Why divorcing your building and IT networks will make for a more secure long-term relationship with your smart building.
You’ve taken the plunge and are now operating or developing a smart building. All those efficiency savings and the improved tenant satisfaction from automated systems are pretty amazing. But have you given much thought to how integrating your building network into your existing IT network can lead to security issues down the road? Is connecting your new smart thermostat opening up your IT network to potential threats and intruders?
Challenges of integrated systems
For years, IT networks have combined our wired and Wi-Fi Internet connections with our phones, data centers, and servers. When smart building technologies came along and needed networking, it seemed like a no-brainer to run these new building systems on the already available IT network. As a consequence, our HVAC, lighting, security cameras, elevators, access controls, and other smart devices have increasingly become part of the IT network, sometimes with communications and access provided to facility managers so they can monitor the devices that typically remain their responsibility. Convergence, it seems, is prevalent.
However, this model is increasingly coming under attack. While the vulnerabilities of IT systems have long been seen as a security concern, the same cannot be said of building systems. It is only with the recent move to IP-addressable smart building technology and the convergence of building systems onto the IT infrastructure that IT networks have once again become vulnerable – this time through building technologies. And hackers are taking notice, even if the concern has not yet become general amongst smart building integrators.
The 2013 attack on Target is a case in point. If you remember, the breach started with hackers gaining access to Target’s network through an HVAC system. Once on Target’s building network, the hackers were able to reach Target’s point-of-sale (PoS) terminals, which were accessible from the same network (most likely as a result of convergence). An even larger attack took place on Home Depot’s networks in 2014.
Because of the daily news of hacks and breaches, there is growing concern in the more general Internet of Things (IoT) sector with respect to privacy and security. The industry has learned (and governments are catching on) that widespread adoption of IoT is hampered by consumer and business apprehension over privacy and security. According to IDG Enterprise Research, the biggest increase in IT spending is in security technologies, with 46 percent of companies reporting that their security budgets will increase in 2015. It’s a huge market looking for answers and new technologies.
With the threat of hackers attacking the building network increasing (especially to reach PoS terminals) and enterprises and consumers increasingly concerned, Homeland Security is starting to get involved. This is particularly prudent, as the Secret Service estimates more than 1,000 US businesses were affected by the same attack as Target and Home Depot. So what is a smart building operator or developer to do?
What is the answer?
Solutions do exist for those with the proper equipment and expertise. A single switch can be configured to properly manage inbound and outbound communications. Sophisticated Access Control Lists (ACLs) can be created at the Ethernet layer to limit traffic between devices and the servers and data centers they are meant to connect to. And expensive monitoring software can be purchased to actively search out anomalies in network traffic. All of these require a highly trained IT team with specific knowledge of, and a particular interest in, network security.
But these solutions are generally only good for single switches that are easy to logically configure and monitor. What happens when the building has hundreds or thousands of devices across a wide area, riding on top of a sophisticated IT infrastructure configured to share sensitive financial and confidential information? Furthermore, as new devices are added or when changes in the network are required, a rebalancing of these rules and configurations may make maintenance of the network complicated – especially after turnover in your IT team. How is such a complex system to be managed?
The case for segregated networks
Segregating your building systems from your IT network is the simplest and most effective way to minimize any impact of someone infiltrating the building systems and stealing sensitive information. It is the best and only way to ensure the building network port connected to your HVAC controller cannot talk to sensitive servers or gain access to sensitive credit card information riding on your IT infrastructure.
Physical separation ensures this. And if communication between the IT and building systems is required, properly configured firewalls or virtual private networks (VPNs) between your IT network and your building network are easily managed to allow only the proper traffic between the two networks to get through.
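To make the "only allow the proper traffic" idea concrete for both the switch ACLs described earlier and the firewall at the IT/building boundary, here is an added example (not code from the article or from Optigo) of an allow-list policy that is evaluated against sample flows and rendered as nftables rules. The address ranges, the single BMS head-end host that is allowed across the boundary, and the port numbers are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (an assumption, not from the article): building network
# 10.20.0.0/16 with the BMS head-end at 10.20.1.10; IT network 10.10.0.0/16 with
# facilities staff on 10.10.7.0/24, a syslog collector at 10.10.2.5, PoS on 10.10.50.0/24.
BUILDING = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
BMS_HEAD_END = ipaddress.ip_network("10.20.1.10/32")
FACILITIES = ipaddress.ip_network("10.10.7.0/24")
SYSLOG = ipaddress.ip_network("10.10.2.5/32")

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

# First match wins; anything unmatched is dropped. Only the head-end crosses the
# boundary, so a compromised controller has no path to PoS or file servers.
POLICY = [
    Rule("accept", FACILITIES, BMS_HEAD_END, "tcp", 443),  # staff -> head-end web UI
    Rule("accept", BMS_HEAD_END, SYSLOG, "udp", 514),      # head-end -> SOC log collector
    Rule("drop", BUILDING, IT_NET),                        # all other building -> IT
    Rule("drop", IT_NET, BUILDING),                        # all other IT -> building
]

def decide(policy, src, dst, proto, dport):
    """Return the action taken for one flow (default drop)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in r.src and d in r.dst and r.proto in (None, proto)
                and r.dport in (None, dport)):
            return r.action
    return "drop"

def to_nft(policy):
    """Render the same policy as nftables rule lines for the boundary chain."""
    lines = []
    for r in policy:
        parts = [f"ip saddr {r.src}", f"ip daddr {r.dst}"]
        if r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto is not None:
            parts.append(f"meta l4proto {r.proto}")
        lines.append(" ".join(parts + [r.action]))
    return lines
```

Running `decide(POLICY, "10.20.30.5", "10.10.50.20", "tcp", 445)` returns "drop": an HVAC controller on the building network has no route to the PoS segment, which is exactly the lateral move the Target breach relied on.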
The Department of Homeland Security agrees. In response to the Target attacks, a recent alert from the US Computer Emergency Readiness Team (US-CERT) recommends segregated networks as an important layer of security separating devices such as PoS devices from the broader IT infrastructure. We agree with this recommendation and believe that the entire building system should be logically and physically separated from IT.
Building systems and IT often have different owners, and require different layers of security. While firewalls and complex security software are commonplace on servers and computers, they do not yet exist for the user-less devices that make a smart building work.
While no amount of security will guarantee protection, there are simple steps that a smart building developer should take. It starts with segregated or dedicated building networks. This layer of security is a cost-effective approach to securing a smart building that will become even more crucial in the years ahead, as increasing amounts of smart technology are added to a smart building’s infrastructure. Target’s hack through the HVAC system has cost the company $200 million and counting. Separating networks is not that hard to do, and it will result in not just a smart building, but a secure smart building. It’s worth it.
About the Author:
Pook-Ping Yao is CEO of Optigo Networks, a company making smart buildings smarter. Ping is a recognized expert in networking with years of network security experience. He spent over 12 years at PMC-Sierra in networking design and applications.