Page 41 - RC18-EDGE Spring.FINAL

Firewalls can help limit traffic in and out of designated areas, but most firewalls enforce rules based on arbitrary (dynamic and spoofable) IP addresses. Furthermore, inside the protection of a firewall, devices are still able to communicate laterally and are often visible to the rest of the network. And, any slight misconfiguration of either the device or the firewall can be catastrophic.

Thankfully, with recent advancements in technology, this problem can be easily resolved. Rather than using ephemeral IP addresses for device identity, we can now use a unique host identifier that provides a more reliable attribute of identity. One such implementation is the Host Identity Protocol (HIP), an open IETF standard that adds a ‘host identifier’ in the form of a cryptographic public key associated with the host. With HIP-based solutions, two parties must share a cryptographic binding before being able to see each other on the network, effectively hiding (cloaking) portions of the network that are not allowed to communicate with each other.

With HIP, IP resources can move anywhere in the world and maintain connectivity, regardless of whether they’re in a static or dynamic IP environment. Now mobility and migration between buildings, remote offices, datacenters, shared networks, and multiple cloud providers is not only possible, but simple.

Smart Building Challenges – Beyond Cybersecurity

When facilities and operations teams work on building automation projects, they’re also trying to optimize network performance and resiliency. For example, pervasive Building Automation and Control Networks (BACnet) systems can create broadcast storms that might cripple network performance. These traffic storms can cause problems for network administrators due to high signal-to-noise ratios and interference that can disrupt other IP traffic on the network. It can happen without warning and take down critical building services. Today, with proper micro-segmentation, you can improve overall network performance by restricting noisy traffic to encrypted network segments.

Successful BACnet Segmentation for a Leading University

Penn State University (and its Facility Automation Services team) was tasked with segmenting and centralizing the university’s expansive BACnet system. The BACnet system controlled HVAC, lighting controls, and access controls for classrooms, high-value research labs, and more. Over 640 buildings are spread across dozens of state-wide campuses. Their network attack surface was large due to many rogue access switches and wireless access points. With BACnet communications openly traversing Penn State’s flat network, orders were to get the BACnet traffic segmented. An Identity-Defined Network (IDN) solution enabled the facilities staff to rapidly segment their expansive BACnet system with centralized management across their entire deployment.

In short, a secure networking solution enables Facilities and Operations teams to remove the traditional networking obstacles and:

•  Easily connect, control, and secure building automation systems to optimize efficiency

•  Enhance risk posture by reducing the network attack surface across the enterprise

•  Improve overall network performance by isolating specific network segments

•  Experience significant OpEx savings through simplified point-and-click management – no advanced IT skills required

Jeff Hussey is the President and CEO of Tempered Networks, the pioneer of the Identity-Defined Networking market. He is an accomplished entrepreneur and business leader with a proven track record in the networking and security markets.
