Smart Buildings Need Smarter Cybersecurity
Smart building technologies are shaping the future of our cities, driven by the need for energy efficiency, widespread adoption of Internet of Things (IoT) platforms, and government initiatives. Seeking to reduce costs through increased operational efficiency and streamlined processes across IT, maintenance, facilities, distribution, and more, businesses are integrating these smart systems – such as Building Automation Systems (BAS) – across the organization on an ever-expanding scale.
Connectivity and Control Often Outweigh Security
One of the biggest concerns for network security practitioners is connected devices and systems that cannot protect themselves. This includes aging legacy systems, devices running unpatchable operating systems (e.g. Windows XP), and vulnerable systems often used in Industrial Control System (ICS) deployments. ICS and SCADA systems, and components such as HVAC systems, remote sensors, and IP cameras, share a single common denominator: inherent vulnerability. The primary goals of smart building technology are typically connectivity, control, and monitoring, so security is often overlooked despite constant reminders from ICS certifying bodies and the Department of Homeland Security.
Most organizations maintain a relatively flat Layer 2 network. That means security systems, fire suppression, building access controls, HVAC systems, and other building-specific protocols often sit on the same flat network as business systems such as HR and finance servers. Vulnerable devices and machines – like those mentioned above – are the weakest link, and when they operate on a shared network they put the entire organization at risk.
What’s more, these security shortcomings give attackers a way to move laterally within the network and compromise machines that underpin the reliability and availability of entire systems – which can lead to service interruption, safety issues, loss of brand prestige, and a negative impact on the bottom line.
The Root Cause of Networking Complexity
What many people don’t understand is that, despite all the layers of security in place and on the roadmap, most building automation systems remain vulnerable because they connect via TCP/IP, an inherently insecure protocol suite.
But why is TCP/IP insecure? Because the IP address serves as both a device’s location and its identity on the network. This exposes devices to numerous attack vectors, such as IP spoofing, since any control keyed on the address can be fooled by a forged one. This fundamental flaw of TCP/IP is the root cause of virtually all networking and security challenges.
To combat this, network segmentation and device isolation are considered industry best practices. Most organizations turn to traditional segmentation tools such as VLANs, firewalls, certificate management, ACLs, and VPNs to accomplish this.
These tools, however, often require new routing rules for certain traffic as well as custom-configured policies for each system or location. The result is often high cost and only modest improvement in network security posture.
Firewalls can help limit traffic in and out of designated areas, but most firewalls enforce rules based on arbitrary (dynamic and spoofable) IP addresses. Furthermore, inside the protection of a firewall, devices are still able to communicate laterally and are often visible to the rest of the network. And any slight misconfiguration of either the device or the firewall can be catastrophic.
Thankfully, with recent advances in technology, this problem can be easily resolved. Rather than using ephemeral IP addresses for device identity, we can now use a unique host identifier that provides a more reliable attribute of identity. One such implementation is the Host Identity Protocol (HIP), an open IETF standard that adds a "host identifier" in the form of a cryptographic public key associated with the host. With HIP-based solutions, two parties must share a cryptographic binding before they can see each other on the network, effectively hiding (cloaking) the portions of the network that are not allowed to communicate with each other.
With HIP, IP resources can move anywhere in the world and maintain connectivity, regardless of whether they’re in a static or dynamic IP environment. Mobility and migration between buildings, remote offices, datacenters, shared networks, and multiple cloud providers are now not only possible, but simple.
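As an added illustration of the identity-versus-address argument in the two paragraphs above (example code written for this page, not Tempered Networks' product and not a HIP implementation), the following compares a firewall rule keyed on the source address with a rule keyed on a verified host identity, covering the spoofing case, the mobility case, and a device that is simply not allowed in the segment. HIP's public key and signature are replaced by a per-device secret and an HMAC so it runs on the Python standard library alone; the device names, secrets, and addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed device registry. HIP's identity is a public key hashed into a Host Identity
# Tag (HIT); a per-device secret and HMAC stand in for the key pair so this runs on stdlib.
DEVICE_KEYS = {
    "hvac-controller-1": b"constructed-secret-hvac-1",
    "ip-camera-7": b"constructed-secret-camera-7",
}

def host_identity_tag(key: bytes) -> str:  # the HIT analogue
    return hashlib.sha256(key).hexdigest()[:32]

KEY_BY_HIT = {host_identity_tag(k): k for k in DEVICE_KEYS.values()}

@dataclass
class Packet:
    src_ip: str
    payload: bytes
    hit: str = ""    # identity tag carried with the packet (absent in plain IP traffic)
    proof: str = ""  # proof of possession of the identity key, computed over the payload

def send(device: str, src_ip: str, payload: bytes) -> Packet:
    # Attach the device's identity and proof, as a HIP-enabled host would.
    key = DEVICE_KEYS[device]
    return Packet(src_ip, payload, host_identity_tag(key),
                  hmac.new(key, payload, hashlib.sha256).hexdigest())

# Rule 1, firewall style: keyed on the source address, which the sender chooses.
IP_ALLOWLIST = {"10.0.5.10"}  # address assigned to hvac-controller-1
def ip_based_policy(pkt: Packet) -> bool:
    return pkt.src_ip in IP_ALLOWLIST

# Rule 2, identity style: keyed on a verified host identity; the address is irrelevant.
HIT_ALLOWLIST = {host_identity_tag(DEVICE_KEYS["hvac-controller-1"])}
def identity_based_policy(pkt: Packet) -> bool:
    key = KEY_BY_HIT.get(pkt.hit)
    if pkt.hit not in HIT_ALLOWLIST or key is None:
        return False
    expected = hmac.new(key, pkt.payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt.proof)

def demo() -> dict:
    # Constructed traffic: a forgery using the controller's address, the real controller
    # after moving subnets, and a camera whose identity verifies but is not allowed here.
    forged = Packet("10.0.5.10", b"setpoint=30")
    moved = send("hvac-controller-1", "192.168.44.7", b"setpoint=21")
    camera = send("ip-camera-7", "10.0.5.10", b"setpoint=35")
    return {name: (ip_based_policy(p), identity_based_policy(p))
            for name, p in {"forged": forged, "moved": moved, "camera": camera}.items()}
```

Each value in the result is (passes IP rule, passes identity rule): the forgery and the camera pass only the address rule, while the relocated controller passes only the identity rule.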
Smart Building Challenges – Beyond Cybersecurity
When we work with facilities and operations teams on building automation projects, they’re also trying to optimize network performance and resiliency. For example, pervasive Building Automation and Control Networks (BACnet) systems can create broadcast storms that cripple network performance. These traffic storms cause problems for network administrators because the flood of broadcast noise drowns out and disrupts other IP traffic on the network. They can happen without warning and take down critical building services. Today, with proper micro-segmentation, you can improve overall network performance by confining noisy traffic to encrypted network segments.
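A simple check for the broadcast-storm symptom described above, as added example code (not from the original article or any vendor): it counts BACnet/IP broadcasts per source and per time window over constructed flow records and flags both a single controller looping Who-Is broadcasts and a window in which many devices answer at once, which no per-source threshold would catch. The thresholds, addresses, and records are assumptions.

```python
from collections import Counter

BACNET_PORT = 47808  # BACnet/IP default UDP port (0xBAC0)
# Constructed addresses: the limited broadcast and this subnet's directed broadcast.
BROADCAST_DSTS = {"255.255.255.255", "10.20.0.255"}

def is_bacnet_broadcast(rec) -> bool:
    _, _, dst, port = rec
    return port == BACNET_PORT and dst in BROADCAST_DSTS

def broadcast_counts(records, window_s: int = 10) -> Counter:
    """Count BACnet broadcasts per (source, window); records are (ts, src, dst, port)."""
    counts = Counter()
    for ts, src, dst, port in records:
        if is_bacnet_broadcast((ts, src, dst, port)):
            counts[(src, int(ts // window_s))] += 1
    return counts

def storm_report(records, window_s: int = 10, per_source: int = 50, per_window: int = 100):
    """Flag sources sending more than per_source broadcasts in a window, and windows whose
    total exceeds per_window (many devices replying at once also looks like a storm)."""
    counts = broadcast_counts(records, window_s)
    noisy_sources = sorted({src for (src, _), n in counts.items() if n > per_source})
    totals = Counter()
    for (_, w), n in counts.items():
        totals[w] += n
    noisy_windows = sorted(w for w, n in totals.items() if n > per_window)
    return {"noisy_sources": noisy_sources, "noisy_windows": noisy_windows}

def constructed_sample():
    """Constructed flow records (ts seconds, src, dst, dst_port): a controller stuck in a
    Who-Is loop (150 broadcasts in window 0), a healthy controller (3 in window 0), some
    unicast traffic, and ten devices each answering 15 times in window 1 (150 total)."""
    recs = [(i * 0.05, "10.20.0.15", "10.20.0.255", BACNET_PORT) for i in range(150)]
    recs += [(t, "10.20.0.31", "10.20.0.255", BACNET_PORT) for t in (1.0, 4.5, 8.0)]
    recs += [(t, "10.20.0.31", "10.20.0.15", BACNET_PORT) for t in (2.0, 6.0)]
    recs += [(t, "10.20.0.99", "10.20.0.5", 443) for t in (3.0, 7.0)]
    recs += [(10.0 + d * 0.1 + k * 0.5, f"10.20.0.{40 + d}", "10.20.0.255", BACNET_PORT)
             for d in range(10) for k in range(15)]
    return recs

if __name__ == "__main__":
    print(storm_report(constructed_sample()))
```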
Successful BACnet Segmentation for a Leading University
We recently worked with Penn State University and its Facility Automation Services team, which was tasked with segmenting and centralizing the university’s expansive BACnet system. In this case, the BACnet system controlled HVAC, lighting controls, and access controls for classrooms, high-value research labs, and more. Over 640 buildings are spread across dozens of campuses state-wide. The network attack surface was large due to many rogue access switches and wireless access points. With BACnet communications openly traversing Penn State’s flat network, the mandate was to get the BACnet traffic segmented.
Tempered Networks’ Identity Defined Network (IDN) solution enabled the facilities staff to rapidly segment their expansive BACnet system with centralized management across their entire deployment. The cost comparison was an eye-opener for the facilities team.
"Alternative solutions would have taken us two to three years and required hiring net new technical staff to deploy and manage," according to Tom Walker, Systems Design Specialist at Penn State University.
In short, Tempered Networks’ secure networking solution enables Facilities and Operations teams to remove the traditional networking obstacles and:
- Easily connect, control, and secure building automation systems to optimize efficiency
- Enhance risk posture by reducing the network attack surface across the enterprise
- Improve overall network performance by isolating specific network segments
- Experience significant OpEx savings through simplified point-and-click management – no advanced IT skills required
This Week’s Sponsor
Tempered Networks offers organizations a smarter, secure and scalable way to connect, segment, and manage building automation system (BAS) deployments. With no changes to the underlying infrastructure, you can easily isolate BACnet traffic, for example, with hardened segmentation using point-and-click orchestration that anyone can manage. Facilities and Operations teams can remove the traditional IT networking obstacles – with the lowest TCO – without compromising security for simplicity. Visit www.temperednetworks.com.
UPCOMING REALCOMM WEBINARS
Technology and the Impact to a Commercial Real Estate Strategy – Innovators Weigh In - 10/3/2018
For today’s Commercial Real Estate CIO, new technologies continue to emerge that are changing the landscape daily. Long gone are the days when property management, budgeting and forecasting, and e-mail were the only concerns. Today, digital transformation, smart buildings, occupant experiences, automated leasing, artificial intelligence, augmented reality and cyber are just a few of the new technologies impacting the role of the CIO. This webinar will discuss the wide-ranging set of technologies changing the commercial real estate industry and, more importantly, the types of strategies necessary to navigate at an ever-increasing speed. Hear from some of the industry’s most successful CIOs regarding this “Age of Acceleration”!
Founder of Realcomm Conference Group, an education organization that produces Realcomm, IBcon and CoRE Tech, the world's leading conferences on technology, automated business solutions, intelligent buildings and energy efficiency for the commercial and corporate real estate industry. As CEO, Jim interacts with some of the largest companies globally pertaining to some of the most advanced and progressive next generation real estate projects under development.
Susan Gerock currently serves as VP, Information Technology and CIO for Washington REIT, a publicly traded REIT based in Washington, DC. She has over 20 years' experience in various technology roles spanning manufacturing, consulting, application service provider, and commercial real estate organizations. Her specialties include ERP selection and implementation, project and change management, and cybersecurity. She is also a proponent of the use of social media and the overlapping relationship between technology and marketing.
Phil Klokis is currently the CIO for the Public Buildings Service (PBS) of the General Services Administration. He is responsible for delivering Information Technology (IT) solutions and services supporting PBS' diverse real estate operations and portfolio management consisting of 1,500 owned assets, 9,000 active leased assets and nearly 350 million square feet of office space.
Ron Victor is a Silicon Valley based technology entrepreneur with 20 years of experience and expertise launching new ventures at start-ups and Fortune 1000 technology companies. To date he has enabled raising more than $30 million in start-up capital for multiple start-ups in Silicon Valley. Ron has founded and led three companies to date with successful exits. His latest venture is IoTium Inc. – a Silicon Valley start-up that provides a secure, cloud-managed, easy-to-deploy software defined network infrastructure for all IoT verticals.
Marc is a pioneer in leading the Intelligent/Smart Buildings and M2M movements pushing the industry forward and has contributed to transforming and changing the Intelligent Buildings and M2M (now IoT) industries. As Chief Marketing and Communications Officer for Lynxspring Marc leads corporate and product marketing, strategy, brand management, public relations and communications that support the company’s strategic and growth initiatives.
Scott Sidman has 14 years of CRE technology experience leading sales and marketing efforts. He is responsible for supporting company growth goals and ensuring that company and product direction align with market needs as well as leads. Scott is a CRE tech evangelist and host of the CRE Tech Talks podcast.