
Physical security for your smart building IT and OT systems

Feb. 17, 2023
Here are common challenges and recommendations for safeguarding in-building data centers, network closets, and associated IoT and cabling.

Smart buildings are full of critical technologies that create an always-connected environment that aims to be efficient, safe, informative, and welcoming to all occupants and visitors. With this increase in technology, however, comes the responsibility to ensure these technologies are operating safely and are secured from tampering. Let’s look at common challenges in safeguarding in-building data centers, network closets, and associated IoT and cabling.

Securing on-site data centers

When physically securing mission-critical IT and OT infrastructure housed within on-site data centers, security and IT experts must take an outside-in approach. First, all entry/exit points must be secured and monitored, starting from the data center perimeter. One tip: Move away from the use of physical keys or combination locks, because key copies and combination codes can be easily shared or leaked. Instead, intelligent door controller systems provide far greater control over who can access what and when. They also provide a historical, searchable timeline of access into or out of the data center when physical security incidents occur. At a minimum, key card access should be implemented. For more sensitive environments, the use of biometrics for physical access is gaining in popularity.


Once the perimeter is secure, data center access should be segmented further using a multilayer strategy. This includes restricting mission-critical areas, such as network infrastructure hardware and servers that house sensitive data. In many cases, cages secured by intelligent access control systems are built around critical infrastructure. Securing individual equipment racks restricts access further, allowing only authorized individuals to physically interact with the hardware. This layered approach to data center access allows for granular control over who can access what.

Finally, planners should deploy surveillance cameras to provide wall-to-wall coverage with multiple, overlapping views within a data center. Modern surveillance cameras produce high- and ultra-high-definition video as standard, and the cost of the equipment has dropped significantly over the past decade. For new deployments, look for surveillance cameras with a minimum resolution of 1080 pixels.

Securing network closets

Throughout large buildings or campuses, planners should strategically locate network closets to provide network access to end users and devices. The physical location of these closets is largely based on distance limitations of standard copper and fiber Ethernet cabling. For new construction, network closets are included as part of the building design process. For older buildings and campuses, however, network closet space must be retrofitted.

One problem with network closets is that they are a great way to gain unauthorized access to a smart building network. In older buildings, when physical security was not top of mind, network closets were often built as afterthoughts. This leads to closets with multiple entry points, such as doors and windows; it also leads to the distinct possibility that a network closet is used as a “shared space” for the storage of office furniture and cleaning supplies.


Keeping people away from network edge switches should be a priority. That means that the network closet should be designated as an IT-only room and access should be restricted to only network operations (NetOps) team members. The same door controller and surveillance systems should be installed in each closet.

Importantly, NetOps teams should program switches so that all unused ports are placed into a disabled state. This ensures that network access is denied even if unauthorized access to the closet is gained. MAC-based whitelists, 802.1X authentication, and micro-segmentation can also be applied at network closet switches to further deter users from plugging in unauthorized devices.
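The recommendation above (shut down unused ports, require 802.1X or port-security on the rest) is easy to state and easy to let drift over time. As an added example that is not part of the original article, the following Python script audits a switch running-config for two things: enabled ports that look unused, and enabled access ports with neither 802.1X nor port-security. The sample config is constructed for this example in Cisco IOS style; the "unused" heuristic (no description, or a description containing "spare"/"unused") and the rule that trunk uplinks are skipped are assumptions you would tune to your own naming conventions.

```python
"""Audit an IOS-style switch config for ports that defeat the closet's
physical controls: unused ports left enabled, and access ports without
802.1X or port-security. Example code, not from the article."""
from dataclasses import dataclass, field

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname closet-3f-sw1
!
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Wi-Fi AP, lobby ceiling
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/3
 description Badge reader, east door
 switchport access vlan 30
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/5
 switchport mode access
!
interface GigabitEthernet1/0/6
 description Spare
!
end
"""

# Assumed heuristic: these words in a description mark a port as unused.
UNUSED_WORDS = ("spare", "unused", "vacant")


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    @property
    def description(self) -> str:
        for ln in self.lines:
            if ln.startswith("description "):
                return ln[len("description "):]
        return ""

    def has(self, prefix: str) -> bool:
        """True if any config line under this interface starts with prefix."""
        return any(ln.startswith(prefix) for ln in self.lines)


def parse_config(text: str) -> list[Interface]:
    """Split an IOS-style config into interface stanzas (indented lines)."""
    interfaces: list[Interface] = []
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1])
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit(interfaces: list[Interface]) -> dict[str, list[str]]:
    """Return {interface: [issues]} for enabled ports that need attention."""
    findings: dict[str, list[str]] = {}
    for itf in interfaces:
        if itf.has("shutdown"):
            continue  # already disabled, as the article recommends
        if itf.has("switchport mode trunk"):
            continue  # assumed uplink; secured by other controls
        issues = []
        desc = itf.description.lower()
        if not desc or any(w in desc for w in UNUSED_WORDS):
            issues.append("enabled but appears unused; set 'shutdown'")
        if not (itf.has("authentication port-control auto")
                or itf.has("switchport port-security")):
            issues.append("no 802.1X or port-security")
        if issues:
            findings[itf.name] = issues
    return findings


def remediation(findings: dict[str, list[str]]) -> list[str]:
    """Emit IOS-style commands that shut down the ports flagged as unused."""
    cmds: list[str] = []
    for name, issues in sorted(findings.items()):
        if any("unused" in i for i in issues):
            cmds += [f"interface {name}", " shutdown"]
    return cmds


if __name__ == "__main__":
    result = audit(parse_config(SAMPLE_CONFIG))
    for name, issues in result.items():
        print(f"{name}: {'; '.join(issues)}")
    print("\n".join(remediation(result)))
```

Run against the sample, the audit flags GigabitEthernet1/0/5 (no description, no authentication) and GigabitEthernet1/0/6 (described as Spare, no authentication) while passing the port-security, 802.1X and already-shutdown ports. Scheduling a check like this against exported configs turns the "disable unused ports" rule into something you can verify rather than assume.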

Protecting Wi-Fi and IoT hardware

Access to, and tampering with, devices that are in public and semipublic areas must also be limited. These devices include Wi-Fi access points, IoT sensors, surveillance cameras, and operational technology (OT) systems, such as industrial control systems and HVAC controllers.

In some cases, manufacturers include anti-tampering features within endpoint devices and mounting brackets. This includes tamperproof screws so the hardware cannot be easily removed, and physical locks or catches that make it difficult to unplug Ethernet cables from building technologies. In most cases, the use of manufacturer-provided anti-tampering tools is sufficient. However, additional protections may be required, including the use of wall-mountable and lockable equipment racks.

The physical placement of these types of devices also makes a huge difference when working to secure IT/OT systems. For example, mounting access points or IoT sensors higher on ceilings (10 feet or higher) can deter most tampering attempts. The same can also be said for network cabling; be sure that cabling is run high up in ceilings, preferably hidden by suspended ceiling tiles, in areas where tampering may occur.

Finally, in less trafficked but more vulnerable areas such as where OT systems are located, surveillance cameras can be configured to alert security staff in real time when motion is detected. Not only do motion-based surveillance cameras in these areas help discourage device tampering, but they also can detect and offer alerts on other building issues, such as broken or leaky pipes. 


About the Author

Andrew Froehlich | Contributor

As a highly regarded network architect and trusted IT consultant with worldwide contacts, Andrew Froehlich counts over two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Andrew is the founder and president of Colorado-based West Gate Networks, which specializes in enterprise network architectures and data center build-outs. He’s also the founder of an enterprise IT research and analysis firm, InfraMomentum. As the author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT-related websites and trade journals with insights into rapidly changing developments in the IT industry.
