Cybersecurity

Cybersecurity needs for connected building systems

Connected building systems offer exciting opportunities for the industry, but they also bring cybersecurity risks designers and manufacturers may not expect.

By Wayne Stewart July 14, 2021
Image courtesy: Brett Sayles

Connected capabilities offer a great deal of potential for building systems. Connected HVAC, lighting, alarms, fire protection and more are all key components of smart buildings currently in demand. These capabilities offer exciting opportunities for the industry, but they also bring cybersecurity risks that may be new or unfamiliar to designers and manufacturers. Cybersecurity concerns may be new for these industries, but they are very real.

Cybersecurity influences more than just an individual system, its related products or or devices. Connected systems have the potential to act as a gateway to other “internet of things” products, servers, networks and and important data. Issues with one system or a product within it, can expose other systems and devices. A compromised lighting system can expose and put at risk HVAC, security, information technology and more.

In commercial settings, client or customer data and information could be exposed and in a residential setting, personal information could be in danger.

Breaches in building systems could present in any number of ways. A 2013 data breach where 40 million credit cards were exposed, for example, started with a compromised HVAC system. Reported flaws in lighting systems have shown it was possible to compromise Wi-Fi networks, in turn putting personal data at risk, particularly on unprotected networks. Authorization bypasses, network/data exposure and vulnerability to hackers are all real concerns when it comes to desirable, technologically advanced connected products and systems.

To help mitigate risks from connected systems, engineers and manufacturers must take proactive cybersecurity measures to keep individual products and the connected ecosystem as safe and secure as possible. Cybersecurity should be integrated into the product at all stages—from concept to ongoing use.

The problem is many connected products and systems are not designed with cybersecurity in mind and they aren’t independently assessed for cybersecurity very often. Instead, connectivity is often introduced as an add-on or upgrade to existing products not originally designed for the online world. Then they are sent out into a connected world without proper protections in place.

Proactive cybersecurity measures are a must for connected building systems. This includes risk management, testing, certification, continued vulnerability assessments, patches and security updates. The first step to ensuring a functional and secure system is understanding the various cyber threats present in today’s landscape. These threats are becoming more sophisticated, complex and and prevalent, all at a time where concerns around data protection and privacy are growing.

The threat landscape

Cybersecurity threats can range from various types of malicious software (malware) to human activities—both attacks and human error. Add to the mix increasingly sophisticated technology, like artificial intelligence or machine learning, as well as the ability to run high-volume attacks and the risks increase. To best combat the threat, it is essential to understand what the risks are and where they come from. Familiarity with the threat landscape is the first step in ensuring system security.

Malware

Malware includes executable code, scripts, active content and other software designed to damage a computer, server or or network. It is often encountered in the online space, with many high-profile breaches and hacks having links and origins in malware. Several subsets or types of malware commonly affect IoT products:

  • Botnets: A network of compromised devices remotely controlled by an attacker to conduct attacks such as distributed denial of service or to steal data, send spam or access other devices and/or connections on internal networks.
  • Ransomware: Malware that holds data, systems or or devices “hostage” unless a ransom is paid. These incidents are on the rise, with critical industries like health care and infrastructure being especially vulnerable as seen with recent attacks on US gas pipelines. In extreme cases, ransomware attacks on critical systems could even result in injury or death. The Director of the FBI has compared the recent ransomware activity in the U.S. to the 9/11 terror attacks.
  • Worms/viruses: A worm or virus is malicious software that replicates itself. Replication does not necessarily rely on any human interaction; it is often spread using the network. Impact can vary from mild inconvenience to significant damage, including system failure, data corruption, wasted virtual resources, increased costs or or data/information theft.
  • Spyware: Spyware infiltrates devices and networks to steal data and other sensitive information. Spyware is one of the most common threats on the internet with individuals, businesses and and organizations vulnerable to attack.

Human activity

Behavior by humans is also an important consideration for connected products and systems. This might include malicious activities such as coordinated attacks where perpetrators seek out a vulnerability or weakness to access networks, devices, information or or services. Examples include denial of service — an attack that has grown in popularity where an attacker looks to make a device or network unavailable by disrupting services of a connected host — and web-based attacks, where security holes in websites, applications or or application programming interfaces are exploited to get unauthorized access to devices, networks or or servers.

Phishing, a fraudulent act that accounts for nearly 90% of social attacks, can be used to harvest credentials, access IoT devices and data or otherwise infiltrate a connected ecosystem. Phishing is not only a coordinated attack, it is also brought about due to user error because the perpetrator has tricked a target into sharing information. Lost or stolen devices and inadequate cybersecurity measures also are examples of how human activity can make connected systems and their networks vulnerable.

Whether a coordinated attack, an honest mistake or or a viral threat, cybersecurity concerns are very real and can have impact ranging from mild inconvenience to major disruptions and damage. However, these risks can be countered with secure products that undergo comprehensive testing and, in some cases, certification.

Peace of mind

Secure products are a key component of combating cybersecurity risks. Thorough testing and certification of systems helps ensure connected systems, their components and their data are as safe and secure as possible. Manufacturers can have products and systems assessed to a range of industry standards; optional assurance tests can also be critical to ensuring and illustrating cybersecurity.

