Cybersecurity for Smart Buildings

From OpenCommons
Jump to navigation Jump to search


Smart Buildings
Smart Buildings
Sectors Smart Buildings
Contact Colin Dunn
Topics
Authors

ColinDunn.jpegFrançois Bégin.jpeg

Cybersecurity for buildings is not just about preventing inconvenience or financial loss. It's also about protecting physical safety, personal privacy, and the overall integrity of the functions and services that buildings provide. As buildings become increasingly digitized and integrated with the Internet of Things (IoT) cybersecurity in buildings becomes crucial.


Benefits of cybersecurity in Smart Buildings

Cybersecurity in smart buildings has become increasingly important as the complexity and connectivity of building management systems (BMS) grow. These systems, which manage everything from heating and air conditioning to security cameras, are increasingly being connected to the internet for remote access and control. However, this increased connectivity also creates new vulnerabilities that can be exploited by cybercriminals.

Here are some of the key benefits of implementing robust cybersecurity measures in smart buildings:

  1. Data Protection: Smart buildings generate a significant amount of data, much of which may be sensitive or confidential. This data can include information about residents or tenants, as well as operational data about the building itself. Cybersecurity measures help protect this data from being accessed or stolen by unauthorized individuals.
  2. Privacy: Smart buildings often involve a variety of IoT devices, such as surveillance cameras, smart locks, and other sensors that could potentially invade the privacy of individuals if not properly secured. Good cybersecurity practices can help prevent unauthorized access to these systems and protect the privacy of those within the building.
  3. Operational Integrity: Cyberattacks can lead to disruptions in a building's operations, potentially causing inconvenience, financial loss, or even physical harm. For example, a hacker could potentially manipulate a building's heating, ventilation, and air conditioning (HVAC) systems, causing discomfort or even dangerous conditions. Cybersecurity measures can help ensure that a building's systems continue to function properly and safely.
  4. Business Continuity: Cyberattacks can lead to significant downtime, which can disrupt business operations and result in financial loss. Implementing robust cybersecurity measures can help to prevent these types of disruptions and ensure business continuity.
  5. Compliance: Many jurisdictions have data protection regulations that businesses must comply with. Ensuring cybersecurity in smart buildings can help ensure compliance with these regulations, helping to avoid penalties and potential damage to reputation.
  6. Trust and Reputation: By demonstrating a commitment to cybersecurity, property owners and managers can build trust with tenants, employees, and other stakeholders. This can enhance their reputation and make their properties more attractive to potential renters or buyers.
  7. The benefits of cybersecurity in smart buildings are multifold, affecting every aspect of a building's operation, from the protection of sensitive data to the safeguarding of critical infrastructure. As the complexity and connectivity of these systems continue to grow, the importance of cybersecurity will only increase.

Overview of Cybersecurity Risks Associated with Smart Buildings

The big push to adopt IoT and remote connectivity has resulted in many connected buildings with insecure remote access. Building automation systems can be a vector for cyber-attacks where potential attackers gain entry to corporate networks through HVAC systems, elevator operations, lighting, water supply, alarm systems, security devices, access systems, power supply and the list goes on. Criminals gained access to Target’s corporate information systems through inappropriate credentialing to an HVAC contractor. Russia took down the Ukrainian power grid and has infiltrated much of the US energy infrastructure. Each system and device, including its multiple versions and iterations, has its own level of cybersecurity risk. The gradual elimination of human intervention in the IoT world implies a machine-to-machine (M2M) environment where all physical systems that can interconnect and intercommunicate through an IP network can be the entry point of, or victim to, a cyber breach.

In recent years, cyber security measures have often simply focused on protecting traditional information technology (IT) systems and providing tighter controls on information security in general—often aimed at safeguarding personal and corporate data. But with the rise of smart digitization technologies and the ability to extract value out of previously disconnected or “air-gapped” operational technology (OT) systems, these systems are now part of a world they weren’t originally designed for. As such, the OT environment may be plagued by misconfiguration, vulnerable embedded hardware and software, poor cyber security practices, outdated network components, and lack of general cyber security awareness.

Many OT systems are experiencing cyberattacks similar to IT networks. IBM Managed Security Services (MSS) data shows a 110% increase in attacks on industrial control systems since 2016—a threat landscape predicted to grow at a phenomenal rate to 2020 and beyond. Kaspersky, a Russia-based Cybersecurity firm has issued an official warning that every 4 out of 10 automated buildings are vulnerable to cyber-attacks since the computer systems which are controlling them are affected by malware[1]. Frost Sullivan’s Building Automation System table below, illustrates some of the more common vulnerabilities.

