
Securing smart buildings through logical network segmentation

May 31, 2022
Don't miss this important first step to protect projects that have IT and OT systems moving to a unified IP-based network.

As IT and OT systems continue to be merged onto a single unified IP-based network, smart-building owners are increasingly becoming concerned about inherent cybersecurity weaknesses. These weaknesses can allow hackers to gain lateral access to all other systems and platforms on the network. To deter hackers, owners can look into logically segmenting their networks.

IT and OT consolidation creates potential cybersecurity issues

Until recently, in-building information technologies (IT) and operational technologies (OT) were physically separated to prevent a cyber breach from one network bleeding to the other. Unfortunately, building and managing separate networks is not cost effective and can lead to its own set of security issues—such as improperly managed remote access—that can increase the chance of a breach. Thus, the latest trend in smart building networks is to consolidate IT and OT networks while fortifying the network perimeter with modern cyber and visibility tools.

But even with the latest tools and processes in place, no network is immune to cyber threats. Thus, when security breaches occur, building networks run the risk of hackers being able to access both IT and OT systems using lateral movement. If not properly addressed, a consolidated IT/OT network may present a greater risk than keeping them physically separate.

Security solution

Fortunately, IT and OT can be consolidated on a combined network while also eliminating much of the risk of east-west movement when a data breach occurs. How? Depending on the complexity and skill requirements, in-house staff or professional consultants can implement logical network segmentation.

Network segmentation can be deployed within a building in a few ways, based on factors such as the level of data sensitivity, building size, cost, and performance requirements. The easiest and lowest-cost method of logically segmenting application traffic on IP networks is to combine virtual LANs (VLANs) with access control lists (ACLs). Creating VLANs breaks a network into separate broadcast domains and IP subnets, which provides the framework for logical segmentation. From there, ACLs can be applied to permit or deny traffic between VLANs.

For example, a smart building HVAC system and its supporting sensors and management platforms can be placed into a separate VLAN and IP subnet. Communication among devices within this VLAN operates unobstructed. Inter-VLAN communication, however, can be restricted wherever it crosses between the HVAC VLAN and the VLANs created for other IT/OT systems. Thus, a breach of an HVAC component is contained to HVAC devices only.
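To make the HVAC example concrete, the following Python model (added here, not code from the article) evaluates a router-style inter-VLAN ACL with first-match and implicit-deny semantics against a few constructed flows, and shows why traffic that stays inside one VLAN is never obstructed by it. The subnet addresses, the BACnet/IP port 47808 and the rule set are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for three VLANs (assumed values, not taken from the article).
VLANS = {
    "HVAC": ipaddress.ip_network("10.10.20.0/24"),  # controllers and sensors
    "BMS": ipaddress.ip_network("10.10.10.0/24"),   # HVAC management platform
    "IT": ipaddress.ip_network("10.10.30.0/24"),    # office users and servers
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# ACL applied to traffic leaving the HVAC VLAN towards other subnets. First match wins;
# a packet matching no rule hits the implicit deny at the end of every ACL.
HVAC_OUT_ACL = [
    Rule("permit", VLANS["HVAC"], VLANS["BMS"], 47808),  # BACnet/IP to the management platform only
    Rule("deny", VLANS["HVAC"], ANY),                    # everything else stays inside the HVAC VLAN
]


def vlan_of(ip: str) -> Optional[str]:
    """Return the VLAN whose subnet contains ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)


def allowed(src: str, dst: str, dport: int, acl=HVAC_OUT_ACL) -> bool:
    """Decide whether a packet gets through.

    Hosts in the same VLAN are switched at layer 2 and never reach the router,
    so the inter-VLAN ACL cannot obstruct them; only routed traffic is evaluated.
    """
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action == "permit"
    return False  # implicit deny
```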

Though this method works well, it requires a great deal of manual configuration and upkeep. Thus, from a scalability perspective, this option may not be the best choice. Instead, the use of layer 4-7 firewalls or secure workload access tools within virtualized environments may be a better choice.

However, these logical segmentation architectures are more costly and add technical complexity to operate effectively. Thus, no one-size-fits-all model exists when it comes to network segmentation. Instead, each building must be evaluated by competent network architects to determine which option is preferred based on the smart building's current needs.

Start small and increase over time

In most cases, implementing basic VLANs/ACLs to segment specific application traffic is a sound first step. Then owners and project teams can examine more advanced architectures to see which fit best from a scalability, complexity, and cost perspective. This roadmap will help to immediately reduce lateral movement risk while providing the breathing room necessary to adopt more advanced segmentation technologies moving forward.


About the Author

Andrew Froehlich | Contributor

As a highly regarded network architect and trusted IT consultant with worldwide contacts, Andrew Froehlich counts over two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Andrew is the founder and president of Colorado-based West Gate Networks, which specializes in enterprise network architectures and data center build-outs. He’s also the founder of an enterprise IT research and analysis firm, InfraMomentum. As the author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT-related websites and trade journals with insights into rapidly changing developments in the IT industry.
