Smart Buildings allow us to interact, learn and adapt with our environment. But how can we keep people, data and buildings safe and secure? Let’s explore!
There are many good reasons for smart buildings: they react intuitively to the needs of their users, learn the experiences and continuously adapt. They are comfortable, safe and efficient. They use resources optimally, can generate and store energy and manage consumption intelligently. When connected to the smart grid, they can become an active contributor in the energy ecosystem.
However, smart buildings can pose new risks. The Internet of Things and increased connectivity of devices to the cloud, can make buildings vulnerable to cyberattacks. The risks are constantly changing with the technical evolution on the building side, the legal framework that applies to cybersecurity, and the methods used by cybercriminals. Cybersecurity is no longer an option for building owners and operators, but a must.
Let’s take a closer look at the key trends impacting the cybersecurity of smart building technologies and the measures being taken to address these challenges.
Cybersecurity trend #1: The convergence of Information Technology (IT) and Operation Technology (OT) creates new risks
When IT and OT merge in smart buildings, new risks arise.
In
the past, building devices were OT-devices with a very small portion of
IT-technology (mostly IP address, subnet mask and default gateway address). IT-
and OT-networks were intentionally separated from each other, as they did not
need to mutually share information.
With
the requirement towards smarter buildings and shared infrastructure,
cross-domain information flows started and high demand for IT-OT convergence
arose. This trend exposes building systems to cyberattacks, if not adequately
protected.
Attackers can exploit known vulnerabilities in both new and existing installations to manipulate operations, steal data and cause damage in the buildings. For example, hackers can use phishing emails to gain illegal access and entry into OT systems from the enterprise network; and attackers are using OT systems, such as heating, ventilation and air conditioning (HVAC) systems, as entry points into data centers and corporate IT networks.
Cybersecurity trend #2: Improved security in building networks
Most building protocols (BACnet, KNX, Modbus, etc.) lack built-in security features, making attacks on building networks extremely difficult to detect and mitigate. This year, the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) published an addendum on BACnet Secure Connect.
With
BACnet Secure Connect (BACnet/SC), the building industry is taking important
steps to make building networks secure. BACnet/SC uses IT best practices and
techniques and integrates easily with the IT infrastructure.
Today, various
approaches are used to secure BACnet infrastructure, but these solutions can be
difficult to setup, and they place a burden on IT groups. BACnet/SC will make
it much easier to create a secure and standardized building
automation infrastructure that is fully compatible with existing BACnet
deployments. BACnet/SC impacts all aspects of Siemens BACnet automation
systems and tools; providing benefits to key buildings stakeholders – building
owners, operators and system integrators.
Other building
protocols also continue to advance in security, for example, KNX IP Secure protocol becomes the new ISO Standard, protecting the IP
communication between the KNX installations.
More info regarding building protocols and BACnet/SC is available in the Buildings for Tomorrow podcast.
Cybersecurity trend #3: Stricter legislation and regulations worldwide
The
growing risk of malicious cyberattacks on infrastructure assets and networks has
triggered regulators across the world to develop regulatory frameworks, mainly driven
by the need to safeguard critical national infrastructure.
In the first half of 2020, we have seen a wave of new legislations come into force across the globe. From the California IoT Bill and the California Consumer Privacy Act (CCPA) in the USA, through to the Telecommunications Business Law in Japan and a draft bill for the IT Security Act in Germany (IT-Sicherheitsgesetz 2.0).
The scene has been set and without doubt, more regulations will follow on a global scale, at both a national and regional level. Organizations need to be prepared by following best-practices and implementing cybersecurity standards, such as IEC 62443, ISO 27001, NIST 800-53, etc. in their products, systems and processes. Collaboration with global partners will also play a role in shaping the future success of cybersecurity.
Cybersecurity trend #4: Cyber-resilient supply chains
Don’t
be caught out by a weak link in the chain! Third-party risks
in supply chains can be a source of cyberattacks.
Recognizing
this as a rising trend, the Charter of Trust
initiative (a collaboration between Siemens and global partners to address
global cybersecurity needs), is focused on improving cybersecurity along the
whole digital supply chain, as a baseline for trust in digitalization,
and to reduce the risk of security incidents.
The Charter of Trust members have outlined the baseline requirements for ensuring cybersecurity is an absolute necessity throughout all digital supply chains. These requirements address all aspects of cybersecurity – including people, process, and technology. For example, new Siemens suppliers must comply with minimum binding cybersecurity requirements, which are anchored in a separate, binding clause in all new contracts.
Cybersecurity trend #5: Cybersecurity by design and default
In the past, building
devices and systems were isolated and faced fewer security risks. Over the
years, buildings improved by providing interconnectivity,
cloud connection and data analytics. With that came IoT-enabled
devices connected to cloud services via the internet – opening the door to
cyberattacks.
Products with in-built security are becoming the new norm.Therefore, to protect such devices, building technology manufacturers have adopted a new approach to cybersecurity. They have started to enable cybersecurity into the initial design of products (“cybersecurity by design”), and provide secure default settings in their new products and portfolios, before shipping to the customers (“cybersecurity by default”), as for example with the new Desigo PXC4 and PXC5 controllers from Siemens.
The most important features which can be built directly into new products are:
- Firmware signature for verifying the integrity of firmware.
- Encrypted communication with the embedded web interface and TLS/SSL certificates handling.
- Device identification by imprinting a digital certificate on every device already in the factory, thus providing a trustful and unforgeable source from which the serial number of the device can be retrieved.
- Password protection policy and the force of password change on the first use.
- System hardening with penetration test, so not required or insecure features and functionalities are disabled by default.
Final Thoughts on Cybersecurity for smart buildings 2020 and beyond
2020 has already been an interesting year. The cybersecurity threat landscape is constantly changing,
given the rapid pace of digitalization
and technological progress in the building industry. But one thing is clear – a
holistic approach to cybersecurity is essential.
It is a global challenge that requires awareness, continuous vigilance, and a consolidated effort from key building stakeholders – owners, planners, designers, building operators, system integrators, users and device manufactures. Superior technology, information advantages, and the right partners are important keys to success.
The latest cybersecurity trends in smart buildings.