Center

As stated by Larry O’Brien, VP of Research at ARC Advisory Group, “there is a drive to deploy more lower cost sensors, both wired and wireless, to gather as much data as possible. At the same time, the industry has a considerable installed base of legacy building automation systems, applications, devices, and networks that must be managed, maintained, and gradually modernized.”

The KPIs of good cybersecurity in Smart Buildings

Key Performance Indicators (KPIs) are critical for assessing the effectiveness of any cybersecurity strategy, and this includes cybersecurity for smart buildings. While KPIs can vary based on specific organizational needs and goals, here are some KPIs that are generally relevant to measure the efficiency and effectiveness of cybersecurity in smart buildings:

  1. Incident Response Time: Measures the time it takes for the cybersecurity team to respond to a detected security incident. This KPI includes detection time, response time, and recovery time.
  2. Patch Management Speed: Measures the amount of time from when a vulnerability is identified to when it is patched. The faster vulnerabilities can be patched, the lower the chance they can be exploited.
  3. Frequency of Security Audits and Tests: Regular audits of the security infrastructure, processes, and practices are essential. These audits can uncover hidden vulnerabilities and allow you to assess the effectiveness of current security measures.
  4. Incident Detection Rate: The effectiveness of an organization's security monitoring system can be measured by how many incidents it detects. This KPI is often measured against the total number of incidents that occurred, including those that were not detected by the system.
  5. Number of Unresolved Vulnerabilities: This measures how many identified vulnerabilities within the system are yet to be addressed. The lower the number, the better.
  6. Rate of False Positives: A balance needs to be struck to ensure that the system is sensitive enough to pick up on threats, but not so sensitive that a significant number of false positives are produced. High rates of false positives can lead to alert fatigue, which may cause real threats to be overlooked.
  7. System Uptime: A key goal of cybersecurity is to maintain system availability. Uptime should be as high as possible, indicating that the systems are resilient and can recover quickly from attacks.
  8. User Training and Awareness: A human is often the weakest link in cybersecurity. Regular training for all users of the system, and measuring the effectiveness of this training (e.g., through tests and surveys) can be a vital KPI.
  9. Compliance Score: This refers to adherence to standards and regulations, such as ISO 27001, GDPR, or any other applicable standards. Regular checks should ensure that the organization is not breaching any regulations or guidelines.
  10. Cost of Cybersecurity Incidents: This includes costs related to incident response, system recovery, potential fines, and any reputational damage or lost business as a result of the incident.

The purpose of these KPIs is to provide actionable insights. Therefore, they should be reviewed regularly and used to continuously improve the cybersecurity strategy for the smart building. Also, since each building and its use case may be different, the KPIs must be customized to meet individual organizational needs and priorities.

Review of Practical Options

Pervasiveness of technology, ubiquitous connectivity, and an increasingly evolving machine-to-machine (M2M) environment will continue to impact and influence how smart buildings are operated, which will raise the need for protection against cyber risks quite significantly. A delayed head start not only poses huge challenges in dealing with this complex issue but undermines the value and adequacy of initiatives that could potentially be used to ward off adversarial impacts. Irrespective of such shortfalls, however, inaction is no longer an option for the smart buildings industry. (Frost Sullivan – Cybersecurity in Smart Buildings)

Since everything is, or will soon be “connected,” what is good smart building cyber hygiene? Ongoing convergence of OT and IT systems in buildings has led to a review of the definition of physical systems within a smart building. In this regard, the National Science Foundation and NIST have attempted to classify the hybrid IT and OT systems as cyber physical systems (CPS). CPS are defined as integrated, hybrid networks of cyber and engineered physical elements; co-designed and co-engineered to create adaptive and predictive systems, and respond in real time to enhance performance. CPS is essentially coined to represent the transition and evolution in systems from industrial revolution/physical systems to the Internet revolution/cyber systems and, at present, evolving into industrial Internet revolution/cyber physical systems.

As is the case for personal and financial data, good OT / IoT cybersecurity practices start by implementing a rigorous risk mitigation strategy (identify, protect, detect, respond, recover). A key starting point is to avoid jumping into discussions of how to defend or what technologies to deploy. Decisionmakers should start with discussions of what citizen service is to be improved, and why connectivity might help advance that offering. When increased connectivity appears to be the answer, ask whether process improvement to an existing system might be more effective. At times, low-tech solutions like air-gaps and phone calls among maintenance staff may be appropriate. Other time, using the power of cloud-based predictive analytics can better inform city maintenance teams without handing control to the machines. However, some of these advancements through IoT and artificial intelligence are so compelling that the risks are worth the cost of mitigation. Cybersecurity solutions currently being offered to the smart buildings industry combine IT and physical security options, in addition to technology deployment approaches that attempt to detect anomalies and reduce vulnerabilities for IT and OT staff. In reviewing such technology options, it is important to begin by looking at a building’s critical vulnerability areas that gain top consideration.

