As IT and OT systems continue to be merged onto a single unified IP-based network, smart-building owners are increasingly becoming concerned about inherent cybersecurity weaknesses. These weaknesses can allow hackers to gain lateral access to all other systems and platforms on the network. To deter hackers, owners can look into logically segmenting their networks.
IT and OT consolidation creates potential cybersecurity issues
Until recently, in-building information technologies (IT) and operational technologies (OT) were physically separated to prevent a cyber breach from one network bleeding to the other. Unfortunately, building and managing separate networks is not cost effective and can lead to its own set of security issues—such as improperly managed remote access—that can increase the chance of a breach. Thus, the latest trend in smart building networks is to consolidate IT and OT networks while fortifying the network perimeter with modern cyber and visibility tools.
But even with the latest tools and processes in place, no network is immune to cyber threats. Thus, when security breaches occur, building networks run the risk of hackers being able to access both IT and OT systems using lateral movement. If not properly addressed, a consolidated IT/OT network may present a greater risk than keeping them physically separate.
Fortunately, IT and OT can be consolidated on a combined network while also eliminating much of the risk of east-west movement when a data breach occurs. How? Depending on the complexity and skill requirements, in-house staff or professional consultants can implement logical network segmentation.
Network segmentation can be deployed within a building in a few ways, based on factors such as the level of data sensitivity, building size, cost, and performance requirements. The easiest and lowest cost method of logically segmenting application traffic on IP networks is to combine the use of virtual LANs (VLANs) with access control lists (ACLs). Creating VLANs breaks a network into separate broadcast domains and IP subnets. The result is a framework for logical segmentation. From here, ACLs can be applied to permit or deny which traffic between VLANs.
For example, a smart building HVAC system and supporting sensors and management platforms can be placed into a separate VLAN and IP subnet. Communication among devices within this VLAN operates unobstructed. However, inter-VLAN communication can be restricted when it is occurring between the HVAC VLAN and the VLANs created for other IT/OT systems. Thus, a breach of an HVAC component will isolate the threat to only HVAC devices.
Though this method works well, it requires a great deal of manual configuration and upkeep. Thus, from a scalability perspective, this option may not be the best choice. Instead, the use of layer 4-7 firewalls or secure workload access tools within virtualized environments may be a better choice.
However, these security logical segmentation architectures are more costly and add additional technical complexities to operate effectively. Thus, no one-size-fits-all model exists when it comes to network segmentation. Instead, each building must be evaluated by competent network architects to determine which option would be preferred based on current and existing smart building needs.
Start small and increase over time
In most cases, implementing basic VLANs/ACLs to segment specific application traffic is a sound first step. Then owners and project teams can examine more advanced architectures to see which fit best from a scalability, complexity, and cost perspective. This roadmap will help to immediately reduce lateral movement risk while providing the breathing room necessary to adopt more advanced segmentation technologies moving forward.