Ten years ago may as well have been 100 years ago for most aspects of building climate controls and security. Aside from the introduction of digital thermostats, everything else in our buildings relied on analog controls for their functions. Now we have programmable lights, CO2 sensors, and thermostats which can drive variable-speed HVAC that targets both temperature and humidity settings. Smart buildings are here and they promise us more pleasant surroundings as well as savings in maintenance and energy.
Home workers are seeing similar developments in their domestic workspaces. What used to be solely the domain of commercial real estate is now firmly in place in our homes. Smart buildings aren’t just here, they’re pervasive. Those IoT devices promise us better living through technology.
They also promise a new class of devices for attackers to consider. These smart building controls are connected to the Internet and have a good deal of processing power, all things considered. They’re also usually connected to flat internal networks that allow them free rein to reach out and touch anything else on the network. Unlike other items on the network, they’re often deployed outside the oversight of IT teams that want to secure them – and by facilities teams that don’t know that they need to be secured.
I’ve written about IoT security recently but I’m writing about it again because of a recent Wall Street Journal article about smart buildings and the security vulnerabilities they present.
It’s ironic that controls put into place to detect viruses in the office air aren’t ready-made to detect computer viruses that could be attacking them. That means we have to help them out.
The first step is segmentation. Getting to an IoT building control should not mean that the rest of the network is the next destination. Traffic to and from these devices should be limited to what is necessary. Typically, that should include traffic paths to and from a management system, security tools, and directory services to handle logons. If the management system, security tools, and directory services are themselves protected with strong identity management and enforcement tools, then strong controls are already in place. Remember, not only can controls be exploited to move deeper into a network, but they are themselves a potential target for an attacker looking to replicate a kinetic attack through modification or destruction of building controls. If the management tools are secure, then the risk of a compromise of the building controls is reduced.
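One way to check that segmentation against observed traffic, as an added example that is not part of the original article: the script audits flow records for a building-controls segment against an allowlist of the three peer groups named above. The subnets, ports and sample flows are constructed assumptions, and the flow record is simplified to source, destination and destination port.

```python
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

CONTROLS = ipaddress.ip_network("10.50.0.0/24")  # assumed building-controls segment
# role -> (peer network, ports devices may reach on it, ports it may reach on devices)
POLICY = {
    "management": (ipaddress.ip_network("10.10.1.10/32"), {443}, {443, 47808}),
    "security-tools": (ipaddress.ip_network("10.10.2.0/28"), {6514}, {22, 443}),
    "directory": (ipaddress.ip_network("10.10.3.5/32"), {88, 636}, set()),
}

def classify(flow: Flow) -> Optional[str]:
    """Return None when the flow fits the policy, otherwise the reason it does not."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_ctl, dst_ctl = src in CONTROLS, dst in CONTROLS
    if not (src_ctl or dst_ctl):
        return None  # neither end is a building control: out of scope here
    if src_ctl and dst_ctl:
        return "device-to-device traffic inside the segment"
    peer = dst if src_ctl else src
    for role, (net, to_peer, to_device) in POLICY.items():
        if peer in net:
            allowed = to_peer if src_ctl else to_device
            if flow.dport in allowed:
                return None
            return f"{role} peer, but port {flow.dport} is not allowed in this direction"
    return "peer is not management, security tooling or directory services"

def audit(flows):
    return [(f, why) for f in flows if (why := classify(f)) is not None]

SAMPLE = [  # constructed flow records: (source, destination, destination port)
    Flow("10.50.0.21", "10.10.1.10", 443),    # device -> management system
    Flow("10.10.1.10", "10.50.0.21", 47808),  # management polls device (BACnet/IP)
    Flow("10.50.0.21", "10.10.3.5", 636),     # device -> directory (LDAPS)
    Flow("10.50.0.33", "10.20.7.14", 445),    # device -> unrelated internal host
    Flow("10.50.0.33", "203.0.113.9", 443),   # device -> internet address
    Flow("10.10.3.5", "10.50.0.21", 23),      # allowed peer, unexpected port
    Flow("10.20.7.14", "10.20.7.15", 445),    # no building control involved
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  VIOLATION: {why}")
```

In practice the flow records would come from firewall or NetFlow exports for the segment, and each violation is a candidate for tightening a rule or investigating the device.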
Next, IT and facility teams must know the vulnerabilities the building controls have and what to look for as an indicator of compromise (IoC). You may not be able to patch the vulnerabilities in question, but being able to alert on an IoC and respond to it with automatic containment is the next best thing to patching.
Finally, follow the industry trend and merge facilities and physical security with cybersecurity. All three teams have similar goals, so it makes sense to combine efforts. While it’s one thing for a security team to approach facilities with an audit finding, it’s quite another thing – and a better thing, I’ll add – for the security team to also be the facilities team when it responds to the audit finding.