The scale of damages in a cyber-attack can inflate significantly when open systems and converged networks are overlaid with IoT. A key attribute is the inseparable relationship of device and data brought together through aggregation in the cloud that can be compromised in the event of a cyber breach. One approach is to aggregate and encrypt data locally at the building level and not push it out to the cloud. But if the goal of deploying IoT-based systems, and “digitalizing” legacy equipment is to reduce lifecycle costs, improved asset management can only be truly achieved in an edge to cloud environment, where regular streams of integrated data drive better, more timely decisions. So, the goal should not be to stovepipe OT-derived data, but to welcome integration of these edge-based systems, while ensuring that they can’t be used as attack vectors.

Designing for the Future

As Larry O’Brien at the ARC Advisor Group puts it: “Assets are increasingly connected, driving the need for secure remote building monitoring and management. Owner-operators must also get a better perspective of the kinds of potential vulnerabilities that exist among their installed base of cyber and control system assets. Data flows must be planned and monitored, possibly making it necessary to use one-way data diodes”.

Thus IT/OT convergence is both inevitable and desirable, as it extends asset life, reduces O&M costs, increases safety and security, and improves occupants’ comfort. But as building automation systems become ubiquitous, and co mingle with enterprise-level systems, new processes and tools need to be adopted to embrace this new reality:

  • Greater integration of IT and OT teams through joint management and training;
  • Enterprise-wide understanding and assessment of critical assets;
  • Cohesive and coordinated risk mitigation and response;
  • Continuous management of all cyber-assets, vulnerabilities and threats regardless of source or vector;
  • Secure building monitoring and management by “hardening” ICS, SCADA and building automation system protocols, through the combined use of hardware (data diodes[2], firewalls) and software solutions tailored to the vulnerability and criticality of asset classes.

The rise of the Internet of Things (IoT) and the declining costs of sensors and cloud computing are disrupting the building industry as more organizations retrofit or build out new smart buildings. Buildings can only be “smart” if they are safe, which increasingly implies cyber-safe. One simply needs to revisit the Target episode to understand how an attack on the HVAC monitoring system compromised credit card information of 40 million customers and other sensitive enterprise data. The number of vulnerabilities in internet-accessible ICS components across all manufacturers continues to grow while the number of devices proliferate. According to a 2018 Review of ICS Vulnerabilities by Positive Technologies, the number of vulnerabilities in the products of leading manufacturers grew by 30 percent compared to 2017. The share of critical and high-severity vulnerabilities increased by 17 percent. Furthermore, “on average, vendors take a rather long time to fix vulnerabilities (more than six months) Elimination of some vulnerabilities—measured by time from vendor notification to release of a patch—can take more than two years. For end users, such protracted responses increase the risk of exploitation of device vulnerabilities.

More than 220,000 ICS components are available online, which is 27 percent higher than in 2017. Most of them are automation system components. Such systems are mainly located in the U.S., Germany, China, France, Italy, and Canada, even though lawmakers have long been concerned about the security of such devices and systems. For example, the International Organization for Standardization (ISO) has recently published new guidance to reduce the risks of cyberattacks on machinery.” [3]

Our buildings are also visited, both physically and virtually, by those who cross many network boundaries from home to restaurants to work. These occupants include not only tenants and guests, but the staff that operate our buildings. During a crisis, such as that presented by COVID-19, we have seen teams rapidly bring together tools and approaches to keep businesses moving and keep supplies flowing… at times bypassing pre-established protocols for expediency. Access to critical systems may be tightly controlled under normal conditions, but these work-arounds can involve home computers, personal cell phones, and public wi-fi. When planning for the future, be sure to account for the resilience of staff and their willingness to be productive.

Smart building technologies offer many benefits, but also create a broader attack surface and risk due to the increased numbers of devices and connected assets. Both physical and cyber security should be at the core of any investment in smart building technology. Cybersecurity considerations and planning should be an enterprise-wide, integrated effort, involving key stakeholders, that encompasses all classes of assets connected to the internet. ICS and more broadly IoT devices are not primarily designed to be cyber-secure. Thus, they need to be integrated with security-centric technology if they are to safely deliver the promised benefits. By integrating cybersecurity considerations early in the planning stage, our connected infrastructure can best serve occupants safely and efficiently.

