Building automation systems are but one aspect of a much, much larger issue engineers are dealing with right now: When different smart devices all talk with one another, how do you prevent data leaks?
Automated buildings could be especially vulnerable to data breaches or hacking because smartphones are becoming such useful interfaces for them. Just imagine an office in which employees can adjust the lights above them via an app they download to their own smartphones. This means a person’s own phone would communicate with the BAS, potentially opening up a digital pathway between their iPhone and the building’s data.
Even if these connections were designed to be as safe as possible, there are unforeseeable issues that arise when personal devices communicate with any system. This brings up some important questions that our industry is currently trying to answer:
- Is this an IT concern or an FM concern? Or both?
- How can you align companies’ bring-your-own-device policies with BAS security, especially as smartphones become the most convenient interfaces occupants have?
- How can you plan for future personal devices that might not exist yet?
Here is a snapshot of how BAS security is currently evolving to accommodate this aspect of building occupant convenience.
The Bring-Your-Own-Device Movement
A company’s employees already expect to be able to do some of their work via their personal laptops, tablets and phones. “1 in 4 Americans already use a smartphone or tablet as their primary work device,” Katherine Buchholz writes at DialogTech. “And this number will only grow as Gen Y continues to expand in the workforce.”
In fact, her research suggests that by 2017, 70% of people whose work allows them to be mobile will do work from their own devices. In that same year, Gartner research predicts that half of employers will simply ask employees to do work from their own devices. After all, a BYOD policy can certainly save companies overhead costs.
So, if an employee already feels comfortable accessing company emails and documents via his or her smartphone, controlling a personal office space’s lighting and temperature via that same device feels like a natural progression.
How Buildings and Companies Are Vulnerable
This kind of access could potentially open up numerous points that a malicious actor could exploit. As Jim Sinopoli writes at AutomatedBuildings.com, such an attack could have dire consequences:
“For the other building systems such as HVAC control, electrical distribution, lighting, elevators, etc., the threat is disruption of critical building infrastructure which also impedes or can halt normal operations. Depending on the building use and building control system, a security threat may be related to life safety, for example disrupting emergency power, lighting and HVAC in a critical healthcare space. The threat to building systems is not hypothetical; the infamous Stuxnet cyber-attack in 2010 eventually affected programmable logic controllers (PLC), a controller that is often used in industry, commonly in building elevators, pumps, drives, and lighting equipment.”
And as Target found out in 2013, access to a building’s controls can provide someone a backdoor to sensitive company data, Jaikumar Vijayan writes at Computerworld. “The massive data theft at Target for instance, started with someone finding a way into the company’s network using the access credentials of a company that remotely maintained the retailer’s heating, ventilation and air conditioning (HVAC) system,” he says. “In Target’s case, the breach appears to have happened because the company did not properly segment its data network.”
How Applicable Are BYOD Policies to Building Controls, Anyway?
An easy fix would be to simply not grant building occupants any kind of access to building controls, right? If their devices are not talking to the the automation system, then those vulnerabilities become non-issues.
That’s not the direction building automation is headed, however.
Stacey Higginbotham has an excellent piece at Fortune that explores how facilities managers are currently facing the questions IT departments dealt with in recent years regarding BYOD policies.
She spoke with Digital Lumens CEO Tom Pincince, who predicted personalized lighting for individual employees is on its way. “Your lights might talk to your HVAC system before your phone talks to your lights or HVAC,” Pincince told her.
And this, he said, opens up an interesting question of jurisdiction: Is IT responsible for securing this connection, or are FMs? “Now we’re going to have BYOB, or bring your own building, and the IT managers are going to have to deal with it,” Pincince said. “Right now, there is a divide. The facilities guys look at IT as technocrats, and the CIOs don’t want to deal with the physicality of the building automation.”
Futurist and former Gigaom managing director Stowe Boyd branches off from Higginbotham’s reporting in a blog post of his own that explores the future of smart devices in automated buildings.
