The Security Of Security: A Q&A Roundtable

What does adding a digital layer to traditional security look like? And, what is the future shaping up to be for security in the built environment? Three security professionals shared their insights on this topic, which include consideration of integrated facility systems, impact of IoT, working with IT and other departments, and cyber security concerns overall.

How has the shift from analog to IP-based systems benefitted facility executives?

Peter Boriskin, vice president of product management for ASSA ABLOY Americas: The shift to IP-based systems has allowed facility executives to protect more of their systems with a layer of digital security and more of their building with physical security. In terms of deployments for access control, for example, the IP-based setup saves on expense in deployment because there is no need to dig into walls and run wires as was previously the standard.

Strategically, this also allows facilities workers to take advantage of others’ budgets. You have IT folks who are more and more interested in having the facility wired up for networking for their own purposes. That is a huge benefit to [facilities] in terms of implementing any type of new facilities system as you can essentially utilize that IT buildout.

Jonathan Cartrette, senior systems architect, Legrand Building Control Systems: IP is one of the biggest innovations that we’ve seen and it’s caused a big shift in what’s possible with building control systems. Before IP, using legacy or proprietary protocols and analog technologies and adapting those to legacy networks would have worked, but the outcome might not end up being better than what you had in the first place or might not be worth the effort. Adapting to an IP network makes the process simpler, requiring less change for any given IP-based sub-system, making it faster to arrive at a holistic resulting functionality.

There are a lot of conversations happening around the value of building controls, but there’s also the recognition that we don’t have all the answers yet. We’re going into a really exciting time where our IP-based technology is enabling additional acceleration on what’s possible.

Brad Eck, strategic alliances program owner-Americas, Milestone Systems: An infrastructure change is never easy. There are many who still haven’t made the shift, and many who made a hybrid shift. Those who have are benefitting from the advancement in technology that IP brings. As we enter the era of leveraging the cloud, which is only accessible via IP networks, the solutions and intelligence advancements we will see — via AI [artificial intelligence], for example — will help facility managers focus on proactively optimizing their facilities rather than reactively addressing problems. With this, executives will see a bottom-line improvement in their facility costs.

What are some of the latest innovations you have seen recently that will have the largest impact on building systems in the next three to five years?

Eck: As alluded to above, AI is in the beginning phases of influence. Today, analytics bring intelligence to our industry and we are already seeing many solutions leveraging deep learning in their labs to create smarter deployed algorithms. In three to five years, we would expect to see a growing number of systems leveraging learning-at-deployment technologies thereby creating adaptive building systems. Using multi-tenant cloud intelligence will grow that adaptation exponentially.

Cartrette: A few years ago, facility executives were talking about asset tracking and wayfinding as potential applications that could be beneficial to lighting. And in the last few years there has been actual product that has come out and done it. They’ve realized the vision of a natural grid, permanently installed, powered light fixture as a jumping off point for completely unrelated applications. And so that goes beyond traditional trade boundaries; it goes beyond traditional facility managers’ scope. It really shows what’s possible.

Computer vision is the next area that looks to intersect with building interior systems; the technology that’s been in our smartphones that can recognize faces and auto-focus our cameras. You put that inside a sensing application and you start counting people, looking at posture and then using that data to create building controls. Building controls can be programmed to help with the typical afternoon slump in office spaces, or help fire departments and first responders locate individuals inside a building.

Smart buildings are a huge focus currently. What are some of the ways facility executives can upgrade existing systems and infrastructure to better incorporate these new technologies?

Boriskin: Automation that leverages technologies such as Zigbee and Z-Wave will further allow facilities to take advantage of new ways to integrate security, safety, and sensing technologies. This will stretch not just to doors and lights, but HVAC and temperature, leak detection, glass break detection, and other systems. We are entering a world where you can add a lot of new sensing capabilities without a heavy integration effort or without investing in a huge management platform. It’s now a level playing field for everyone in facilities in terms of budget.

Cartrette: I think lighting has a real advantage here. It’s difficult to upgrade the entire electrical system within a facility, but integrators can use wiring devices, like lighting, to make retrofits and upgrades more accessible.

By using the wiring devices, integrators can easily retrofit or upgrade a facility in different layers or do trials with the facility executive to test out different solutions. This hasn’t been accessible with the built environment before, but the latest wireless technologies and intelligent devices are changing the way buildings are controlled and making that narrative possible.

