Manufacturers and integrators must prioritize holistic system designs and adhere to emerging security requirements for connected building systems.
As the integration of smart building technology continues to grow, so does the risk of cyber threats at the connection between IT and operational technology (OT) systems. Data shows that over 4,145 publicly disclosed breaches in 2021 exposed a staggering 22 billion records, and reports of data breaches in the U.S. have increased by 10 percent.
In 2013, the retail industry witnessed a watershed moment when the breach of Target’s corporate network exposed a staggering 40 million credit/debit card numbers. This event not only highlighted the need for robust security controls but also brought to the forefront the vulnerabilities introduced by email phishing and by remote building management and monitoring systems. The spotlight Target put on the remote operation of “smart” buildings underlined the critical importance of employee training on supply chain security, edge-device security policies, capability credentials and network segmentation. Target’s proactive approach to addressing these issues revolutionized the security posture of the retail industry. By openly acknowledging the breach, Target set a new standard for transparency, one that should be considered a valuable lesson for all sectors.
Manufacturer’s Role in IoT Security
In recent years, the technological advancement of buildings has moved towards a more IT-friendly standard. This shift is particularly prominent in the lighting and electrical sectors. However, this progress has proven to be a double-edged sword. On one side, it opened the door for users to better understand their systems and building performance, and it allowed integrations that were previously far from easy. On the other side, it forced manufacturers to understand IT security, a space that had been fairly foreign to them. Manufacturers had to learn about, and often invest in, security systems that meet the standards expected by IT professionals. Adoption was slow at first, since the building technology and IT worlds had long been kept separate.
By the end of 2023, there will be 13.1 billion connected devices around the globe, with installed devices reaching 42.62 billion. While Ethernet is at the forefront of commercial building systems, IoT security complications remain multi-layered and more complex. This has heightened network security specialists’ awareness of IoT’s expanded reach, leading to revamped security designs that limit the attack surface (the set of points through which a system could potentially be penetrated).
Lighting, HVAC and building systems professionals can’t rely solely on the security of a single system. Given that these new styles of systems integrate many traditionally disjointed systems, integrators require a deeper understanding of the risks associated with converged networks. Often the systems themselves are not the attack surface; rather, the network interconnection between the systems poses the greatest risk. This becomes particularly acute not at initial system commissioning, but down the road, when devices are inevitably added to a building system.
Mitigating security gaps by implementing proven IT security measures is imperative. It requires identifying potential weaknesses deeply embedded in the communications networks of commercial facility lighting systems, including sensors, lighting devices and user-facing lighting controls.
Researchers at the 2017 IEEE Symposium on Security and Privacy demonstrated how attackers could take control of smart lamps and create a city-wide chain reaction. By bridging the gaps between physically adjacent lamps on an IoT network, an attacker could spread from a home computer, to offices, to an entire city’s infrastructure.
While most commercial networked lighting control technologies are still typically proprietary, they interface with the Internet and other building systems via bridges or gateways. Ethernet and the TCP/IP stack are the common connectivity media for system-to-system communication. Beyond wired media, wireless connectivity has become commonplace, using short-range, low-power communications devices integrated into light fixtures or controls. With the lighting industry adopting the Zigbee, Wi-Fi and Bluetooth standards, a gateway or bridge encodes upstream communications into Ethernet before they enter the public, or semi-public, network. In the end, the old saying “buildings are on another network” no longer holds. IT and building systems must live as one to enable efficiency, convenience, automation, sustainability and proper building management in the modern, digitized age.
California Bill SB-327, which went into effect in 2021, requires manufacturers of connected devices to eliminate default passwords, which users often never change, and extends its scope into healthcare, automotive and commercial building systems. The bill defines an IoT device as “any device, or other physical object connected to the internet, directly, or indirectly–assigned an internet protocol address or Bluetooth address”, a definition that clearly applies to lighting systems and their connectivity to the outside world.
The IoT Cybersecurity Improvement Act (HR1668) requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices controlled by any U.S. government agency. It prohibits federal agencies from procuring or using IoT devices that do not meet the new standard. While NIST has yet to complete this obligation, the Act will drive (and in some cases already is driving) purchasing behavior in the federal and state sectors and most likely the private sector. Of specific interest in this work is that building components that cross-connect with IT systems are being brought into the world of IT standards, including requirements for secure hardware boot and TPM (Trusted Platform Module) support.
Joint Efforts of Manufacturers and Building Designers
Manufacturers must be responsible for the security of the solutions they provide to the market. That is very clear, but the responsibility also extends to the holistic system design across a project (and, in the case of large clients, across many projects). Before adding any system to a connected building, integrators must ensure that their device and system manufacturers not only adhere to the emerging government security requirements but also integrate with IT security norms, and can flexibly adapt to them as they change over time, not just as they stand today.
Buildings and IT are now one, which comes with immense advantages. Security is no longer the responsibility of just one party, but of a team of systems working in tandem to provide comfort, safety and efficiency. Only through the collaboration of lighting manufacturers, installers, service providers, other building trades and IT professionals can a long-lasting solution for a secure smart building infrastructure be designed.
Michael C. Skurla is Chief Product Officer of Radix IoT, which offers limitless monitoring and management rooted in intelligence, and has over 25 years’ experience in control automation and IoT product design with Fortune 500 companies. He is a contributing member of CABA, ASHRAE, IES Education and USGBC, and a frequent lecturer on the evolving use of analytics and emerging IT technologies to foster efficiency within commercial facility design.