Standards-based security

There are several standards that can be used to assess connected devices, depending on product type and the desired market. These standards can vary based on product type, intended use, testing goals and and overall situation, so it is important to understand which standards may apply to a given system, as well as which certifications may be required for a market. Potential standards for connected systems include:

  • Internet of Things standards: The IEC 62443 and UL 2900 families of standards apply to connected products (and systems) used in the home, commercial settings, medical devices and security and life safety. They provide a framework for assessing cybersecurity vulnerabilities, including requirements for technical assessments and acceptable standards. Connected products must be tested to the requirements established in the relevant standards. Products shown to meet the requirements can be certified, illustrating their compliance.
  • Cryptography: The Federal Information Processing Standard 140 is a U.S. standard for secure cryptographic implementations. Though it is a U.S. standard, it has gained worldwide recognition as a de facto cryptography standard and certification, making it a good guide for other markets. FIPS certification is a required for products or systems intended for the U.S. federal government and it is recommended for the Canadian government.
  • Common criteria: Also known as ISO 15408, the common criteria set of standards often focuses on more traditional information communication technology products. The standard, which is internationally used and accepted, is designed to specify and IT security through functional and assurance requirements, as well as product and system specifications and evaluation. Common Criteria certification is recognized by more than 30 countries, including the U.S., Canada and many countries within the EU. It is recommended for IT products used by government entities and for critical infrastructure.
  • ISO 27001: Organizations using a risk management system focused on information security are eligible for certification under ISO 27001, which covers people, processes, technologies and facilities used in daily activities. Compliance requirements include conducting a gap analysis, as well as creating and implementing an Information Security Management System.
  • Standards that are uniquely targeted at consumer products and are built upon a widely accepted security baseline. An example is ETSI EN 303 645, which covers safety-relevant products like smoke detectors, door locks, alarm systems and automation systems and includes 13 provisions for security and five specific data protection provisions.

Assurance testing

Optional assessments can also be used to illustrate security and resiliency by testing based on industry best practices. Often, these voluntary evaluations provide peace of mind and enhance a product’s appeal. They include:

  • Private certification schemes can help manufacturers demonstrate robust, on-going security over the life of a product or system, by monitoring new, emerging risks that relate to the product. Other cybersecurity testing schemes can also be used to illustrate cybersecurity considerations have been made in developing the product. As a voluntary assessment, the requirements and provisions for each scheme can vary.
  • Vulnerability assessments, which evaluate susceptibility to known weaknesses and vulnerabilities, using specialized tools and detailed examinations to test systems, networks and and cloud-based services. Assessments can also include evaluations against well-known communication protocols and applications. Results are interpreted in the context of a product’s intended environment to understand risks at a practical level.
  • Penetration testing, also known as ethical hacking, sees experts attempting to infiltrate networks, systems, products and and applications. The approach provides an attacker’s perspective and a detailed report identifies exploitable vulnerabilities and recommends mitigation, as well as strengths as successes.
  • Security design review: Considering cybersecurity early in the design process is more cost-effective and efficient than trying to add security later in the process. Assessing security controls or network design for effectiveness and adequacy regularly throughout the design phase will help to ensure product security.
  • Privacy impact assessment: A detailed review of organizational or product privacy policies and controls to ensure compliance to legislation and security standards. Assessments address the risks to privacy or privacy-related security that have been identified and considered, along with mitigation protocols.
  • Threat risk assessment: A threat risk assessment identifies assets that need to be protected, the value of those assets and associated threats/vulnerabilities. It considers the impact of damage or loss and, most importantly, how to mitigate exposure or damage. A typical assessment will deliver a prioritized list of issues to be addressed.

Best practices

For any connected device, best practices, industry-specific standards, testing and certification should all be used to ensure a secure product. First and foremost, keep cybersecurity risks and methods of mitigation in mind from the start. Include these considerations in mind throughout product design and development.

Adding security after the fact seldom works and ends up being more expensive over time. Instead, a product should be built to be intrinsically secure. Define all security requirements for a product, including what types of threats might exist to the product and vulnerabilities that might reside in the product. Then, consider what safeguards should be implemented.

Test for cybersecurity early and often whenever possible. This helps mitigate risks along the way, as opposed to saving it for the end. Testing throughout the development process will help to ensure you are not introducing security risks along the way. Independent testing and security certification illustrate compliance with regulatory or industry requirements. An independent opinion confirms controls are working as intended, offering a competitive advantage. It also outlines roadmaps for security improvement, improved operating processes and identification of key business assets.

Creating a connected device can be a challenging task in a world where technology continues to evolve at a rapid pace. Ensuring adequate measures are in place to ensure the protection, integrity and resilience of products, systems, information and data is critical to success and building a brand. A proactive approach to leverage existing standards and undertaking additional assurance assessments, can mean the difference between a success and a failure.

– Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

References

https://www.msn.com/en-us/news/world/fbi-director-christopher-wray-compared-the-latest-spate-of-ransomware-attacks-against-the-us-to-911/ar-AAKHNV


Wayne Stewart
Author Bio: Wayne Stewart is vice president of cybersecurity at Intertek, a CFE Media content partner.