How has the addition of IoT devices and remote access services changed the role of the facility manager? How has it changed the security needs in facilities?

Boriskin: First, these changes have given facility managers a tremendous reach within their facilities. They can add sensors, locks, lights or other devices into a facility for a fraction of the cost. It’s a new world in terms of monitoring and control.

On the other hand, you definitely have to be on top of the cyber level of security. That’s something that wasn’t a concern before.

I do believe adding these new devices is worth the “price of admission,” but as a facility manager you do need to be thinking about having a new or different relationship with the IT side of your business. Facilities and IT are currently both in a position where they need each other. The IT guys want physical security — there are stories of individuals nefariously accessing servers — and in turn, facilities teams need digital security on top of their IP devices.

It’s actually a really good situation that our industry finds itself in this place where it is forcing us to work together. We as an industry will benefit from that. Our job is to engage in the process and find a way to seamlessly work together.

Cartrette: We’ve got to give the manufacturers credit for making every effort to keep the transition simple, but there is inherently more complexity because there’s more configurability. It’s a bit of an arms race. Facility managers accept the complexity because they’re getting added value, but now there’s all of these features, there’s all of this configuration, and there definitely seems to be an increasing need for remote services.

With so many different systems being installed into buildings, facility managers would have to learn every single thing about every single system to properly maintain the facility. Some buildings can have a dozen different systems, and if even one tenant wants to try something new, it’s up to the facility manager to make that happen. That’s where remote service steps in to bridge the gap.

Security is a big concern for facility managers, but the IP platform makes it simpler for them to secure end-to-end connections that allow remote support to dial into the system. IP technology uses standards that are maintained by the same community as those on the Internet. There is credibility behind the standards, and organizations like IEEE, IETF, and ICANN that manage those standards.

What are the security concerns that facility managers should know when installing an IoT device on the network? What are features and benefits that combat those concerns?

Eck: Cyber threats are real: hacks are found daily, and huge data break-ins are reported regularly. Facility managers who leverage IP networks need to have a coordinated defense with their IT staff to ensure secure systems. Consider, however, that there are a lot of attack points beyond the traditional virus protections. From device access to your network, encryption of the data from point-to-point, and ensuring the data is stored securely — the entire data path is at risk of attack. Isolating access to your edge devices from the core systems is an important first step in the protection of that data. From there, leveraging data encryption technologies, certificates or, at minimum, advanced password management are incremental steps in the protection of your data.

Boriskin: Always start by looking at the vendor or manufacturer who you’re working with. Ask what they have done in terms of a third-party, certified verification for their security. The kind of thing you might be looking for is analysis using industry-accepted cyber security and testing standards. Penetration testing is generally the way we look at validating these types of things. Further, does the manufacturer have an incident plan? Have they thought about what happens when something does go wrong? Can the integrator help design or implement an incident plan?

Over the past few years you’ve seen some shocking — but preventable — hacks take place on phones, wireless radios, appliances, and other devices. The reality here is that bad stuff happens — so let’s call this what it is and make sure that we have a good, structured way to test devices so that it happens as little as possible. And, if it does happen, ensure we have a plan in place to deal with it.

When thinking about the security on these devices, are there any areas that still need to be addressed on the industry side? Are there any known vulnerabilities to be aware of?

Eck: Cyber security is a dynamic technological sub-genre in industries today. By that I mean it is a part of every IP system in every industry, and it is constantly changing — whether or not we are doing anything about it. Vulnerabilities are constantly found in any system, so manufacturers as well as the customers are addressing those vulnerabilities in product and software updates. Advancements in network computing have empowered the fast deployment of cyber fixes through automation and the direct connectivity between them.

Cartrette: This is one of the hardest questions right now, because the industry is still trying to write and implement standards. The industry is talking about products as being secure based on wildly different implementations. There are multiple types of standards from the technology leaders including IETF and IEEE, but they aren’t necessarily market standards, like with energy codes that are prescriptive around performance and the methods of achieving performance to some sort of security code — it’s just not there.

Manufacturers are being transparent and doing everything they can to help the market and end-users learn about the IP connected devices space, but it’s difficult to say where the most effective place to start is. Do manufacturers move toward regulatory standards? Do they want to come up with a new energy code that includes security best practices? Manufacturers need to come together to create terms of transparency and education around IoT and security.
