Smart Buildings Need Smarter Cybersecurity
Smart building technologies are shaping the future of our cities, driven by the need for energy efficiency, the widespread adoption of Internet of Things (IoT) platforms, and government initiatives. Seeking to reduce costs through increased operational efficiency and streamlined processes across IT, maintenance, facilities, distribution, and more, businesses are integrating these smart systems – such as Building Automation Systems (BAS) – across the organization on an ever-expanding scale.
Connectivity and Control Often Outweigh Security
One of the biggest concerns for network security practitioners is connected devices and systems that cannot protect themselves. This includes aging legacy systems, devices running unpatchable operating systems (e.g. Windows XP), and the vulnerable systems often used in Industrial Control System (ICS) deployments. ICS, SCADA, and components such as HVAC systems, remote sensors, and IP cameras have a single common denominator: inherent vulnerability. The primary goals of smart building technology are typically connectivity, control, and monitoring, so security is often overlooked despite constant reminders from ICS certifying bodies and the Department of Homeland Security.
Most organizations maintain a relatively flat Layer 2 network. That means security, fire suppression, building access controls, HVAC systems, and other building-specific protocols often share the same flat network with other systems, such as HR and Finance servers. Vulnerable devices and machines – like those mentioned above – are the weakest link, and when they operate on a shared network they put the entire organization at risk.
What’s more, these security shortcomings give attackers a way to move laterally within the network and compromise machines that affect the reliability and availability of entire systems – which could lead to service interruption, safety issues, loss of brand prestige, and a negative impact on the bottom line.
The Root Cause of Networking Complexity
What many people don’t understand is that, despite all the layers of security in place and on the roadmap, most building automation systems remain vulnerable because they connect via TCP/IP, an inherently insecure protocol.
But why is TCP/IP insecure? Because an IP address serves as both a device’s location and its identity on a network. This exposes those devices to numerous attack vectors, such as IP spoofing. This fundamental flaw of TCP/IP is the root cause of virtually all networking and security challenges.
To combat this, network segmentation and device isolation are considered industry best practices. Most organizations turn to traditional segmentation tools like VLANs, or leverage firewalls, certificate management, ACLs, VPNs, etc., to accomplish this.
These systems, however, often require new routing rules for certain traffic as well as custom-configured policies for each system or location. This often results in high costs and only modest improvements in network security posture.
Firewalls can help limit traffic in and out of designated areas, but most firewalls enforce rules based on arbitrary (dynamic and spoofable) IP addresses. Furthermore, inside the protection of a firewall, devices can still communicate laterally and are often visible to the rest of the network. And any slight misconfiguration of either the device or the firewall can be catastrophic.
Thankfully, with recent advancements in technology, this problem can be easily resolved. Rather than using ephemeral IP addresses for device identity, we can now use a unique host identifier that provides a more reliable attribute of identity. One such implementation is the Host Identity Protocol (HIP), an open IETF standard that adds a "host identifier" in the form of a cryptographic public key associated with the host. With HIP-based solutions, two parties must share a cryptographic binding before they can see each other on the network, effectively hiding (cloaking) the portions of the network that are not allowed to communicate with each other.
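As an added illustration (not code from the article or from Tempered Networks), the contrast between an address-based allow-list and an identity-based one, modelled in Go with an Ed25519 key standing in for the HIP host identity. The HostTag derivation, the challenge exchange, the two policy types and the address 10.20.0.7 are simplifications assumed for the example, not HIP's actual base exchange.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HostTag derives a short identifier from a host's public key. Real HIP Host
// Identity Tags are ORCHID-formatted hashes of the Host Identity (RFC 7401);
// this 16-byte SHA-256 prefix is a simplification for the example.
func HostTag(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// IdentityPolicy allow-lists host tags, not addresses.
type IdentityPolicy map[string]bool

// AuthorizePeer accepts a peer only if it proves possession of the private key
// behind the presented public key (a signature over a fresh challenge) and the
// derived tag is allow-listed. The packet's source IP is never consulted.
func (p IdentityPolicy) AuthorizePeer(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, challenge, sig) {
		return false
	}
	return p[HostTag(pub)]
}

// IPPolicy is the traditional allow-list: the claimed source address is taken at face value.
type IPPolicy map[string]bool

func (p IPPolicy) Authorize(claimedSrc string) bool { return p[claimedSrc] }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := IdentityPolicy{HostTag(pub): true}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh nonce per exchange, so a captured signature cannot be replayed
	fmt.Println("enrolled host:", policy.AuthorizePeer(pub, challenge, ed25519.Sign(priv, challenge)))
	// A second host with its own key pair signs correctly but was never enrolled.
	strayPub, strayPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unenrolled host:", policy.AuthorizePeer(strayPub, challenge, ed25519.Sign(strayPriv, challenge)))
	// Presenting the enrolled public key without its private key fails verification.
	fmt.Println("borrowed key:", policy.AuthorizePeer(pub, challenge, ed25519.Sign(strayPriv, challenge)))
	// The address allow-list (10.20.0.7 is a constructed value) cannot tell a forged header apart.
	fmt.Println("spoofed source:", IPPolicy{"10.20.0.7": true}.Authorize("10.20.0.7"))
}
```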
With HIP, IP resources can move anywhere in the world and maintain connectivity, regardless of whether they’re in a static or dynamic IP environment. Now mobility and migration between buildings, remote offices, datacenters, shared networks, and multiple cloud providers is not only possible, but simple.
Smart Building Challenges – Beyond Cybersecurity
When we work with facilities and operations teams on building automation projects, they’re also trying to optimize network performance and resiliency. For example, pervasive Building Automation and Control Networks (BACnet) systems can create broadcast storms that cripple network performance. These traffic storms cause problems for network administrators because the flood of broadcast noise drowns out legitimate traffic and interferes with other IP traffic on the network. They can happen without warning and take down critical building services. Today, with proper micro-segmentation, you can improve overall network performance by restricting noisy traffic to encrypted network segments.
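To make the effect of segmentation measurable, here is an added example (not from the article or the vendor) that computes, from constructed flow records, the peak number of BACnet/IP broadcasts per second on each network segment, so a storm shows up as a spike on one segment instead of the whole flat network. The Flow layout, the segment names and the alert threshold of 3 broadcasts per second are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

const bacnetPort = 47808 // 0xBAC0, the standard BACnet/IP UDP port

// Flow is one summarised packet plus the segment (VLAN or micro-segment) it was seen on.
type Flow struct {
	Sec, Port                int
	Src, Dst, Proto, Segment string
}

// Constructed sample (not real data): four controllers answer a Who-Is on the flat network within one second, plus a unicast TCP flow and one quiet HVAC segment.
var sampleFlows = []Flow{
	{1700000000, 47808, "10.1.0.11", "10.1.0.255", "UDP", "flat"},
	{1700000000, 47808, "10.1.0.12", "10.1.0.255", "UDP", "flat"},
	{1700000000, 47808, "10.1.0.13", "255.255.255.255", "UDP", "flat"},
	{1700000000, 47808, "10.1.0.14", "10.1.0.255", "UDP", "flat"},
	{1700000000, 443, "10.1.0.50", "10.1.0.20", "TCP", "flat"},
	{1700000001, 47808, "10.1.0.11", "10.1.0.255", "UDP", "flat"},
	{1700000000, 47808, "10.9.0.3", "10.9.0.255", "UDP", "hvac-b7"},
}

// BroadcastPeaks returns, per segment, the largest number of BACnet/IP broadcasts seen
// in any one-second window. Treating every destination ending in .255 as a broadcast is
// a simplification; a real tool would apply the segment's subnet mask.
func BroadcastPeaks(flows []Flow) map[string]int {
	type window struct{ seg string; sec int }
	counts := map[window]int{}
	peaks := map[string]int{}
	for _, f := range flows {
		if f.Proto != "UDP" || f.Port != bacnetPort || !strings.HasSuffix(f.Dst, ".255") {
			continue
		}
		w := window{f.Segment, f.Sec}
		if counts[w]++; counts[w] > peaks[f.Segment] {
			peaks[f.Segment] = counts[w]
		}
	}
	return peaks
}

func main() {
	for seg, n := range BroadcastPeaks(sampleFlows) {
		fmt.Printf("%-8s peak %d BACnet broadcasts/s, storm=%v\n", seg, n, n > 3) // 3/s is an assumed threshold
	}
}
```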
Successful BACnet Segmentation for a Leading University
We recently worked with Penn State University and its Facility Automation Services team, which was tasked with segmenting and centralizing the university’s expansive BACnet system. In this case, the BACnet system controlled HVAC, lighting controls, and access controls for classrooms, high-value research labs, and more. Over 640 buildings are spread across dozens of campuses state-wide. The network attack surface was large due to many rogue access switches and wireless access points. With BACnet communications openly traversing Penn State’s flat network, the orders were to get the BACnet traffic segmented.
Tempered Networks’ Identity Defined Network (IDN) solution enabled the facilities staff to rapidly segment their expansive BACnet system with centralized management across their entire deployment. The cost comparison was an eye opener for the facilities team.
"Alternative solutions would have taken us two to three years and require hiring net new technical staff to deploy and manage," according to Tom Walker, Systems Design Specialist at Penn State University.
In short, Tempered Networks’ secure networking solution enables Facilities and Operations teams to remove the traditional networking obstacles and:
- Easily connect, control, and secure building automation systems to optimize efficiency
- Enhance risk posture by reducing the network attack surface across the enterprise
- Improve overall network performance by isolating specific network segments
- Experience significant OpEx savings through simplified point-and-click management – no advanced IT skills required
This Week’s Sponsor
Tempered Networks offers organizations a smarter, secure and scalable way to connect, segment, and manage building automation system (BAS) deployments. With no changes to the underlying infrastructure, you can easily isolate BACnet traffic, for example, with hardened segmentation using point-and-click orchestration that anyone can manage. Facilities and Operations teams can remove the traditional IT networking obstacles – with the lowest TCO – without compromising security for simplicity. Visit www.temperednetworks.com.