Smart buildings are full of critical technologies that create an always-connected environment that aims to be efficient, safe, informative, and welcoming to all occupants and visitors. With this increase in technology, however, comes the responsibility to ensure these technologies are operating safely and are secured from tampering. Let’s look at common challenges in safeguarding in-building data centers, network closets, and associated IoT and cabling.
Securing on-site data centers
When physically securing mission-critical IT and OT infrastructure housed within on-site data centers, security and IT experts must take an outside-in approach. First, all entry/exit points must be secured and monitored starting from the data center perimeter. One tip: Move away from the use of physical keys or combination locks because key copies and combination codes can be easily shared or leaked. Instead, intelligent door controller systems provide far greater levels of control over who can access what and when. They also provide a historical and searchable timeline of access into or out of data centers when physical security incidents occur. At a minimum, the implementation of key card access should be used. For more sensitive environments, the use of biometrics for physical access is gaining in popularity.
Move away from the use of physical keys or combination locks because key copies and combination codes can be easily shared or leaked.
Once the perimeter is secure, data center access should be segmented further using a multilayer strategy. This includes restricting mission-critical areas, such as network infrastructure hardware and servers that house sensitive data. In many cases, cages are built around critical infrastructure that relies on intelligent access control systems. Securing individual equipment racks will restrict access further, allowing only authorized individuals to physically interact with the hardware. This layered approach to data center access allows for granular control over who can access what.
Finally, the planners should deploy surveillance cameras to provide wall-to-wall coverage with multiple, overlapping views within a data center. Modern surveillance cameras produce high- and ultra-high–definition video as standard, but the cost of the equipment has also dropped significantly over the past decade. For new deployments, look for surveillance cameras with a minimum resolution of 1080 pixels.
Securing network closets
Throughout large buildings or campuses, planners should strategically locate network closets to provide network access to end users and devices. The physical location of these closets is largely based on distance limitations of standard copper and fiber Ethernet cabling. For new construction, network closets are included as part of the building design process. For older buildings and campuses, however, network closet space must be retrofitted.
One problem with network closets is that they are a great way to gain unauthorized access to a smart building network. In older buildings, when physical security was not top of mind, network closets were often built as afterthoughts. This leads to closets with multiple entry points, such as doors and windows; it also leads to the distinct possibility that a network closet is used as a “shared space” for the storage of office furniture and cleaning supplies.
[Network closets] are a great way to gain unauthorized access to a smart building network.
Keeping people away from network edge switches should be a priority. That means that the network closet should be designated as an IT-only room and access should be restricted to only network operations (NetOps) team members. The same door controller and surveillance systems should be installed in each closet.
Importantly, NetOps teams should program switches so that all unused ports are placed into a disabled state. This ensures that network access is denied even if unauthorized access to the closet is gained. MAC-based whitelists, 802.1x authentication, and micro-segmentation can also be incorporated at network closet switches will further deter users from plugging in unauthorized devices.
Protecting Wi-Fi and IoT hardware
Access to and tampering of devices that are in public and semipublic areas must also be limited. These devices include Wi-Fi access points, IoT sensors, surveillance cameras, and operational technology (OT) systems, such as industrial control systems and HVAC controllers.
In some cases, manufacturers include anti-tampering features within endpoint devices and mounting brackets. This includes tamperproof screws so the hardware cannot be easily removed, and physical locks or catches that make it difficult to unplug Ethernet cables from building technologies. In most cases, the use of manufacturer-provided anti-tampering tools is sufficient. However, additional protections may be required, including the use of wall-mountable and lockable equipment racks.
The physical placement of these types of devices also makes a huge difference when working to secure IT/OT systems. For example, mounting access points or IoT sensors higher on ceilings (10 feet or higher) can deter most tampering attempts. The same can also be said for network cabling; be sure that cabling is run high up in ceilings, preferably hidden by suspended ceiling tiles, in areas where tampering may occur.
Finally, in less trafficked but more vulnerable areas such as where OT systems are located, surveillance cameras can be configured to alert security staff in real time when motion is detected. Not only do motion-based surveillance cameras in these areas help discourage device tampering, but they also can detect and offer alerts on other building issues, such as broken or leaky pipes.