Cybersecurity solutions cannot be a self-serving or isolated in their approach. They need to be part of a holistic solution.
I have avoided this discussion in the past because understanding and highlighting all of the potential security and privacy concerns could paralyze us. For some 20 years plus we have operated in a wild west manner, mashing our machines with the open internet and achieving amazing things quickly. I do not want to lose this platform of global innovation and participation.
My concern is that in fencing off every risk we will end up the ones behind the fences—immobilized, paralyzed, victims of our own fears. I have grave concerns that over-regulation could be a worse scenario than our worst cybersecurity concerns.
Yet, our Building Automation Systems are not considered secure. We need to fix this. As we install more and more sophisticated smart building technologies, many of which involve IT systems, we have become IT people. Therefore we need to think like IT people. We need to revisit our existing systems’ security and clean up our mess.
We have gathered the views of several Cybersecurity experts to provide us with advice on how to proceed without immobilizing ourselves. I am extremely pleased and amazed at the width and depth of coverage.
In this article, contributing editor Anto Budiardjo and myself discuss why Cybersecurity has to be the concern of everyone in the building automation industry. According to James Lee, CEO, Cimetrics, Inc., "Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi."
Lee further develops his ideas in this article, The Need for Holistic BAS Cybersecurity:
The first and most important aspect for all players in the industry is that cybersecurity is everyone’s business, not just the experts. Yes, cybersecurity is a complex subject but we are not all going to nerd out on the intricacies of ciphers, zero-day threats, certificates and so on.
What every single professional must demand is that our devices, systems, and buildings are secure from cyber threats. Every proposal, project meeting and company planning session going forward must discuss how cybersecurity is being addressed in that instance.
This leads to my second point: Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi. This means not only does each player need to deal with cybersecurity in their work, but it is the task of everyone to ensure others in the value chain deliver solutions that are secure.
A useful tool many other industries use to chart their process of bringing cybersecurity to the forefront is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a comprehensive set of standards, guidelines and best practices created through a collaborative process by the U.S. government agency responsible for cybersecurity matters.
Fred Gordy of Intelligent Buildings, LLC provides cybersecurity evaluation of building control systems in this article, The State of BAS Cybersecurity. He makes note of many of the tools and methods we use to complete a holistic cybersecurity evaluation of building control systems:
In 2018 the number of assessments we performed increased to more than double of 2017. This was due in part to the growing awareness of the need for securing building control systems, but also the real and present danger of attacks to building control systems. In this article, I will share the results of assessments and BAS attacks we have first-hand knowledge of.
Another article from Anto Budiardjo, Cybersecurity: The Gatekeeper to Value discusses the opportunities that are emerging as part of the inevitable BAS/IT convergence:
On the technology front, IoT (Internet of Things) is driving down the cost of hardware; open source is democratizing software development, and communication technologies from 5G to WiFi are making connectivity cheap and ubiquitous. From a social perspective, we are all living super-connected lives with our smartphones as a must-have tool for both business and personal use. With that in mind, there is very little standing in the way of the BAS industry from leveraging this pervasive connectivity to achieve IT convergence and increase the value of what it offers.
Marc Petock, Chief Communications Officer for Lynxspring, Inc., and Contributing Editor discusses the risks to be aware of in this article, The Business Side of Cyber Security Why it Matters:
In today’s data-driven economy and smart based buildings, it is essential we collect, store and adequately protect data and proprietary secrets. Failure to do so will significantly damage a company’s brand, have an adverse effect on operations and directly impact revenue and profitability.
The frequency of cyber attacks is only going to accelerate over the coming years. Therefore it is vital that we have a full understanding of the inherent business risks and implications. Balancing cyber security priorities with business flexibility and agility is a tough challenge. But it’s a challenge every organization faces as it strives to drive growth, achieve competitive advantage and maximize operational and performance efficiencies.
Cyber security is hard and always will be. Attackers will continue to innovate with new techniques, deception and determination. The challenge isn’t people, process, or technology; they all exist today and are available. The big issue is the internal culture at companies and the understanding of cyber security from a business perspective and why it matters.
It all comes to one thing-- risk. How much are you willing to take? We can no longer take a wait-and-see philosophy or “it’s not going to happen to us” approach when it comes to prioritizing and aligning cyber initiatives within our buildings. As we operate in an interconnected environment, we must look at their entire ecosystem and spread and share responsibilities, creating security partnerships. Cyber security is no longer an individual company effort; it is a shared responsibility among us all.
Kevin T. Smith, CTO, Tridium, discusses just what’s at stake in this article, Towards a Cybersecurity Partnership in Connected Buildings:
Over the past few months, there has been some well-needed government and media attention paid to the cybersecurity posture of control systems used in smart buildings and Operational Technology (OT) networks. Cyber-threat watchers note that there continues to be a significant number of these control systems that are configured in an insecure manner and exposed on the Internet. This is something that must change.
