SPOTLIGHT: SECURITY
Trust but Verify–Smart Building Security
Michael Schell
Cyber Security Advisor
Laconicly, LLC
The Russian maxim, “Doveryai, no proveryai” translates to “trust, but verify.” The proverbial saying was made popular by former president Ronald Reagan to describe the fundamentals of the Intermediate Range Nuclear Forces Treaty between the former Soviet Union and the United States in 1987. The treaty eliminated conventional ground-based nuclear weapons with intermediate ranges between the two countries. The treaty was ratified in 1988 to allow for a verification process, or inspections by the respective countries. Trust, but verify.

Merriam-Webster’s definition of trust is the “belief that someone or something is reliable, good, honest, effective, etc.” Most organizations would likely prefer to have the ‘warm and fuzzy’ feeling in everyday business. How refreshing is the feeling of having trust in your co-workers, business partners and customers? A rhetorical question, as the answer is almost always: very refreshing.

“To assume that the integrators and facilities engineers that deploy smart building technologies are also experts in cyber security is unfair and impractical.”

To assume that the trust is there almost always ends with one party being dissatisfied. Does established trust come from luck, experience, or does it develop in other ways? How does one manage to obtain and maintain a certain level of trust that benefits both parties? How does an organization verify that what is being said is, in fact, true?

When trust is established, it seems to come with a certain amount of due diligence from each party. So let’s focus on how trust is built by using one of the most elementary techniques, asking good questions. To quote one of America’s ‘masters of emotion’ Tony Robbins, “…successful people ask better questions, and as a result, they get better answers.”

Why not begin with asking better questions about the cyber security posture of smart building technologies? Asking better questions will inevitably open the doors for verification later down the road.

From our experience, some of the questions organizations are asking themselves and their integrators are “How many smart building devices do we have?”, and “Do we know where all of our smart building devices are located?” Those are easy questions to ask and to answer. A great beginning, but what questions follow? Are you truly asking the right questions to establish trust with the integrators? How can you verify the integrator’s claims?

Below are ten helpful questions that will enable organizations to build the “trust but verify” process around smart building technologies:

1) Are our devices configured securely?
2) Do we have a security policy deployed to all of our devices?
3) Are the log files being monitored for intrusion or malicious activity?
4) How would we know if any of our devices have been compromised?
5) How can we confirm the network segmentation or ‘air gap’ is secure?
6) Are any of our devices facing the Internet? Have we confirmed?
7) Are our devices patched with the latest version of vendor software?
8) Do we know if any devices were recently replaced? If so, were they deployed matching our security policy?
9) Are any of our old devices deployed to locations we no longer manage?
10) How do we audit our devices in a cost effective and repeatable way?

If organizations cannot answer the questions above, or obtain the answers from their integrators, assumptions begin. If you’re still following along, you begin to realize where trust can be lost and dissatisfaction begins. That warm and fuzzy feeling you once had begins to turn into a cold and uncomfortable feeling. Not refreshing.

Every organization at some point has made the fatal flaw of assumption by not asking the right questions aimed at the right individuals. To assume that the integrators and facilities engineers that deploy smart building technologies are also experts in cyber
46 Realcomm