The Challenge of Securing Building Control Systems
There’s been explosive growth in Internet of Things (IoT) adoption in the construction and commercial real estate industries, a trend quickened by the COVID-19 pandemic. Forced to find new ways to service properties without face-to-face interaction, businesses are now using connected devices to streamline an enormous variety of tasks related to real estate management, including wayfinding and signage, lighting control, lift and escalator management, occupancy analytics, energy consumption, and many others.
But that growth could be undermined by a lack of cybersecurity preparedness. Relying on a centralized building automation system to coordinate and manage IoT devices presents a significant cybersecurity vulnerability, a risk that gets hidden beneath the enthusiasm and marketing hype surrounding industrial and commercial IoT adoption.
According to research firm Memoori, the market for IoT in commercial buildings will hit $82.7 billion by the end of 2025.
The Emergence of a New Cybersecurity Standard
Until now, businesses have relied on standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework to protect their operational control (OC) systems. But even NIST acknowledged in a 2019 special publication that OC and IoT devices carry unique cybersecurity risks that teams can’t address with traditional approaches alone. It cites three ways in which IoT devices present a unique security challenge:
- IoT devices interact with the physical world in ways that conventional IT devices don’t, a fact that most existing cybersecurity strategies fail to address.
- IoT devices can’t be accessed, managed, or monitored in the same way that conventional IT devices can. This requires IT support staff to perform manual maintenance work on many devices and to address the security risk of an expanding number of third-party vendors.
- The cybersecurity and privacy capabilities of IoT devices differ from those of conventional IT devices in availability, efficiency, and effectiveness.
Cyber criminals are increasingly attracted to unsecured IoT and smart devices. Attacking those systems provides an easier payout with less work than bad actors could achieve by focusing on other targets. In worst-case scenarios, bad actors could even threaten high-value assets and human safety.
In response to these unique needs, a group of stakeholders from the standards community and the IT industry, together with leaders of the IoT and building control industries, has established a new organization to help standardize and improve how businesses secure their OC/IoT devices. The non-profit Building Cyber Security (BCS) promotes the technology, processes, and training needed to secure IoT devices, including a new framework and certification process.
In particular, the standard that BCS has developed is based on two already established standards:
- ISA/IEC 62443: a security standard originally designed to secure industrial automation and control systems (IACSs). Working with the authors of the ISA/IEC standard, the BCS team identified which controls from that standard best fit the security needs of building control systems and IoT devices, built a model for applying the concepts of “zones” and “conduits” to segment critical and non-critical connected devices, and laid out clear security responsibilities for building managers, service providers, and manufacturers.
- Critical Security Controls: while ISA/IEC 62443 covers most of the security needs of a building control system, BCS decided to complement that standard with simplified features from the Center for Internet Security (CIS) Critical Security Controls (CSC) Implementation Groups (IG). Each of the three implementation groups corresponds to a different phase, informally known as “crawl,” “walk,” and “run,” which organize the 18 control areas into ascending implementation levels.
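To make the “zones” and “conduits” idea concrete, here is a small added example (written for this article; it is not BCS or ISA/IEC 62443 material and does not reproduce either standard’s model). Devices are assigned to zones, and traffic between zones is allowed only through an explicitly declared conduit that names the permitted ports. Everything else, including any device missing from the inventory, is denied by default. The zone names, device names, and conduit rules are constructed for illustration; the BACnet/IP port is the real registered port (47808), the rest of the policy is an assumption.

```python
"""Added example: deny-by-default zone/conduit policy check for building devices.
The inventory and conduit rules below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    """A permitted path between two zones, restricted to specific destination ports."""
    src_zone: str
    dst_zone: str
    ports: frozenset


# Constructed inventory: device name -> zone it belongs to
ZONE_OF = {
    "hvac-ctrl-01": "bms-critical",
    "lift-ctrl-02": "bms-critical",
    "lobby-sign-01": "signage",
    "bms-head-end": "management",
    "occupancy-sensor-07": "analytics",
}

# Constructed conduits: the only cross-zone flows the policy allows
CONDUITS = [
    Conduit("management", "bms-critical", frozenset({47808})),  # BACnet/IP from the head end only
    Conduit("management", "signage", frozenset({443})),         # HTTPS management of signage
    Conduit("analytics", "management", frozenset({443})),       # sensors report to the head end
]


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """Return True only if an explicit conduit permits this cross-zone flow.

    Unknown devices are denied outright; traffic inside a single zone is treated as
    allowed here, which is a simplification (zone-internal policy is out of scope).
    """
    src_zone, dst_zone = ZONE_OF.get(src), ZONE_OF.get(dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True
    return any(
        c.src_zone == src_zone and c.dst_zone == dst_zone and port in c.ports
        for c in CONDUITS
    )


def audit(flows):
    """Given (src, dst, port) tuples, e.g. from switch or firewall flow logs,
    return the ones the conduit policy does not permit."""
    return [f for f in flows if not flow_allowed(*f)]


if __name__ == "__main__":
    # Constructed sample of observed flows
    observed = [
        ("bms-head-end", "hvac-ctrl-01", 47808),   # allowed: declared conduit
        ("lobby-sign-01", "hvac-ctrl-01", 47808),  # violation: signage -> critical zone
        ("hvac-ctrl-01", "lift-ctrl-02", 47808),   # allowed: same zone
        ("unknown-box", "hvac-ctrl-01", 443),      # violation: not in inventory
    ]
    for violation in audit(observed):
        print("policy violation:", violation)
```

Running the audit over flow records exported from the building network is a quick way to see which devices are talking across zone boundaries without a sanctioned conduit, which is exactly the traffic segmentation is meant to stop.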
The new BCS standard is under review, with an expected release date in the third quarter of 2022. What should commercial real estate and construction companies do in the meantime, until the full standard is released? A good place to start is securing their IoT devices according to the established best practices we have now.
According to the World Economic Forum, cyberattack is the #1 risk, with the financial impact set to reach over $50 billion by 2023.
Get Started with IoT Security Best Practices
Now is the time to get on a proactive security footing for your building control systems and Internet of Things (IoT) devices, before bad actors develop an effective set of tools and strategies for attacking these systems. Here are some of the tactics that businesses should consider adopting:
Discover and Catalog Devices
The first step in achieving strong IoT security is to have a centralized inventory of the devices in each property. Cataloging each device’s model, operating system, firmware version, and other details helps you create a more consistent and unified approach to device security. While businesses can do this work manually, it’s best accomplished with automated software to reduce human error and increase efficiency.
Enforce Strong Identity and Password Security
Many IoT devices ship with default login credentials, which your company should change immediately. After you’ve taken this first step, consider deploying a password management system that can enforce a minimal-trust policy, automatically rotate passwords, and help ensure proper password management.
Rigorous Vendor Management
With the rapid explosion of the IoT industry, there are many fly-by-night device manufacturers in countries such as China and India that produce equipment that doesn’t meet security standards in the United States. Purging those devices from your network and replacing them with new equipment is best, but failing that, look for workarounds (such as network segmentation) to help secure these devices.
Deploy Network Analysis Tools
Intrusion detection and prevention systems built on the Simple Network Management Protocol (SNMP) standard can give commercial real estate companies visibility into how their IoT devices are functioning, so they can notice irregular access and identify attacks before they escalate into a serious breach.
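“Noticing irregular access” is easier to reason about with a concrete rule set. The following is an added example, not code from the article or from any monitoring product: it runs three simple detections over a constructed set of device login records (the kind of authentication events a building controller or its syslog collector would emit). The management subnet, the maintenance window, the failed-login threshold, and the log format are all assumptions chosen for the example; the source addresses use documentation ranges.

```python
"""Added example: three detections over constructed device-login log lines.
Log format, subnet, maintenance window and threshold are assumptions."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, time

MGMT_NET = ipaddress.ip_network("10.20.5.0/24")   # assumed management subnet
WINDOW_START, WINDOW_END = time(6, 0), time(20, 0)  # assumed maintenance window
FAIL_THRESHOLD = 3                                 # failures from one source before alerting

# Assumed key=value format; adapt the regex to the device's real syslog output
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<dev>\S+) event=login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<res>success|failure)$"
)

# Constructed sample: two normal logins, one at night, and a guessing burst
SAMPLE_LOG = """\
2022-03-01T09:12:03 device=hvac-ctrl-01 event=login user=admin src=10.20.5.44 result=success
2022-03-01T09:15:41 device=lift-ctrl-02 event=login user=admin src=10.20.5.44 result=success
2022-03-01T23:40:10 device=hvac-ctrl-01 event=login user=admin src=10.20.5.44 result=success
2022-03-01T10:01:00 device=lobby-sign-01 event=login user=root src=198.51.100.7 result=failure
2022-03-01T10:01:02 device=lobby-sign-01 event=login user=root src=198.51.100.7 result=failure
2022-03-01T10:01:05 device=lobby-sign-01 event=login user=root src=198.51.100.7 result=failure
2022-03-01T10:01:09 device=lobby-sign-01 event=login user=root src=198.51.100.7 result=success
"""


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def detect(log_text: str):
    """Return (rule, device, source) alert tuples for irregular access.

    Rules: login from outside the management subnet, login outside the maintenance
    window, a burst of failed logins from one source, and a success following such a burst.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        key = (e["dev"], str(e["src"]))
        if e["src"] not in MGMT_NET:
            alerts.append(("outside_mgmt_net",) + key)
        if not (WINDOW_START <= e["ts"].time() <= WINDOW_END):
            alerts.append(("outside_window",) + key)
        if e["res"] == "failure":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:   # alert once when the threshold is hit
                alerts.append(("failed_login_burst",) + key)
        elif failures[key] >= FAIL_THRESHOLD:      # success after a burst is the worrying case
            alerts.append(("success_after_failures",) + key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The last rule is the one worth tuning carefully: a run of failures followed by a success from the same source is a much stronger signal than the failures alone, and it is the event that should page someone rather than just land in a dashboard.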
Patching and Maintenance
All network appliances should get patched and updated regularly to close security back doors and loopholes. This is especially true of IoT devices, many of which are shipped with out-of-date firmware after sitting in logistics warehouses for months while the cybersecurity landscape shifts in the world outside.
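The inventory, default-credential, vendor-management, and patching points above all come together in one check that an inventory tool can run on a schedule. The script below is an added example written for this article, not code from any product or from BCS: it audits a constructed device inventory against an approved-vendor list and a per-model minimum firmware baseline, and flags devices still on default credentials. The vendor names, models, firmware versions, and baseline values are all constructed; in practice the baseline comes from the manufacturers’ advisories and the credentials flag from the password management system.

```python
"""Added example: audit a building-device inventory for default credentials,
unapproved vendors and out-of-date firmware. All data below is constructed."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: str            # dotted numeric version string, e.g. "3.4.1"
    credentials_changed: bool  # False means the factory default is still in use


# Constructed: vendors the organisation has vetted
APPROVED_VENDORS = {"ExampleVendor"}

# Constructed: minimum acceptable firmware per (vendor, model)
FIRMWARE_BASELINE = {
    ("ExampleVendor", "HVAC-200"): "3.4.1",
    ("ExampleVendor", "LIFT-9"): "1.8.0",
    ("ExampleVendor", "OCC-1"): "2.0.0",
}


def parse_version(version: str) -> tuple:
    """Turn '3.4.1' into (3, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(devices):
    """Return {device name: [issue, ...]} for every device with at least one finding."""
    findings = {}
    for d in devices:
        issues = []
        if not d.credentials_changed:
            issues.append("default-credentials")
        if d.vendor not in APPROVED_VENDORS:
            issues.append("unapproved-vendor")
        baseline = FIRMWARE_BASELINE.get((d.vendor, d.model))
        if baseline is None:
            issues.append("unknown-model")          # nothing to compare against: investigate
        elif parse_version(d.firmware) < parse_version(baseline):
            issues.append(f"firmware-below-baseline({baseline})")
        if issues:
            findings[d.name] = issues
    return findings


# Constructed sample inventory
INVENTORY = [
    Device("hvac-ctrl-01", "ExampleVendor", "HVAC-200", "3.4.1", True),
    Device("lift-ctrl-02", "ExampleVendor", "LIFT-9", "1.7.2", True),
    Device("lobby-sign-01", "NoNameCo", "SIGN-X", "0.9", False),
    Device("occupancy-sensor-07", "ExampleVendor", "OCC-1", "2.0.0", False),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```

A device with no baseline entry is reported rather than silently passed: an unknown model is exactly the case the vendor-management step is meant to catch, and it should be either added to the baseline after review or scheduled for replacement.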
Technology Services for Construction and Real Estate
For over 20 years, the Astute Technology Management team has been helping commercial construction and real estate companies in Columbus, Cincinnati, and Cleveland stabilize their technology systems and embrace next-generation technology with confidence.
Interested in maximizing your technology investment and safeguarding yourself against cyberattack? We’re here to help.