The potential attack surface continues to expand with virtual and multi-cloud networks, connected branch offices, growing volumes of IoT and endpoint devices, new SaaS applications, and the growth of Shadow IT. Most security teams, already suffering from understaffing and the looming cybersecurity skills gap, are struggling to keep up. The convergence of IT and OT is likewise adding to the challenges of securing today’s constantly evolving digital landscape. Everything from critical infrastructures, manufacturing floors, and transportation systems are being impacted. At the same time, new smart buildings are adding to the challenge, and many of these new interconnected environments are getting overlooked from a security perspective.
Smart Buildings Interconnect Traditionally Isolated Systems
Smart buildings are part of a new trend in digital innovation that integrates technology into traditionally isolated devices and systems such as appliances, automobiles, and even entire cities. These things have historically been comprised of completely separate elements. Buildings are a perfect example. Lights, elevators, HVAC systems, physical access to rooms, floors, or the building itself, emergency and alarm systems, and security devices, to just name a few, all largely operate as independent systems that often don’t receive the same security attention as other IT-connected resources, such as financial or manufacturing systems. This has to change.
IoT and cloud computing are disrupting the construction industry as more organizations are looking to retrofit or build out new smart buildings. The benefits range from ensuring occupant comfort and safety to improved efficiency and sustainability and lower power consumption. However, connecting smart building technology to the IT infrastructure, or directly to the internet, increases the risk of a cyberattack. If cyber terrorists are able to remotely lock doors and disable fire suppression systems, for example, this could be a formula for disaster.
Steps for Securing a Smart Building’s Cyber Environment
Smart building cyber security has generally not been included in the design, selection, or deployment of smart building technologies. The challenges of this approach are highlighted in a recent IDC report, sponsored by Fortinet, that not only examines a number of industries that have embraced smart building technology, but also identifies associated security implications and challenges and provides essential guidance for how to establish a security-first approach to smart building strategies.
- Organizations must adopt a long-term strategy that addresses both physical and cyber security. So it is essential that all key stakeholders are involved early in the process so that they understand the security implications, can identify critical systems and resources that need to be protected and can build consensus around a common security strategy built around a single, integrated security fabric.
- Because the list of integrated devices and automated systems designed to improve building and facility operations expands every day, the next consideration is to establish and maintain an inventory of all connected systems. Smart components include lighting, parking, HVAC systems, elevators, and building automation. In addition, building access control, air quality monitoring, fire and safety systems, solar energy systems, and communications systems are not only connected to IT, but in many instances, also interconnected to each other through a central building maintenance and management console – which means that the entire system is only as secure as its weakest system. The challenge is compounded further when smart buildings become smart campuses of an interconnected building due to a much larger potential attack surface.
- Organizations also need to develop an understanding of the vulnerabilities these solutions are subject to and the risks that a compromise can introduce. Weak passwords for building automation systems (BAS) and industrial control systems (ICS), unpatched operating systems embedded in control devices and vulnerable IoT devices, such as cameras and sensors, and back doors between devices and manufacturers for remote troubleshooting not only put the building and its occupants at risk, but can also be a conduit into the IT network and its valuable data and other digital resources. A number of high-profile network breaches began by cybercriminals hacking through connected buildings, including HVAC systems, digital cameras, and integrated IoT devices.
- Other considerations include consolidating security solutions used for both physical and IT systems to reduce the complexity in management and maintenance that is often the result of uncontrolled vendor sprawl. Use threat intelligence to track vulnerabilities and attacks and map them to devices to prioritize essential security functions such as patching, updating, and replacing vulnerable systems. Implement strict segmentation to isolate critical functions so that a compromise to one system does not represent an existential threat to the entire smart building and IT environments. For devices and systems that cannot be patched for a variety of reasons – headless IoT devices, embedded operating systems that can’t be modified, or mission-critical devices that simply can’t be taken offline, organizations need to ensure that strict proximity controls are in place to secure and isolate them.
Smart Building Require a Security-First Strategy
Smart buildings expand the potential attack surface and increase risk due to the increased numbers of devices and connected assets involved. At the same time, security resources are already overtaxed and simply do not have the time or resources to bolt security into the smart building environment after the fact. Instead, smart building technology investments must begin with security front and center, with both physical security and cybersecurity being the highest priority as well as the core building block when developing s smart building.
Read the full IDC report on securing smart buildings.
Learn more about how Fortinet’s ICS/SCADA security solution designs security into complex OT infrastructures, extending security from the data center, to the cloud, to the network perimeter.