There’s no doubt that smart buildings encompass a greater number of connected systems and devices than ever in the history of commercial real estate. While smart building technologies enable efficient, safe, healthy, and productive environments, they also expand the digital attack surface for cybercrimes that threaten to jeopardize business, endanger lives, and disrupt critical infrastructure. Unfortunately, the risk increases as more information technology (IT) and operational technology (OT) systems and devices come online, making cybersecurity a critical issue for smart building owners and operators.
Where is the greatest vulnerability?
While IT systems have long been seen as a risk and protected via network firewalls, antivirus software, and data encryption, traditional standalone building systems were not deemed significantly in danger of exposure to outside threat because they were not connected to the internet. With convergence and integration of IT/OT technologies, that’s no longer the case.
“There are many different zones across building systems, from lighting and physical security, to building automation and fire safety systems,” says Jason Christman, vice president and chief product security officer at Johnson Controls. “What was previously isolated and not really part of cybersecurity governance is now connected, which offers greater opportunity for hackers and presents inherent risk. Vulnerable endpoint devices could enable a botnet attack, as we have witnessed with the Mirai botnet that exploited security cameras and video systems to cause a widespread denial of service. These vulnerable devices can also be used by attackers as a pivot point to gain deeper access across IT and OT systems. The good news is that the industry is now starting to focus on the issue, and building owners and operators are recognizing the need to have a secure-by-design OT infrastructure.”
OT systems face additional challenges: they are often made up of a variety of proprietary devices and protocols, security expertise is scarce in the OT environment, and their software is frequently outdated. While patches are constantly pushed out over the IT network to keep operating systems up to date and secure, they are rarely applied on the OT side, where patching is more problematic: each update requires thorough testing and verification, and the planned downtime affects high-availability automation and life-safety systems.
In a July 2021 report, Gartner predicted that by 2025, cyber attackers will succeed in weaponizing OT environments to successfully harm or kill humans, with the potential for the financial impact of these types of attacks to reach more than $50 billion in the next two years. According to Gartner, hackers have three main objectives for attacking OT systems—actual harm, commercial vandalism, and reputational vandalism. “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner.
What are the best strategies for protection?
Securing a smart building is easier in a greenfield situation where the right policies, procedures, and governance can be implemented from the very beginning to design the building with a zero-trust architecture (ZTA)—the underlying concept of cybersecurity policies and programs like the NIST (National Institute of Standards and Technology) Cybersecurity Framework used by federal government agencies and adopted by many organizations. Sometimes referred to as “perimeter-less,” ZTA is based on the “never trust, always verify” principle: nothing is trusted by default. In other words, no system, device, application, or user accessing the architecture is assumed to be secure; every access must be verified. But that doesn’t mean there isn’t hope for retrofits.
“Greenfield installations can cost more up front but are ideal for designing a zero-trust architecture right from the beginning. They offer a clean slate to implement contemporary security controls and capabilities and secure configurations and provide the opportunity to educate IT and facility managers on cybersecurity governance, create incident response playbooks, and establish a cadence of continuous monitoring,” says Christman. “In existing facilities, there are ways to overlay elements of a zero-trust architecture on top of OT systems. While having everything connected can increase the possibility of a hacker finding their way in, increased integration supports better security monitoring and risk management through practices such as microsegmentation and software-defined networking.”
Microsegmentation and software-defined networking are related concepts that can work together to improve security. Microsegmentation is the practice of dividing network infrastructure, data, and workloads into distinct zones that can be individually secured, reducing the attack surface and improving the ability to contain a breach within one zone. Software-defined networking (SDN) provides a more effective way to implement microsegmentation logically (virtually) in software. One SDN technology well suited to protecting OT systems, known as software-defined perimeter (SDP), creates microsegmented zero-trust access boundaries that are dynamically configured in software and can be deployed in public and/or private clouds, as well as on premises.
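To make the microsegmentation idea concrete, here is an added illustration (not from the article, Johnson Controls, or any vendor) that treats the building-system zones named in the article as a default-deny policy and checks constructed flow records against it, flagging the camera-to-BAS pivot the article warns about. The address ranges, allow rules, and sample flows are assumptions constructed for the example.

```python
import ipaddress
# Zones from the article plus an assumed OT management zone; ranges are constructed.
ZONES = {
    "10.10.0.0/24": "lighting",
    "10.20.0.0/24": "physical-security",    # cameras, access control
    "10.30.0.0/24": "building-automation",  # BAS controllers
    "10.40.0.0/24": "fire-safety",
    "10.90.0.0/24": "ot-management",        # monitoring and engineering workstations
}

# Zero trust between zones: a cross-zone flow is denied unless listed here (assumed rules).
ALLOW = {
    ("ot-management", "building-automation", 47808): "BACnet/IP supervision",
    ("ot-management", "physical-security", 443): "camera admin console",
    ("physical-security", "ot-management", 514): "syslog to monitoring",
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"

def evaluate(src, dst, port):
    """Return (allowed, reason) for one flow under the default-deny zone policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, f"intra-zone {s}"  # this example segments at zone granularity
    reason = ALLOW.get((s, d, port))
    return (True, reason) if reason else (False, f"denied {s} -> {d}:{port}")

def audit(flow_lines):
    """Apply the policy to 'src,dst,port' records and return the cross-zone violations."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.strip().split(",")
        allowed, reason = evaluate(src, dst, int(port))
        if not allowed:
            violations.append((src, dst, int(port), reason))
    return violations

# Constructed sample flows; the last two model a compromised camera reaching toward OT controllers.
SAMPLE_FLOWS = [
    "10.90.0.5,10.30.0.10,47808",  # engineering workstation -> BAS controller
    "10.20.0.7,10.90.0.20,514",    # camera -> syslog collector
    "10.20.0.7,10.30.0.10,47808",  # camera -> BAS controller (denied)
    "10.20.0.7,10.40.0.3,22",      # camera -> fire-safety panel (denied)
]
```

Running `audit(SAMPLE_FLOWS)` returns the two denied flows, which is the signal a monitoring team would turn into an alert.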
According to Christman, the number one cybersecurity objective of any smart building project is to make sure that it includes an OT security governance program. “Once you know how you’re going to govern it, you can start to determine which capabilities and technologies you need, which standards to follow, and how to ensure assessment and continuous monitoring. But it is a shared responsibility, and all stakeholders play a part—suppliers, integrators, service providers, owners, and operators,” he says. “You also have to look at your individual business and identify your specific risks and what you have to lose, including the downstream impact on the financial health of the business and occupant safety. Then ROI can be demonstrated to stakeholders, including insurance providers that seek to prevent the biggest losses and may provide incentive for doing so.”
Standards and guidelines to follow
Organizations can follow several standards, guidelines, and procedures to ensure cybersecurity in a smart building, including some geared specifically to OT systems where protection is needed most. Among the documents are NIST standards, the ISA/IEC 62443 series of standards that covers cybersecurity in industrial automation and control systems, the ISO/IEC 27001 information security management standard, SOC 2 (System and Organization Controls 2) requirements for organizations processing data and storing information in the cloud, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards for energy and utility companies, and the UL 2900 standards that present general software cybersecurity requirements for network-connectable products—just to name a few.
With so many standards, many of which are industry-specific, Christman says this is where the Building Cyber Security (BCS) Risk Framework and the SPIRE Smart Building Program come in handy. “Not all of the technical controls in these standards apply, and smart building owners and operators don’t have the ability to absorb them all. What we really need to do is simplify it for commercial buildings—we need to speak their language. Unlike LEED certification that has no requirement to go back and reevaluate and fine-tune the building’s efficiency, cybersecurity demands continuous monitoring and reassessment. That’s what programs like SPIRE and BCS are working towards—they basically take standards and package them into a risk framework for commercial buildings,” says Christman. “While there are criminals focused on data and financial gain through ransomware, it’s becoming easier for more sinister adversaries to take down systems that could impact life, health, and safety. We have no choice but to do the work.”
Betsy Conroy is a freelance writer, editor, and content consultant, specializing in business-to-business media and commerce. She has 30 years’ experience writing technical content.