Page 24 - index
P. 24

INTELLIGENT BUILDINGS

The Vulnerable Intelligent Building:
An Insider’s Approach to Securing Your Smart
Building

Pook-Ping Yao    Byron Thom
CEO              General Counsel
Optigo Networks  Optigo Networks

Cybersecurity (or insecurity) is now a persistent business                 •	 Stuxnet worm - This malware searched for and targeted
         risk. The events of the past few years have shown that               vulnerabilities in specific BAS devices from a well-known
         building and facility managers can no longer ignore                  vendor, in order to (allegedly) sabotage the production of
the fact that smart buildings are plagued with vulnerabilities—               enriched uranium in facilities located in Iran. Spread through
sometimes leading to devastating                                                                        USB flash drives.
consequences.                                                                                           •	 Insecam website - This Russian web-
                                                                                                        site temporarily gained notoriety last
   With the advance of Internet of                                                                      fall, for providing IP addresses and log-
Things (IoT) technologies, this risk is                                                                 in info for over 73,000 private security
escalating. Intelligent buildings are                                                                   cameras worldwide. The cameras were
increasingly adding new capabilities                                                                    both IP addressable and used default
into building infrastructure to improve                                                                 passwords, allowing anyone with an
efficiency, productivity and building                                                                   internet connection to monitor the
safety—all at a reduced cost.                                                                           camera’s feed, allegedly including busi-
                                                                                                        nesses and even U.S. military locations.
   However, this advancement does                                                                          Recognizing there is a problem is
not come without risk. ‘Smart’ devices                                                                  not enough; it takes action to secure a
are often quite stupid when it comes                                                                    smart building. And that action must
to digital privacy and informational
security. As highlighted in a 2014 study                                 come from both the top and the bottom—from the executives
by HP, 70% of the most common IoT devices contained vulnera-             who must prioritize a secure building as an essential corporate
bilities, with an average of 25 vulnerabilities per device.              value of the organization, to the facility managers and the IT
                                                                         teams who need to understand the risks and vulnerabilities in
   That risk is magnified when diverse subsystems which have             order to implement best practices.
historically operated separately (i.e. HVAC, lighting control, securi-
ty and access control, fire and life safety, etc.) are integrated onto   Starting from the top–taking cybersecurity seriously
a common and open IP network. Vulnerabilities from one subsys-           In many organizations, network security is often an afterthought.
tem can spill over onto other Building Automation Systems (BAS)          This is even more troubling in a smart building, where sensitive
applications, or worse, the corporate IT network.                        information is often accessible from the same network as the
                                                                         HVAC controller. In many cases, no thought or planning is put
   Given the benefits of this advanced technology, smart building        into cybersecurity until after the building system has been de-
operators have little choice but to educate themselves regarding         signed or even installed. Or worse, until after a hack has occurred
the associated risks. Networking these previously independent            (if it is even discovered).
systems often brings them online and accessible to new levels
of control and analytical processing, but disastrous repercussions         But this doesn’t have to be the case. Here are three common
can result if implemented without the appropriate layers of              sense steps that every corporation should take to address the
security.                                                                cyber threat inside and outside the smart building:
                                                                         A. Good governance
   Case studies on the vulnerable smart building                         Good security starts with leadership and the recognition that
   There are many documented examples of the vulnerability of            security is always a people problem, and cannot be solved with
   connected buildings. These include:                                   technology alone. A proper governance framework is essential,
                                                                         along with adequate financial and personnel resources to imple-
      •	 Target hack - Costing the company well over $200 million        ment them. Cybersecurity must become a corporate value that
        (so far), hackers used stolen credentials of a third-party HVAC
        systems company to gain access to Target’s point-of-sale (PoS)
        terminals and the financial information of its customers.

22 Realcomm
   19   20   21   22   23   24   25   26   27   28   29