Having recently taken a security awareness course as part of my annual requirement by my organization, I was thinking about how other assets (besides people) also tasked with roles in the business can better protect the corporate environment. This led to thoughts about the role of the smart building in deterring cyber-attacks. An organization’s information risk profile is defined through a risk assessment of organizational information infrastructure and associated data assets.
So how might the infrastructure of a smart building decrease your organizational risk profile? Can you measure this?
In terms of having an index, I am currently creating an index (like my security awareness course) to rate the level of cybersecurity a building provides to its owners (or lessees). Given we already have sustainability indices for commercial real estate in the form of the CBRE Green Building Adoption Index, my intention is to build a reference cybersecurity metric in how the infrastructure of smart buildings can be compared from the point of those either owning or renting the space. For this index, I will be defining the number of risks, type of risk and potential effects of risk on smart building infrastructural implementations.
Separating control from performance
Physical control of buildings was traditionally seen as separate from enterprise networks. The control systems domain was protected by physical separation, and facilities management was handled as a different domain. However, as global services delivery, data sharing and data acquisition for cost-effectiveness became critical functions within modern business, facilities management became tied to the corporate data network.
Smart buildings now combine legacy operational technology for building automation systems (BAS) with enterprise IT and IoT devices. IT environments have developed workflows and technologies to address cyber threats; building automation systems generally have not, so attackers can exploit BAS vulnerabilities to enter the IT network and reach restricted data held on servers and workstations.
Operational data and analytics on how a building performs have given facilities management better insight into asset management. But connectivity has also brought exposure to external exploits and possible attacks.
Life at the Edge
Given edge computing and IoT devices create content for analysis, can they also provide misinformation or redirection for potential attacks on the corporate network? In other words, can the smart building dangle a click bait carrot or honey trap for potential hackers to pull them off the scent of the main system?
Just as we have access layers of data security based on roles within the enterprise, perhaps we should start looking at creating a separate operational data layer for physical control of the building, with the building taking an active role in its own defense. IoT sensors could automatically switch an unoccupied office area into a ‘vacant’ security mode, applying preset settings that tighten network protection so that an intruder cannot gain access. That could mean terminals powered off, USB ports disabled, and access secured with physical tokens.
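As an added illustration (not code from the original post, and not any real BAS product), the following Python sketch models the ‘vacant mode’ idea above: an occupancy sensor feeds a zone controller, a grace period without presence drops the zone to a preset that powers terminals off, disables USB and requires a physical token, and a valid token presentation brings the zone back. The preset values, zone name, event timestamps and grace period are all constructed assumptions.

```python
"""Occupancy-driven 'vacant mode' for an office zone (constructed illustration)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Mode(Enum):
    OCCUPIED = "occupied"
    VACANT = "vacant"


@dataclass(frozen=True)
class Controls:
    terminals_on: bool      # workstations powered / logged in
    usb_enabled: bool       # USB ports live
    token_required: bool    # physical token needed to regain access
    network_profile: str    # name of the network policy applied to the zone


# Preset control states per mode (assumed values, not taken from any real BAS).
PRESETS: Dict[Mode, Controls] = {
    Mode.OCCUPIED: Controls(True, True, False, "standard"),
    Mode.VACANT: Controls(False, False, True, "restricted"),
}


@dataclass
class Zone:
    name: str
    grace_seconds: int = 300          # how long 'no presence' must persist before vacant mode
    mode: Mode = Mode.OCCUPIED
    last_presence: int = 0            # timestamp of the last 'present' reading
    audit: List[str] = field(default_factory=list)

    @property
    def controls(self) -> Controls:
        return PRESETS[self.mode]

    def _set_mode(self, mode: Mode, ts: int) -> None:
        if mode is not self.mode:
            self.mode = mode
            c = self.controls
            self.audit.append(
                f"{ts} {self.name}: mode={mode.value} terminals_on={c.terminals_on} "
                f"usb={c.usb_enabled} token_required={c.token_required} net={c.network_profile}"
            )

    def on_presence(self, ts: int, present: bool) -> None:
        """Occupancy sensor reading. Presence restores the occupied preset immediately."""
        if present:
            self.last_presence = ts
            self._set_mode(Mode.OCCUPIED, ts)

    def tick(self, ts: int) -> None:
        """Periodic check: fall back to VACANT once no presence was seen for grace_seconds."""
        if self.mode is Mode.OCCUPIED and ts - self.last_presence >= self.grace_seconds:
            self._set_mode(Mode.VACANT, ts)

    def on_access_attempt(self, ts: int, kind: str, token_ok: bool = False) -> bool:
        """kind is 'terminal' or 'usb'. Returns True when the current preset allows it."""
        c = self.controls
        if kind == "usb":
            allowed = c.usb_enabled                       # USB stays dead in vacant mode
        elif kind == "terminal":
            # Terminals are usable when powered, or when a physical token is presented
            # in a mode that requires one.
            allowed = c.terminals_on or (c.token_required and token_ok)
        else:
            allowed = False
        self.audit.append(
            f"{ts} {self.name}: {kind} access {'allowed' if allowed else 'DENIED'} "
            f"(mode={self.mode.value}, token_ok={token_ok})"
        )
        if allowed and self.mode is Mode.VACANT:
            self.on_presence(ts, True)                    # token use counts as presence
        return allowed


def run_scenario() -> Dict[str, object]:
    """Replay a constructed event sequence and return the decisions taken."""
    zone = Zone("floor3-east", grace_seconds=300)
    decisions: List[bool] = []
    zone.on_presence(0, True)
    decisions.append(zone.on_access_attempt(100, "usb"))            # occupied: allowed
    zone.on_presence(200, False)                                    # last person leaves
    zone.tick(400)                                                  # 400s since presence: vacant
    decisions.append(zone.on_access_attempt(450, "usb"))            # vacant: denied
    decisions.append(zone.on_access_attempt(460, "terminal"))       # no token: denied
    decisions.append(zone.on_access_attempt(500, "terminal", True)) # token: allowed, re-occupied
    return {"final_mode": zone.mode.value, "decisions": decisions, "audit": zone.audit}


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

The audit list is the part a security operations team would actually consume: every mode change and every denied attempt in a vacant zone is a candidate alert, which is what turns the building from a passive asset into one that reports on its own state.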
Design to cloak or protect
Another way to create a buffer around those assets is a slight disconnect through better perimeter management. One recent approach is the concept of Airwalls. Tempered Networks defines their Airwall edge services as “identity-defined perimeters that enforce access and segmentation for the systems protected within the Airwall”. This makes it possible to deploy end-to-end encrypted connectivity around operational assets. An Airwall controls and enforces authenticated network communications between protected systems, while denying access to all unauthorized systems. To my understanding, authorized devices for protected access would be physical objects, not passwords. The goal is to hide IP address information from a potential attacker by creating an air pocket within the enterprise. For those Star Trek fans reading this, imagine a Klingon cloaking device for the ICS.
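To make the “identity-defined perimeter” idea concrete, here is an added Python illustration (not Tempered Networks’ code, and not how their product is built): a gateway that authorizes a connection on the enrolled identity of the requesting device and an explicit allow-list of device pairs, and ignores the source IP address except for logging. A per-device HMAC secret stands in for the cryptographic device identity such products rely on; the device names, addresses and policy pairs are constructed assumptions.

```python
"""Identity-defined allow-list gateway (constructed illustration)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple


class IdentityPerimeter:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}            # device_id -> enrolled secret
        self._policy: Set[Tuple[str, str]] = set()   # allowed (src, dst) pairs
        self._issued: Set[bytes] = set()             # outstanding single-use challenges
        self.log: List[str] = []

    def enroll(self, device_id: str, secret: bytes) -> None:
        """Register a device identity. In a real deployment this is a provisioning step."""
        self._keys[device_id] = secret

    def permit(self, src: str, dst: str) -> None:
        """Allow-list one direction of communication between two enrolled identities."""
        self._policy.add((src, dst))

    def challenge(self) -> bytes:
        """Hand out a fresh nonce; each one authorizes exactly one request attempt."""
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    @staticmethod
    def prove(secret: bytes, nonce: bytes, dst: str) -> bytes:
        """What a device sends back: an HMAC over the challenge and the destination it wants."""
        return hmac.new(secret, nonce + dst.encode(), hashlib.sha256).digest()

    def request(self, src: str, dst: str, nonce: bytes, proof: bytes, src_ip: str) -> str:
        verdict = self._decide(src, dst, nonce, proof)
        self.log.append(f"{src_ip} {src}->{dst}: {verdict}")   # IP is recorded, never trusted
        return verdict

    def _decide(self, src: str, dst: str, nonce: bytes, proof: bytes) -> str:
        if nonce not in self._issued:
            return "DENY:replay-or-unknown-nonce"
        self._issued.discard(nonce)                  # consume it even if the attempt fails
        secret = self._keys.get(src)
        if secret is None:
            return "DENY:unknown-device"
        if not hmac.compare_digest(self.prove(secret, nonce, dst), proof):
            return "DENY:bad-proof"
        if (src, dst) not in self._policy:
            return "DENY:no-policy"
        return "ALLOW"


def run_demo() -> List[str]:
    """Exercise the gateway with constructed devices and return the verdicts in order."""
    gw = IdentityPerimeter()
    hvac_key, laptop_key = secrets.token_bytes(32), secrets.token_bytes(32)
    gw.enroll("hvac-controller", hvac_key)
    gw.enroll("fm-laptop", laptop_key)
    gw.permit("fm-laptop", "hvac-controller")        # facilities laptop may reach the controller
    results: List[str] = []
    # 1. enrolled device, permitted pair: allowed
    n = gw.challenge()
    results.append(gw.request("fm-laptop", "hvac-controller", n,
                              gw.prove(laptop_key, n, "hvac-controller"), "10.0.0.5"))
    # 2. the same nonce and proof presented again: denied as a replay
    results.append(gw.request("fm-laptop", "hvac-controller", n,
                              gw.prove(laptop_key, n, "hvac-controller"), "10.0.0.5"))
    # 3. same name and same source address, but without the enrolled key: denied
    n = gw.challenge()
    results.append(gw.request("fm-laptop", "hvac-controller", n,
                              gw.prove(b"not-the-key", n, "hvac-controller"), "10.0.0.5"))
    # 4. enrolled device, valid proof, but no policy for this direction: denied
    n = gw.challenge()
    results.append(gw.request("hvac-controller", "fm-laptop", n,
                              gw.prove(hvac_key, n, "fm-laptop"), "10.0.0.9"))
    # 5. device never enrolled: denied before any proof is examined
    n = gw.challenge()
    results.append(gw.request("guest-tablet", "hvac-controller", n, b"\x00" * 32, "10.0.0.5"))
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Two design points carry over to any real identity-defined perimeter: authorization is decided on a verified identity and an explicit policy rather than on where a packet came from, and every denial is logged with a reason, which is the raw material for detecting probing of the operational network.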
On the standards side, the IEC 62443 series of global cybersecurity standards is being developed to reduce vulnerability. It aims to improve the safety, availability, integrity and confidentiality of systems used for industrial automation and control.
How much risk exists from your operational BAC systems?
Smart buildings can be efficient and effective but can also come with cybersecurity vulnerabilities that can be inadvertently introduced when smart technologies are deployed without the necessary consideration of what controls and patches are required to protect them.
In your cybersecurity planning for 2020, what active role do your operational systems play, both in protection and in deterrence? Is your smart building helpful with sensor usage and alerts, or does it create hacking opportunities through disconnects and older communication protocols?
Reach out to have a conversation with me if you are interested in the index I am working on, or you’d like some advice on what cyber risk issues to consider in your infrastructural development.