approach is required.
Assets on the IT side can be very sensitive; should the building system be put on the IT network just to save money on a few switches?
Securing a building is not the same as securing computers and servers. The people are different, the flow of information is different, and the devices are fundamentally different. Attempting to manage them in the same ways does not make sense and can make both networks less secure.
Basics of Cybersecurity
There are many different kinds of attacks:
- Malware can infiltrate IT systems with viruses and worms.
- Ransomware takes over and limits access to computer files, demanding a ransom for the safe return of files or documents.
- Pharming redirects users from a legitimate website to a fraudulent one.
- Spoofing uses what appears to be a legitimate email address to send spam, and may direct the user to a fraudulent website.
- Spyware infects the computer and gathers information, including usernames, passwords, and other sensitive information, without the user’s knowledge.
The techniques differ, but the core approach is the same: evaluate a system's attack surface and probe it for weaknesses. An attacker's lifecycle runs through research, infiltration, discovery, capture, exfiltration, and bringing the stolen assets to market. If there are vulnerabilities in a system, they will likely find them, even if it takes sheer trial and error.
Vulnerability Management
Vulnerability management is the practice of identifying, classifying, remediating, and mitigating weaknesses. This should be a cyclical process, not a one-time evaluation that is quickly forgotten. There are three key areas to review to understand a building network's vulnerabilities: technology, people, and policies.
Technologies like firewalls, authentication, encryption, and visualization software are standard best practices for a reason. Properly configured, they make it considerably harder for an attacker to get through.
Do not forget about the possibility of human error in the organization. Properly and regularly training staff on security is critical. Everyone must understand that the threats of cyberattacks are very real and serious. Ideally, this message should come from the top down: get the executives and board of directors involved in championing the organization’s cybersecurity efforts.
In addition to training staff, the organization should have policies and procedures in place to respond to cyberattacks swiftly and appropriately. The system will likely never be 100 percent impenetrable, so establish policies to deal with the worst-case scenario.
Responding to Hacks: The CIA Triad
There is no one-size-fits-all response to cyberattacks, as each hack is different. However, there are some core principles to refer to. The CIA Triad (which is in no way connected to the Central Intelligence Agency) is at the heart of information security, and it functions as a sort of checklist. The triad highlights the importance of confidentiality, availability, and integrity (Figure 1).
- Confidentiality means that only those who are authorized can get access to information. Ensuring confidentiality could entail encryption to keep communications secure from end to end.
- Availability means that data is accessible whenever it is needed. This is especially relevant in a ransomware situation, where important documents are taken hostage. Regular backups, kept where the same attacker cannot reach and encrypt them and tested by actually restoring from them, safeguard against this sort of data loss.
- Integrity means that information is not altered between sending and receiving, or while at rest, without the change being detected. Encrypting files to protect them, for example, must not change the data itself, and a checksum or keyed hash is the usual way to confirm that it has not.
Cybersecurity is tough because it is, by nature, a matter of trade-offs. It forces compromises such as privacy versus convenience and security versus cost. Maintaining a balance between these three core tenets will keep networks more secure and will provide a basis for cyberattack responses.
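The integrity and availability points above, as an added example that is not from the original article: a keyed manifest over a set of backed-up building-system files. Per-file SHA-256 digests catch an altered or missing file, and an HMAC over the digest table catches an attacker who edits a file and then re-hashes it in the manifest. The file names, contents and key are constructed for illustration; the key is assumed to be stored somewhere the backup host itself cannot reach.

```python
"""Keyed integrity manifest for a set of backed-up building-system files.

Added example (not from the original article). All file names, contents
and the key are constructed for illustration. The key is assumed to be
kept somewhere the backup host itself cannot reach; otherwise an attacker
who can rewrite the files can also rewrite the manifest.
"""
import hashlib
import hmac
import json

# Constructed sample: the files a building-system backup might contain.
SAMPLE_FILES = {
    "hvac_config.json": b'{"setpoint_c": 21, "schedule": "weekday"}',
    "lighting_schedule.csv": b"zone,on,off\nlobby,06:00,22:00\n",
    "access_control.db": b"\x00\x01\x02demo-bytes",
}
# Constructed key; in practice load it from a store separate from the backups.
KEY = b"constructed-demo-key-keep-off-the-backup-host"


def build_manifest(files, key):
    """Hash every file, then HMAC the whole digest table with the key.

    The per-file digests detect changes to file contents; the HMAC over the
    table detects changes to the manifest itself (an attacker who edits a
    file and re-hashes it cannot produce a valid tag without the key).
    """
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify(files, manifest, key):
    """Return (ok, problems). The tag is checked before any file is trusted."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest tag mismatch: manifest altered or wrong key"]
    problems = []
    for name, digest in manifest["digests"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            problems.append(f"altered: {name}")
    for name in files:
        if name not in manifest["digests"]:
            problems.append(f"unexpected file: {name}")
    return not problems, problems


MANIFEST = build_manifest(SAMPLE_FILES, KEY)


def run_scenarios():
    """Exercise the check against intact, tampered, forged and incomplete inputs."""
    results = {"intact": verify(SAMPLE_FILES, MANIFEST, KEY)}

    # A file changed after the manifest was made (what ransomware or silent
    # corruption would do to it).
    tampered = dict(SAMPLE_FILES)
    tampered["hvac_config.json"] = b'{"setpoint_c": 35, "schedule": "weekday"}'
    results["tampered_file"] = verify(tampered, MANIFEST, KEY)

    # Attacker re-hashes the changed file and edits the manifest, but has no key.
    forged = {"digests": dict(MANIFEST["digests"]), "tag": MANIFEST["tag"]}
    forged["digests"]["hvac_config.json"] = hashlib.sha256(tampered["hvac_config.json"]).hexdigest()
    results["forged_manifest"] = verify(tampered, forged, KEY)

    # A file deleted from the backup set.
    missing = {k: v for k, v in SAMPLE_FILES.items() if k != "access_control.db"}
    results["missing_file"] = verify(missing, MANIFEST, KEY)
    return results


if __name__ == "__main__":
    for scenario, (ok, problems) in run_scenarios().items():
        print(f"{scenario:16s} ok={ok} {problems}")
```

Run the manifest build at backup time and the verify step before every restore; a tag mismatch means the manifest itself is untrustworthy and no file from that set should be restored without investigation.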
Securing the Network
There are a few different methods of protecting a smart building network, all of which should be a part of the system:
- Physical security, with locks and protected wiring.
- End-point protection through authentication and encryption.
- Network security at the WAN and LAN level.
One of the most underutilized methods is to use the network itself to provide a solid layer of protection with a LAN. The network is scalable and covers almost everything, so it can be a useful shield.
These different methods have many layers. Each one is important and has its advantages and disadvantages. All of them should be a part of the system, though they might be implemented into the network differently.
Three Key Principles to Secure Building Networks
When considering cybersecurity in your building network, there are three key principles to keep in mind: isolation, observability, and controllability.
To isolate sensitive data and keep it secure, create trusted islands, whether physical or logical. Air gaps, where two networks are completely separated, for example keeping a secure network apart from an unsecured one, can help protect confidential assets. Another approach is to build physically dedicated networks. There are cost trade-offs to these strategies, but isolation is one way to ensure that a vulnerable network cannot open the door to sensitive assets.
Observability means knowing about anomalies in the network. Be aware of what is happening in the network, and when it has been compromised. There are many ways to get reports on link status and user logins in your building network. Put these systems in place to identify malicious activity.
Controllability entails managing access to the network. Set strong passwords, rotate them, and require authentication. Renew or delete accounts as staff and vendors change, so it is clear exactly who has access to network systems. No one should be able to get onto the network without the manager's knowledge. Zero trust security is the name of the game when it comes to the human component.
Basic Action to Take Today
Cybersecurity does not need to be overwhelming or difficult. For the most part, cybersecurity is about thinking logically and strategically. A few alterations can be made to the network immediately. Above all, implement policies and procedures that are based on the CIA Triad of confidentiality, availability, and integrity. Develop policies and procedures that will keep sensitive assets secure in the case of a cyberattack or threat.
Look at realistic ways to isolate networks. Consider isolating building systems from IT, for example. Use a dedicated building network, with a separate virtual local area network (VLAN) for each service provider and vendor. Isolation is a straightforward way to limit connections between vulnerable networks and confidential data.
Observe what is happening on the networks. It is important to understand how the network normally behaves and to recognize anomalies. Ask for regular reports on the number of connected devices and number of disconnected ports, for example. Review network management log files for user logins.
Keep track of and manage who has access to your building network. Control the flow of information. Disable unused switch ports so no one can plug a laptop into an available port and communicate on your network.
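The three principles (isolation, observability, controllability) and the three actions above, as one added working example that is not from the original article: a review script that compares switch log events with a baseline inventory and reports the anomalies a building manager should ask about. It flags a device appearing on a port that should be empty, a known vendor device turning up on a VLAN other than its own (an isolation failure), repeated failed logins, a successful login by an unknown account, and a spare port that has link and should be shut down. The log format, port names, VLAN numbers, account names and every log line are constructed for illustration; a real switch or network management system has its own format, so parse_line would be adapted to it.

```python
"""Baseline-and-anomaly review of building-network logs.

Added example (not from the original article). The log format, port
names, VLAN numbers, account names and every log line below are
constructed for illustration; real switches and network management
systems each have their own formats, so parse_line would be adapted
to whatever they emit.
"""
import re
from collections import Counter

# Constructed baseline from the last reviewed report: port -> (MAC, VLAN).
# Vendor VLANs 110 and 120 are assumed; VLAN 10 stands in for the IT network.
BASELINE = {
    "Gi1/0/1": ("00:1a:2b:00:00:01", 110),  # HVAC controller, HVAC vendor VLAN
    "Gi1/0/2": ("00:1a:2b:00:00:02", 110),  # HVAC controller, HVAC vendor VLAN
    "Gi1/0/3": ("00:3c:4d:00:00:07", 120),  # lighting gateway, lighting vendor VLAN
    "Gi1/0/4": (None, None),                # spare port, should be shut down
    "Gi1/0/5": (None, None),                # spare port, should be shut down
}
AUTHORIZED_USERS = {"bms-admin", "hvac-vendor"}

# Constructed log lines in an assumed "TS HOST EVENT key=value ..." format.
SAMPLE_LOG = """\
2017-07-10T08:15:00 sw1 MAC_LEARN port=Gi1/0/1 mac=00:1A:2B:00:00:01 vlan=110
2017-07-10T08:15:02 sw1 MAC_LEARN port=Gi1/0/2 mac=00:1a:2b:00:00:02 vlan=110
2017-07-10T08:16:00 sw1 MAC_LEARN port=Gi1/0/3 mac=00:3c:4d:00:00:07 vlan=10
2017-07-10T08:20:00 sw1 PORT_STATUS port=Gi1/0/5 state=up
2017-07-10T09:00:00 sw1 LOGIN user=bms-admin result=success src=10.10.0.5
2017-07-11T02:13:05 sw1 MAC_LEARN port=Gi1/0/4 mac=08:00:27:aa:bb:cc vlan=10
2017-07-11T03:40:11 sw1 LOGIN user=root result=fail src=10.10.0.77
2017-07-11T03:40:13 sw1 LOGIN user=root result=fail src=10.10.0.77
2017-07-11T03:40:15 sw1 LOGIN user=root result=fail src=10.10.0.77
2017-07-11T03:41:00 sw1 LOGIN user=contractor result=success src=10.10.0.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>(?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def review(lines, baseline, authorized_users, fail_threshold=3):
    """Compare events with the baseline; return a list of (kind, detail) findings.

    unexpected_device  MAC learned on a port with no, or a different, baseline device
    vlan_change        known device seen on a VLAN other than its baseline VLAN
                       (a vendor device landing on the IT VLAN breaks isolation)
    login_failures     fail_threshold failed logins from one source address
    unknown_user       successful login by an account not in the authorized set
    unused_port_up     a port with no baseline device has link; it should be disabled
    """
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        if rec["event"] == "MAC_LEARN":
            port, mac, vlan = rec["port"], rec["mac"].lower(), int(rec["vlan"])
            base_mac, base_vlan = baseline.get(port, (None, None))
            if base_mac is None:
                findings.append(("unexpected_device", f"{mac} appeared on unused port {port} (vlan {vlan})"))
            elif mac != base_mac:
                findings.append(("unexpected_device", f"{mac} on {port}, expected {base_mac}"))
            elif vlan != base_vlan:
                findings.append(("vlan_change", f"{mac} on {port} moved from vlan {base_vlan} to {vlan}"))
        elif rec["event"] == "LOGIN":
            if rec["result"] == "fail":
                failures[rec["src"]] += 1
                if failures[rec["src"]] == fail_threshold:
                    findings.append(("login_failures", f"{fail_threshold} failed logins from {rec['src']}"))
            elif rec["user"] not in authorized_users:
                findings.append(("unknown_user", f"{rec['user']} logged in from {rec['src']} at {rec['ts']}"))
        elif rec["event"] == "PORT_STATUS" and rec["state"] == "up":
            if baseline.get(rec["port"], (None, None))[0] is None:
                findings.append(("unused_port_up", f"{rec['port']} has link but no expected device; shut it down"))
    return findings


def review_sample():
    """Run the review over the constructed log against the constructed baseline."""
    return review(SAMPLE_LOG.splitlines(), BASELINE, AUTHORIZED_USERS)


if __name__ == "__main__":
    for kind, detail in review_sample():
        print(f"{kind:18s} {detail}")
```

The baseline is the part that matters: without a recorded picture of which device belongs on which port and VLAN, none of these checks can be made, which is why the article asks for regular reports on connected devices and port status. Each finding maps back to an action: shut the unused ports, move the lighting gateway back to its vendor VLAN, and find out who the "contractor" account belongs to.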
Network hacking is a serious, growing threat that needs to be addressed by proper cybersecurity. Smart devices bring immense benefits to our daily lives, but we have to understand how to properly secure them. No one wants to see their building in the news for some catastrophic hack and leak of information. Implementing some of these best practices is the first step in safeguarding against cyberattacks.
Observability begins with best-in-class monitoring and management. OptigoVN is next-generation OT network software designed to optimize the performance of commercial buildings, resulting in time, cost, and energy savings. Are you ready to see what OptigoVN can do for your network? Sign up for a free account today, or drop us a line and book a demo with one of our experts.
The article was originally published in the July/August 2017 Issue of BICSI ICT Today, and republished here with their permission. View the published article from Vol. 38, No. 4 in this PDF.