Photo 119292075 © Melpomenem | Dreamstime.com
65a697de4d8c78001e29ac55 Buildingsiotsecurity Dreamstime Xl 119292075

Trust no one: 3 steps to secure IoT devices and building IT and OT networks

Sept. 14, 2022
To avoid security breaches, companies and their consultants should understand and implement IoT building security best practices and protocols to protect their facilities and their tenants and occupants.

The need for increased security measures is multiplying each day. As technology grows and methods of infiltrating networks and computer systems evolve, recognizing bad actors online is becoming more difficult. This is particularly critical in today’s world of remote access to corporate data, operational technology (OT) networks, and smart building systems composed of controllers, sensors, and data aggregators.

Universal network connectivity and deploying sensors or Internet of Things (IoT) devices in commercial buildings have been gaining traction for some time now, as building owners, facility managers, and contractors seek opportunities for increased efficiency, more robust operational performance, and improved occupant comfort.

However, with more endpoints comes more vulnerabilities. As such, stakeholders need to consider security concerns to ensure that these new devices do not become attack vectors, injecting risk not only into the operations of the building, but also into those of the tenants.

Stakeholders need to consider security concerns to ensure that these new devices do not become attack vectors, injecting risk not only into the operations of the building, but also into those of the tenants.

A security compromise in networks with control-related devices can have severe consequences. As a result, understanding IoT building security best practices and protocols is essential to securing facilities and, by extension, to protecting the facilities’ tenants and occupants. 

IoT devices: New points of vulnerability

IoT systems embedded with software, sensors, and advanced technologies enable connectivity and communication among building systems, but they can also introduce points of vulnerability and security threats. Networks should be designed and deployed with both functionality and security in mind.

Because the design and implementation of network class equipment are not the core competencies of a controls contractor, they will often install the underlying network for operational controls along with a supervisory controller. Their key objective is getting the project done, but perhaps not in a way that accounts for modern security threats. While they will verify that the control values work, their focus, unfortunately, is not to make the network secure.

A perfect storm of vulnerabilities is then unintentionally created. No hardware manufacturer or building contractor wants to introduce vulnerabilities on purpose.

Partnering with a systems integrator with in-depth building IoT expertise is invaluable for implementing a properly designed security architecture that keeps systems up to date, safe, and protected from risks. They should understand work together with a building’s IT department in a team-based approach to develop a range of security solutions.

Best practices for building security

To conform to best practices and protocols, system integrators and their IT collaborators should take these three critical steps:

1. Perform a vulnerability assessment

First, to baseline the building’s security posture, teams need to undertake a security evaluation, looking at the directional flow of data traffic to better understand the operational risks from end to end and to identify weaknesses in the default settings of IoT devices. Part of that baseline should be to determine if best practice methodology has been followed in the design and implementation of the operational technology network. This can become the starting point for you to insist that vendors are to use the principle of least privilege when configuring network access. The principle of least privilege, which limits information access to the minimum of what a user needs to conduct their work, is one of the pillars of “zero trust.”

Zero trust is the idea that all users or devices outside and inside an organization’s applications, software, networks, or systems, must be authenticated and validated before being given access to the requested resource; an example might be a controls technician who needs access to a BMS system.  Even if they previously could access a system, they are not automatically granted access the next time: they must authenticate each and every time to the zero-trust access platform.

Based on the assessment, a systems integrator can then work with building management to design and install a security system that physically secures IP-enabled devices and offers extended protection against unauthorized entry. This may include biometric locks, exterior surveillance monitoring, storage access control, and visitor access management.

2. Improve access control for better organizational security

A systems integration company should require all its employees and contractors to sign confidentiality agreements before gaining access to a building’s systems. Remote access to servers should be protected using an encrypted tunnel with two-factor or multifactor authentication and limited strictly to users authorized to access IoT devices or applications for specific projects.

All access must be logged by IP address to further ensure strict security; system access must be configured to limit access to only specified and necessary portions of the system. Smart analytics can be deployed to enforce access roles and user permissions in real-time within the facility’s systems.

3. Apply security automation features and encryption

A system that monitors and automatically flags security risks—such as excessive failed logins—and suspicious activity—such as malware or a virus—is critical to IoT building security best practices and protocols. Network behavior anomaly detection can become a key component of a network security solution.

Additionally, encryption is necessary for all data sent over the building’s operational technology network. This means developing an effective approach to managing encryption certificates and using modern encryption standards, such as Triple DES, AES, or RSA, which offer the highest level of security.

Deploy the zero-trust model for both OT and IT

The “guilty until proven innocent” methodology of zero trust keeps dangers at bay far before threats must be addressed; it also is equipped to respond to those threats when they are identified. Traditional data security strategies have formed strong perimeters to keep attackers out. Unfortunately, this lacks consistency and can often fall behind the constantly evolving methods of data theft.

Previously, cybersecurity focused on protecting information technology rather than operational technology. With zero-trust, the organization’s IT and OT portions are protected simultaneously, encompassing everything from verifying employee authenticity in a remote workforce to protecting highly sensitive infrastructure across the organization.

The zero-trust model has been gaining widespread acceptance. Earlier this year, the White House mandated a zero-trust strategy in place for all federal agencies by the end of the fiscal year 2024.

While IT is essential and should be protected as such, OT is where much of a company’s bottom line lives. If an attack on OT causes significant changes, the company and its stakeholders face an incredible loss of time, resources, trust, and reputation.

Creating more effective security strategies and policies

IoT and its associated technologies have introduced continuously evolving security concerns in commercial buildings.

The recent passage of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 affirms the significance of these concerns. The act outlines new security standards designed to address vulnerabilities in IoT devices, offers guidelines for reporting vulnerabilities, and provides requirements for vulnerability disclosure.

But while these efforts are a step toward better security, they are not enough to offer reliable security. As cyberthreats continue to emerge, developing robust strategies for managing system vulnerabilities related to advanced IoT technologies will remain critical.

The security of a network used for IoT devices hinges on our ability to build a solid foundation of best practices, including models like zero-trust, for our buildings and portfolios.

For more news, projects, and profiles in the smart buildings ecosystem, subscribe to the SBT newsletter and follow us on LinkedInTwitter, and Facebook.

About the Author

Richard Miller

Based in the San Francisco Bay Area, Richard Miller is vice president of sales and information technology at Buildings IOT, which helps building owners and managers set and achieve their goals at any phase of a smart building implementation. Richard focuses on providing secure and robust IT foundations for operational controls networks that are the lifeblood of a smart building, following the principles of least privilege and zero trust.

Voice your opinion!

To join the conversation, and become an exclusive member of Buildings, create an account today!

Sponsored Recommendations