Secured by Design in a Connected World
28 September 2019
Intelligent building management systems are increasingly becoming embedded into the built environment as technology evolves and the demand for reduced operating costs and greater monitoring, control and operability continues to grow. This growth also comes with a substantial set of security vulnerabilities, any of which could become a major headline. How much of a concern is cybersecurity in commercial buildings?
A look at a few headlines from 2019 provides a quick and definitive answer.
Why Cybercriminals Are Eyeing Smart Buildings – WeLiveSecurity
Mission Possible: ICS Attacks on Buildings Are a Reality – Security Today
Should You Send Your Security Staff to a Hacker Conference? – InformationWeek
Proof-Of-Concept Malware Reveals Smart Building Vulnerabilities Your Business Needs To Deal With – Forbes
These aren’t just a few outliers. A five-minute Google search turns up a mountain of material to read and reference. The sources of these articles are as telling as the headlines themselves. The need for secure systems hasn’t been lost on facility and operations-focused publications and practitioners. But it’s now prominently on the radar of outlets such as InformationWeek. These are IT-centric folks who are also concerned with interference by hostile nation states and data jacking. In other words, buildings are swimming in the security mainstream.
That’s because the threat isn’t theoretical. Hackers have already exposed gaps in facility automation. In 2014, the entry point for an attack that led to credit card information being stolen from a major national retailer was the company’s HVAC subcontractor and system. And from the Forbes piece highlighted above: Attacks could bring hospitals to a standstill by rendering medical devices unusable, disrupt traffic by disabling ventilation in tunnels or completely halt production within mines.
Plus, a search in February 2019 by WeLiveSecurity for building automation systems that were reachable from the public internet uncovered 35,000 potential targets globally. That’s a concerning number when you are responsible for your building’s infrastructure.
The reason for the increased focus and exposure is the prevalence of IoT devices for operational technology (OT) such as facility and industrial controls. The volume of connected OT hardware is expected to rise exponentially — from 1.3 billion devices in commercial buildings in 2017 to 3.3 billion in 2022, according to smart buildings researcher Memoori. More connectivity inevitably means more potential vulnerabilities: entry points that could provide access to dream marks for hackers, such as data centers. That means attempts will only escalate. (Read “Putting ‘O’ in Cybersecurity” for more.)
It’s not an all-hope-is-lost scenario, however. It’s simply time for additional vigilance, especially from facility software and hardware providers. At Honeywell that means progress on a couple of fronts. To start: We’re hiring and training people to build a specialized cybersecurity skillset. It may be a digital problem at the core, but a key part of the solution is human, not binary. We are also simplifying the equation and deploying a lifecycle approach to improving cybersecurity maturity in the building’s environment. This means having the right balance of solutions, depending on the business’s risk appetite, and developing clear guidelines for improvement.
In parallel, we’re accelerating proactive development efforts. Much like quality, security and privacy are foundational, considered at the genesis of new products and services, not when a vulnerability is exposed and exploited. “Secure by design” is the widely used engineering term, and it entails rigorous adherence to a framework that addresses the secure software development lifecycle, patch management and encryption, among other elements.
Expertise combined with process is a clear path to minimize would-be issues, by design.
So is collaboration across the industry, a necessity since risk doesn’t discriminate, and there are important endeavors underway to that end. For example, the International Society of Automation (ISA) recently introduced its Global Cybersecurity Alliance (ISAGCA), a cooperative that will bring technology providers, end users, government agencies and other stakeholders together.
The goal is to build awareness, provide education, share best practices, and promote the development and adoption of cybersecurity standards. As a founding member of the ISAGCA, Honeywell will bring the knowledge and experience of its more than 250 cybersecurity specialists to further these efforts, and help solve today’s and tomorrow’s challenges.
You can help shape the future of automated buildings too. The ISAGCA is looking for additional members to support its initiatives and make the places where we live and work safer. End-user companies, asset owners, automation and control systems providers, IT infrastructure providers, services providers, system integrators and other cybersecurity stakeholder organizations are all invited to join.
Smart, connected buildings provide immense value — from reduced consumption of energy and natural resources to advanced fire detection and prevention. To capture these benefits, though, it’s critical that all involved in making buildings smarter ensure that cybersecurity is a priority. Fortunately, there is a recognized need that now extends far and wide, as well as immense will and ways forward.