Next Steps…

The cyber resilience policy

Cyber resilience must be integral not only to technical systems but is also essential in teams, the organizational culture and daily operations. Therefore the best practice is to start with the cyber resilience policy https://www.weforum.org/whitepapers/the-cyber-resilience-index-advancing-organizational-cyber-resilience This is a framework that guides local government leaders and responsible departments on how to establish resilient systems that maintain essential functions and service delivery in an increasingly risky digital landscape. The five policy functions are an adaptation of the five US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[Framework (CSF)] functions: identify, protect, detect, respond and recover

The cyber resilience assessment

Conducting a thorough assessment of ones’ own property which includes the building systems, other operations focused systems and platforms, third party systems and applications, communications infrastructure may seem daunting, costly and time consuming. But, as detailed above, the cost of not doing so both for one’s own operations and those of building occupants can be significant and sometimes immeasurable.

As a first next step, SBSC invites planning teams to review the Cybersecurity and Privacy Risk Management Preparation Questionnaire & Handbook. Also based on the NIST Cybersecurity Risk Management Framework, it outlines core issues to watch for The Handbook portion acts as a guideline for information gathering and assessment.

Municipal citizens are intimately tied to and increasingly digitally connected to the buildings in which they live work and play. It is incumbent upon the public and private organizations that manage the broader built environment to be vigilant and diligent in their active pursuit of cyber protection.

"Investing in smart buildings is good business, but investing in cybersmart buildings—that’s great business. Without security, the truly transformative benefits of connectivity and automation are at risk. embracing cyber security means protecting your customers and your bottom line.” (Sedar Labarre, Vice President, Booz Allen Hamilton)

Examples of cybersecurity measures in smart buildings

Many smart buildings utilize comprehensive cybersecurity measures to safeguard their digital infrastructure and the data they collect. These strategies encompass various elements, from stringent access controls to encrypted data transfers, to ensure the secure functioning of smart systems. Here are a few examples:

  1. Secure Communications: All communication between devices and servers is encrypted to prevent unauthorized access or data breaches. For instance, technologies like Transport Layer Security (TLS) are commonly used for this purpose.
  2. Firewalls and Intrusion Detection Systems (IDS): Smart buildings employ advanced firewalls and IDS to identify and neutralize potential threats. These can detect suspicious activities, such as multiple unsuccessful login attempts or abnormal data transfer patterns, and trigger appropriate countermeasures.
  3. Authentication and Access Controls: Robust authentication mechanisms ensure only authorized users have access to the system. This could be in the form of two-factor authentication, biometrics, or advanced password policies. Furthermore, the principle of least privilege is often adopted, where users are given the minimum levels of access necessary to perform their roles.
  4. Frequent Software Updates and Patches: Regular updating and patching of all software components is vital. This includes operating systems, firmware, applications, and security software, ensuring that any known vulnerabilities are quickly addressed.
  5. Security-By-Design: Smart building technology providers often design their products with security built-in from the ground up. This includes secure boot processes, hardware and software attestation, and secure update mechanisms, among other things.
  6. Network Segmentation: By dividing the network into separate segments, it's easier to control traffic and minimize the potential impact of a cyber attack. This means that if one device is compromised, the threat can be contained and not spread to the entire network.
  7. Anomaly Detection Systems: These monitor the regular patterns of the network and alarm when something unusual happens, such as a sudden spike in data transfer, unusual login attempts, or changes in device behaviors.
  8. Data Protection and Privacy Policies: Good cybersecurity practice also involves the correct handling and storage of user data. This could involve anonymizing data, only keeping necessary data, and regularly deleting old data.
  9. Training and Awareness Programs: Humans are often the weakest link in cybersecurity. Regularly training staff on the importance of cybersecurity, how to identify and report potential threats, and best practices in maintaining security is key to a robust cybersecurity program.
  10. Penetration Testing and Security Audits: Regular security assessments can help identify potential vulnerabilities and provide an opportunity to address them before they're exploited.

These are just some of the cybersecurity measures that can be implemented in smart buildings. The exact strategies will depend on factors such as the type of data being collected, the specific technology in use, and the risk profile of the organization Furthermore, the cybersecurity landscape is continuously evolving, with organizations always having to adapt to new threats. In this sense, good cybersecurity is a process of continual adjustment and improvement rather than a static goal.

Additional Resources:

Building Cyber Security

Whole Building Design Guide

References