By Michael Skurla
From the October 2024 Issue
The advent of intelligent building technology has revolutionized everything from homes to commercial buildings, factories, warehousing, and everything in between. It has altered, mainly for the better, how large and small facilities are managed. Though we have had ‘Smart’ building systems and BMS/EMS for decades now, future efficiency gains are being seen through integrating disjointed systems such as lighting, HVAC, security, and access control onto a single network, allowing data to be shared between these silos to drive better insight and action. This convergence introduces new challenges, particularly in terms of cybersecurity and interoperability.
Understanding The Converged Smart Building Landscape
In traditional building management systems, each system operated in isolation. However, converged or “unified” smart buildings break down these silos, allowing different systems to communicate and share data. This convergence creates a unified platform that enables facility managers to monitor and control various aspects of the building from a centralized “single source of truth.” Given the nature of networking, this interconnectedness offers unprecedented benefits but also introduces the new risks of an expanded attack surface.
The Critical Role Of IT Standards In Smart Building Security
IT has long stayed out of the scope of building systems. Yet this interconnected ecosystem now requires IT standards and know-how to function efficiently and safely, and those standards play a crucial role in securing converged smart buildings, now and into the future. By adopting IT industry-recognized standards, facility executives can ensure that their systems are robust, resilient, and resistant to cyberattacks. IT standards provide the framework for best practices in network design, data security, and access control while promoting interoperability (particularly over the TCP/IP stack), allowing different systems to communicate seamlessly.
Though IT standards constantly evolve, the IT space is used to this evolution and has processes and procedures to assure “best in practice” updates to meet these changing needs. Hence, within building ecosystems, IT now needs to play an essential role in every step, from procurement to system design to deployment. Interestingly, building standards have evolved with the industry, and BACnet/SC demonstrates that facility operations have been created with IT standards in mind.
Now, common standards that should be looked at from a building perspective include:
- BACnet (Building Automation and Control Networks): a widely adopted standard for building automation and control systems that defines a common language for different devices to communicate with each other, regardless of the manufacturer. By adhering to BACnet, facility managers can ensure their systems are interoperable and easily integrated with other BACnet-compliant devices. Additionally, BACnet/SC, a recent addendum to the standard, is a secure, encrypted communications datalink layer that meets the needs of secure IP infrastructure.
- NIST Cybersecurity Framework: provides a comprehensive guide for managing and reducing cybersecurity risk. It outlines a set of best practices for identifying, protecting against, detecting, responding to, and recovering from cybersecurity attacks. The recovery part is especially important, given that no system can ever be seen as 100% secure. The framework is adaptable to organizations of all sizes and can be applied to smart building systems to enhance their security posture.
- ISO/IEC 27001: an international standard for information security management systems (ISMS) that provides a systematic approach to managing sensitive information and ensuring its confidentiality, integrity, and availability. By implementing an ISMS based on ISO/IEC 27001, facility managers can demonstrate their commitment to information security and reduce the risk of data breaches.
Implementing IT Standards: A Step-By-Step Guide
- Conduct a Risk Assessment: Before implementing any IT standards, it’s crucial to conduct a comprehensive risk assessment to identify potential vulnerabilities and threats. This needs to include an inventory of every facility-related system that exists, even if it is not connected to a network yet. This assessment will help you understand the specific risks your smart building faces and tailor your security measures accordingly. Additionally, it can guide you in what is missing from a data perspective and what systems or devices must be added to enable a comprehensive and unified intelligent building. Older systems will often require some form of bridging from legacy protocols to Ethernet.
- Develop a Security Policy: A security policy outlines the rules and procedures for protecting your smart building systems. It should include guidelines for password management, access control, data encryption, and incident response. Ensure that all employees are aware of the policy and understand their responsibilities. This can be time-consuming, but documenting it provides a framework. This should be done with the IT organization to explain the scope of the systems and the data desired from each.
- Implement Security Controls: Based on your risk assessment and security policy, implement appropriate security controls. These may include firewalls, intrusion detection systems, antivirus software, and multi-factor authentication. Importantly, these need to be regularly updated to address new threats. An important choice needs to be made here as to who will administer these policies in the future. It is highly recommended that the IT organization has control here, as they will be the first to identify risks.
- Train Your Staff: Educate your staff on cybersecurity best practices and the importance of adhering to IT standards. Most breaches are not complex. They can be as simple as a phishing email for a password. People uneducated on security are the largest threats to organizations.
- Monitor and Review: IT organizations should continuously monitor the infrastructure for patches, software updates, and signs of suspicious activity. Regularly review your security measures and parameters, and update them to address new threats.
Addressing Connectivity And Communication Concerns
Connectivity and communication issues can hinder the seamless operation of converged smart building systems. To eliminate these concerns, network segmentation, secure remote access, and redundancy should be considered. As mentioned before, bridging from legacy systems and protocols is often necessary, and these bridging devices should stay up to date. IoT platforms can play a role in seamlessly bridging these legacy solutions into one secure ecosystem to limit the number of required proprietary devices.
Network segmentation is often a choice of IT professionals and involves dividing the network into different zones to isolate critical systems from less sensitive ones, thereby limiting the impact of a breach and preventing attackers from moving laterally across the network. This sometimes comes as a blessing and a curse, given the need at times to allow access across these segments. This can often be resolved with proper routing and firewall setups as well as secure remote access solutions, such as virtual private networks (VPNs).
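The segmentation described above can be audited in two ways, shown here as an added example that is not part of the original article: checking observed flows against a default-deny zone policy, and checking whether individually approved zone-to-zone rules chain into a lateral path to a critical system. The zone names, address ranges, allow rules, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed zone plan for a converged building network (assumed addressing).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "corp_it": "10.10.0.0/16", "bms_hvac": "10.20.10.0/24",
    "lighting": "10.20.20.0/24", "access_control": "10.20.30.0/24",
    "remote_vpn": "10.99.0.0/24",
}.items()}

# Default deny between zones; only these (src, dst) pairs pass (constructed).
ALLOWED = {
    ("remote_vpn", "corp_it"), ("corp_it", "bms_hvac"), ("bms_hvac", "lighting"),
    ("lighting", "access_control"),  # the hop the path audit should surface
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unzoned"

def violations(flows):
    """Return observed flows that cross zones without an allow rule."""
    out = []
    for src, dst in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs != zd and (zs, zd) not in ALLOWED:
            out.append((src, dst, zs, zd))
    return out

def lateral_path(start, target):
    """Shortest chain of permitted zone hops from start to target, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for s, d in sorted(ALLOWED):
            if s == path[-1] and d not in seen:
                seen.add(d)
                queue.append(path + [d])
    return None

# Constructed flow records (source IP, destination IP), e.g. from firewall logs.
FLOWS = [("10.10.4.7", "10.20.10.5"), ("10.20.20.9", "10.20.10.5"),
         ("10.99.0.12", "10.20.30.2"), ("192.168.1.50", "10.20.10.5")]

print(len(violations(FLOWS)), lateral_path("remote_vpn", "access_control"))
```

No single rule here lets the VPN zone reach access control, yet the path audit shows the four approved hops chain together, which is the kind of gap a per-rule review of a segmented network misses.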
VPNs should be utilized when accessing smart building systems remotely to prevent unauthorized access through unsecured public Wi-Fi networks. Finally, IT will bring to the table redundancy solutions that often were not present in isolated systems. These can include backup power systems (or UPSs), redundant network links, and failover mechanisms, ensuring that systems remain operational even if a component or service fails. These measures collectively enhance the connectivity and communication capabilities of converged smart building systems, ensuring their reliability and security.
It’s About Collaboration
Securing converged smart building systems requires a proactive approach that incorporates IT standards, best practices, and continuous monitoring. Most importantly, this is about collaboration and sharing knowledge between facility managers and IT professionals to create a robust security posture that protects their buildings from cyber threats, eliminates connectivity and communication concerns, and ensures the seamless operation of their interconnected systems.
Skurla, co-founder of Radix IoT, has over 25 years of expertise in connected product design commercialization. He has focused on critical infrastructure sectors’ control automation and building technology product design with Fortune 500 companies.