Decades ago, organizations had to quickly become savvy about protecting their Information Technology (IT) networks from remote attackers. As IT networks grew, so did the cybersecurity threats — viruses, malware, and phishing attacks proliferated, and they continue to do so. Organizations that experienced early, highly publicized cyberattacks and data breaches learned painful and costly lessons. In too many of those cases, proper focus on cybersecurity awareness and best practices only happened after such an attack. Luckily, we can learn from those mistakes and lessons from the past and apply them to OT networks today. It is our goal that smart building owners and operators avoid the harsh realities of cyberattacks now by taking a proactive approach towards cybersecurity.
Cybersecurity is a partnership: we all have a role to play.
Therese Sullivan, Contributing Editor and Customer Marketing Leader for Tridium talks about the need to continually maintain and upgrade the new cybersecurity systems in this article, Cybersecurity or Something Better:
For decades now, the vision of intelligent buildings that self-correct when they are wasting energy and self-adjust when they are providing anything less than a healthy, comfortable and productivity-enhancing indoor environment for occupants has been driving the building automation industry forward. Today, advancements in cloud computing and machine learning, as well as greater adoption of common standards for network connectivity and data interoperability, are making the full vision a reality for some showcase buildings. At the same time, connected devices are seeping into all types of buildings in less visionary, more piecemeal ways and sometimes without sufficient IT/OT oversight. Is this moving us faster toward the intelligent-buildings-for-all future we expect? Or, is this trend simply creating a larger and more attractive cyber-threat landscape for attackers, with consequences that will slow our progress.
Jim Butler CTO Cimetrics Inc. talks security in this article, BACnet/SC a Secure Alternative to BACnet/IP:
For the past several years, the members of the BACnet IT working group I chair have been developing a more secure method of communication for BACnet based on widely used IT standards. This method exclusively applies to communication on IP networks, and we are calling it "BACnet/SC" or “BACnet Secure Connect.” I believe BACnet/SC will become a popular alternative to BACnet/IP in the future.
I have skipped over many important details of BACnet/SC in this short article. If you are interested in learning more, I encourage you to read the white paper "BACnet Secure Connect" written by members of the BACnet IT working group.
Pook-Ping Yao, CEO, Optigo Network, questions how NIST’s cybersecurity framework applies to operational Ttechnology in this article, A Cybersecurity Framework for the World of BAS:
It’s been five years since the National Institute of Standards and Technology (NIST) released its cybersecurity framework. A great deal has changed in technology over those years, but the framework remains absolutely critical in our world of growing connectivity.
And yet, I still hear the confusion in the building automation world about what this framework means for us. Many buildings are slowly marching forward in that journey to “smart.” Do we really have to worry about cybersecurity?
Well, in a word: yes.
Deb Noller, CEO, Switch Automation in this e-mail interview talks about How to Safeguard your CRE portfolio against Cybersecurity Attacks:
Noller: A smart building platform is a powerful cybersecurity tool that empowers your FM team to easily perform continuous commissioning as well as regularly assess device connectivity and network integrity. Cloud-hosted smart building solutions are often the most secure, updating automatically for protection against the latest malware. Additionally, a cloud solution tends not to require the regular dispatch of software engineers for functionality customization and support. By integrating diverse hardware and software, an effective smart building solution will support a range of stakeholders, driving asset visibility and enabling more cost-effective building performance. To extend the flexibility of your FM team, consider a solution with a mobile app and empower them to communicate about critical issues quickly and effectively while on the go.
How secure is your commercial real estate portfolio? Download this free e-book and safeguard your portfolio against cybersecurity threats now.
Please ensure you are not our weakest link due to a lack of understanding and the necessary proactive implementation. Cybersecurity is everyone’s business, not just the experts. Protect yourself while helping to secure our industry.
A list of some Communities of Practice for Cybersecurity
NIST This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. https://www.nist.gov/cyberframework
"BACnet Secure Connect" written by members of the BACnet IT working group.
Niagara systems integrators Harden Your Smart Building Against Cyber Threats. Cybersecurity as a the top priority and we are dedicated to continuously improving the security posture of our products and providing guidance to Niagara systems integrators, business partners, and facility managers.
https://www.isasecure.org/en-US/ IEC 62443 Standards and ISASecure® Certification: Applicability to Building Control Systems The ISASecure® Certification Program can accelerate BCS industry cybersecurity initiatives.
https://ics-cert.us-cert.gov/ The Cybersecurity and Infrastructure Security Agency (CISA) incorporates an Industrial Control Systems (ICS) element that works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors.
The not-so-definitive guide to cybersecurity and data privacy laws US cybersecurity and data privacy laws are, to put it lightly, a mess. Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.