“I’m anticipating a day in the not-too-distant future where artificial intelligence agents will track people’s location and movements through smart buildings, and adjust lighting, heat, blinds, noise, desk height, and other controllable environmental variables wherever we are, optimized for what we are doing,” Boyd writes.
That brings the conversation right back to personal devices, which would presumably be the sensor by which the AI would track someone’s movements. How do you build systems that allow for inputs from personal devices without creating major security flaws?
Some existing industry best practices might help illuminate that path.
How to Bake Security Into Building Controls That Work With Personal Devices
1. Get IT On Board
As Pincince noted, many IT departments would like to take a hands-off approach to building controls. Computerworld’s Vijayan argues that simply introducing IT to an automated building’s infrastructure can help cooperation between their department and FMs.
Vijayan spoke with John Pescatore, director of emerging security trends at the SANS Institute, who says IT often doesn’t realize the scope of the technology involved in building controls.
Vijayan also spoke with Information Systems Audit and Control Association (ISACA) president Robert Stroud, who underscored the importance of having IT and facilities work together on security.
“Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations,” Vijayan reports from that conversation. “Suppliers in the building automation world don’t have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products. Few have any notification process to let customers know about security threats to their products.”
2. Have Systems in Place to Detect and Mitigate Threats
Schneider Electric has a helpful paper on securing building management systems, and one of the company’s recommendations is a two-part set of best practices that can detect and limit the impact of security breaches:
1. Establish a system for logging possible threats. “Create logs to monitor all aspects of the system, including physical access, network activity, device activity and firewall configuration. Consider system performance when setting logging parameters, and collect log files in a central location to prevent unauthorized modification.”
2. Understand the strengths and weaknesses of your intrusion detection before configuring alerts and active responses. “Configuration rules should reflect the operating behavior of your network, which may differ significantly from those of a typical enterprise network.”
3. Make Sure You Have the Infrastructure to Support Secure Data Sharing
James L. Bindseil at ITProPortal offers suggestions for any company implementing a BYOD policy for any network:
“Before any sort of company-wide BYOD policy is introduced, it is important that you have a means to share data securely on personal devices. These three questions are a good starting point to determining what else needs to be addressed before BYOD can be implemented:
- Do you have a file sharing solution that is secure?
- Is the proposed mobile technology easy to use?
- Will the solution be compatible and effectively integrate with existing networks, platforms and applications?”
4. Data Encryption is Key
Tom Smith, VP of Business Development at CloudEntr, tells Digital Guardian that all data should be encrypted “so you are prepared for the inevitable breach.”
“Beyond that, you should have a BYOD policy in place that includes mobile device management (MDM), which gives IT access to any devices that may access your business network along with the capability to revoke access or even wipe a device if it is lost or stolen, and outlines policies and protocols for accessing company data from remote locations,” Smith writes.
5. Look For Ways to Wall Off Data
In the lighting examples above, the ideal end-user application would wall off that system-device interaction from anything else on the user’s phone. “Employers should also consider the use of a sandbox or ring-fencing of data, such as by keeping data contained within a specific app, as well as ensuring that, if the device is lost, the data on it is kept confidential and retained via a backup facility,” William Long at Computer Weekly writes.
6. Create a Policy for Personal Devices
Ken Hess at GFI has a helpful set of 10 BYOD policy guidelines that apply to company data systems as well as to building controls. Two important takeaways:
1. Jailbroken and rooted devices cannot be permitted. “Most, if not all, mobile security suites consider jailbroken and rooted devices to be ‘security compromised.’ These compromised devices are exposed to security vulnerabilities, malware, viruses, and hacks that secured devices are not.”
2. Devices need screen-lock passcodes. “A basic security measure that many device owners neglect is the screen lock password. Screen lock passwords are simple to setup and yet provide a high level of data theft protection. Write your policy to include this powerful deterrent. Mobile security suites can enforce the use of a screen lock password on any user device.”
Credits:
ThomLee Aik Soon
