The top five trends shaping cybersecurity in smart buildings
Smart Buildings allow us to interact, learn and adapt with our environment. But how can we keep people, data and buildings safe and secure? Let’s explore!
There are many good reasons for smart buildings: they react intuitively to the needs of their users, learn the experiences and continuously adapt. They are comfortable, safe and efficient. They use resources optimally, can generate and store energy and manage consumption intelligently. When connected to the smart grid, they can become an active contributor in the energy ecosystem.
However, smart buildings can pose new risks. The Internet of Things and increased connectivity of devices to the cloud, can make buildings vulnerable to cyberattacks. The risks are constantly changing with the technical evolution on the building side, the legal framework that applies to cybersecurity, and the methods used by cybercriminals. Cybersecurity is no longer an option for building owners and operators, but a must.
Let’s take a closer look at the key trends impacting the cybersecurity of smart building technologies and the measures being taken to address these challenges.
Cybersecurity trend #1: The convergence of Information Technology (IT) and Operation Technology (OT) creates new risks
In the past, building devices were OT-devices with a very small portion of IT-technology (mostly IP address, subnet mask and default gateway address). IT- and OT-networks were intentionally separated from each other, as they did not need to mutually share information.
With the requirement towards smarter buildings and shared infrastructure, cross-domain information flows started and high demand for IT-OT convergence arose. This trend exposes building systems to cyberattacks, if not adequately protected.
Attackers can exploit known vulnerabilities in both new and existing installations to manipulate operations, steal data and cause damage in the buildings. For example, hackers can use phishing emails to gain illegal access and entry into OT systems from the enterprise network; and attackers are using OT systems, such as heating, ventilation and air conditioning (HVAC) systems, as entry points into data centers and corporate IT networks.
Cybersecurity trend #2: Improved security in building networks
Most building protocols (BACnet, KNX, Modbus, etc.) lack built-in security features, making attacks on building networks extremely difficult to detect and mitigate. This year, the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) published an addendum on BACnet Secure Connect.
With BACnet Secure Connect (BACnet/SC), the building industry is taking important steps to make building networks secure. BACnet/SC uses IT best practices and techniques and integrates easily with the IT infrastructure.
Today, various approaches are used to secure BACnet infrastructure, but these solutions can be difficult to setup, and they place a burden on IT groups. BACnet/SC will make it much easier to create a secure and standardized building automation infrastructure that is fully compatible with existing BACnet deployments. BACnet/SC impacts all aspects of Siemens BACnet automation systems and tools; providing benefits to key buildings stakeholders – building owners, operators and system integrators.
Other building protocols also continue to advance in security, for example, KNX IP Secure protocol becomes the new ISO Standard, protecting the IP communication between the KNX installations.
More info regarding building protocols and BACnet/SC is available in the Buildings for Tomorrow podcast.
Cybersecurity trend #3: Stricter legislation and regulations worldwide
The growing risk of malicious cyberattacks on infrastructure assets and networks has triggered regulators across the world to develop regulatory frameworks, mainly driven by the need to safeguard critical national infrastructure.
In the first half of 2020, we have seen a wave of new legislations come into force across the globe. From the California IoT Bill and the California Consumer Privacy Act (CCPA) in the USA, through to the Telecommunications Business Law in Japan and a draft bill for the IT Security Act in Germany (IT-Sicherheitsgesetz 2.0).
The scene has been set and without doubt, more regulations will follow on a global scale, at both a national and regional level. Organizations need to be prepared by following best-practices and implementing cybersecurity standards, such as IEC 62443, ISO 27001, NIST 800-53, etc. in their products, systems and processes. Collaboration with global partners will also play a role in shaping the future success of cybersecurity.
Cybersecurity trend #4: Cyber-resilient supply chains
Don’t be caught out by a weak link in the chain! Third-party risks in supply chains can be a source of cyberattacks.
Recognizing this as a rising trend, the Charter of Trust initiative (a collaboration between Siemens and global partners to address global cybersecurity needs), is focused on improving cybersecurity along the whole digital supply chain, as a baseline for trust in digitalization, and to reduce the risk of security incidents.
The Charter of Trust members have outlined the baseline requirements for ensuring cybersecurity is an absolute necessity throughout all digital supply chains. These requirements address all aspects of cybersecurity – including people, process, and technology. For example, new Siemens suppliers must comply with minimum binding cybersecurity requirements, which are anchored in a separate, binding clause in all new contracts.
Cybersecurity trend #5: Cybersecurity by design and default
In the past, building devices and systems were isolated and faced fewer security risks. Over the years, buildings improved by providing interconnectivity, cloud connection and data analytics. With that came IoT-enabled devices connected to cloud services via the internet – opening the door to cyberattacks.
Therefore, to protect such devices, building technology manufacturers have adopted a new approach to cybersecurity. They have started to enable cybersecurity into the initial design of products (“cybersecurity by design”), and provide secure default settings in their new products and portfolios, before shipping to the customers (“cybersecurity by default”), as for example with the new Desigo PXC4 and PXC5 controllers from Siemens.
The most important features which can be built directly into new products are:
- Firmware signature for verifying the integrity of firmware.
- Encrypted communication with the embedded web interface and TLS/SSL certificates handling.
- Device identification by imprinting a digital certificate on every device already in the factory, thus providing a trustful and unforgeable source from which the serial number of the device can be retrieved.
- Password protection policy and the force of password change on the first use.
- System hardening with penetration test, so not required or insecure features and functionalities are disabled by default.
Final Thoughts on Cybersecurity for smart buildings 2020 and beyond
2020 has already been an interesting year. The cybersecurity threat landscape is constantly changing, given the rapid pace of digitalization and technological progress in the building industry. But one thing is clear – a holistic approach to cybersecurity is essential.
It is a global challenge that requires awareness, continuous vigilance, and a consolidated effort from key building stakeholders – owners, planners, designers, building operators, system integrators, users and device manufactures. Superior technology, information advantages, and the right partners are important keys to success.