How to balance the mixture of IT and OT smart buildings technologies

Oct. 27, 2021
Information technology (IT) and operational technology (OT) are quite different – yet both must be properly secured and managed within smart building operational frameworks.

In recent years, OT systems, which have traditionally been physically segregated and managed separately from IT, are now beginning to be placed together on a single converged network. Because of this, many building operators are presented with new questions on how they can best secure this mixture of IT and OT within a single network architecture.

Let’s look at a few methods that can help with this task.

Logical segmentation

Just because IT and OT equipment shares the same physical network doesn’t mean that traffic flows cannot be securely segmented. Network firewalls and access lists configured on routers/switches are two common methods that can be used to logically separate IT from OT systems on the wired Ethernet network.

Similarly, IT and OT components that connect to networks using Wi-Fi can use separate SSIDs and associated access rules to logically separate IT from OT traffic so that a compromised system on one side will not impact the other.

Granular remote access controls

In many cases, third-party managed service partners are responsible for the overall maintenance and upkeep of smart building technologies. As such, these partners typically request remote access in the form of VPN connectivity. This way, the partner can monitor and manage the technologies from afar as opposed to coming on site each time maintenance or upgrades need to be performed.

While remote access VPN has been around for years, it’s often been implemented in a way that’s less than secure. In many cases, access is far too open and allows these third-party service providers to reach the entire network as opposed to just the specific network subnets and IT/OT components they are responsible for. If VPN credentials were compromised, bad actors could then gain full access to the entire smart building infrastructure, and the entire network, rather than just a small subset of it, could be compromised.

To counter this, remote access configurations should include the use of granular access controls that limit what networked components can be accessed. In many cases, access to only a handful of IT/OT devices is required. Thus, access control lists should be created that allow remote access users the ability to reach those specific IP addresses with a “deny any” rule at the end to restrict all other access across the smart building network.
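The first-match access-list model behind both the IT/OT segmentation rules above and the granular VPN policy, as an added example that is not part of the original article: a small evaluator with the implicit "deny any" at the end, applied to a constructed legacy "permit everything" VPN rule and a constructed granular rule set that only reaches two building controllers. All addresses, ports and rule names are assumptions made for the example.

```python
# Added example (not from the article): a minimal first-match access-list
# evaluator with an implicit "deny any" at the end, used to compare an
# over-permissive VPN policy with a granular one. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, e.g. the VPN client address pool
    dst: str                     # CIDR; "0.0.0.0/0" models "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow hits the implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"

def overly_permissive(acl: List[Rule]) -> List[Rule]:
    """Audit helper: flag permit rules whose destination is 'any' or a /16 or wider."""
    return [r for r in acl if r.action == "permit" and ip_network(r.dst).prefixlen <= 16]

VPN_POOL = "10.250.0.0/24"  # constructed address pool handed to VPN clients
# Legacy policy: one rule that lets the service partner reach the whole network.
LEGACY_ACL = [Rule("permit", VPN_POOL, "0.0.0.0/0")]
# Granular policy: only the two controllers the partner maintains, on the ports
# they actually use, followed by an explicit deny any.
GRANULAR_ACL = [
    Rule("permit", VPN_POOL, "10.20.30.5/32", 443),    # BMS head-end, HTTPS
    Rule("permit", VPN_POOL, "10.20.30.6/32", 47808),  # BACnet/IP controller
    Rule("deny", VPN_POOL, "0.0.0.0/0"),
]

def reach_from_vpn(acl: List[Rule], targets: List[Tuple[str, int]]) -> Dict[str, str]:
    """Map each (host, port) a VPN client might try to the ACL decision."""
    client = "10.250.0.17"  # constructed address from the VPN pool
    return {f"{h}:{p}": evaluate(acl, client, h, p) for h, p in targets}

if __name__ == "__main__":
    probes = [("10.20.30.5", 443), ("10.20.30.6", 47808),
              ("10.20.30.5", 22), ("10.10.5.40", 445)]  # last one: an IT file server
    print("legacy   :", reach_from_vpn(LEGACY_ACL, probes))
    print("granular :", reach_from_vpn(GRANULAR_ACL, probes))
    print("too broad:", overly_permissive(LEGACY_ACL))
```

The same evaluator models an inter-VLAN access list between IT and OT segments; only the source and destination prefixes change.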

End-to-end visibility

Cybersecurity is an incredibly difficult task without the proper levels of infrastructure visibility. Basic network monitoring that leverages ICMP (ping), the simple network management protocol (SNMP) and flow-based monitoring is the absolute minimum when it comes to monitoring devices from an operational standpoint.

However, there are also several security-focused tools that can provide further insights into whether devices or networks have been compromised. Examples of these types of tools include security information and event management (SIEM), security orchestration, automation and response (SOAR) and network detection and response (NDR). These tools collect pertinent security-related information such as device logs, event errors and network telemetry information that is then analyzed to identify possible security threats.

More advanced systems incorporate artificial intelligence (AI) to identify the root cause of an issue and even go so far as to recommend how security administrators can quickly remediate a cybersecurity incident.

Beware: IT is ahead of OT from a cybersecurity perspective

It’s important to note that in 2021, operational technologies lag behind enterprise information technology from a cybersecurity perspective. OT vendors are not yet experts in the field of data security – and it certainly shows.

That means that extra planning must be performed to wrap additional security around OT. Failing to do so can not only risk a breach of OT equipment, but it could also potentially bleed over into IT, causing even more harm.

Thus, be aware that while commingling IT and OT can ultimately save time and money within a smart building, it must be done in a way that considers the inherent flaws of OT that still exist today.

About the Author

Andrew Froehlich | Contributor

As a highly regarded network architect and trusted IT consultant with worldwide contacts, Andrew Froehlich counts over two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Andrew is the founder and president of Colorado-based West Gate Networks, which specializes in enterprise network architectures and data center build-outs. He’s also the founder of an enterprise IT research and analysis firm, InfraMomentum. As the author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT-related websites and trade journals with insights into rapidly changing developments in the IT industry.