How to approach IoT cybersecurity for smart buildings

The Internet of Things (IoT) requires a sound strategy when applying it to smart buildings because of the many different systems that need to be connected.

By Erin Anderson April 15, 2021

The proliferation of the Internet of Things (IoT) is making buildings more complex and dynamic, with hundreds of devices connecting to disparate systems to perform a wide range of functions like energy management, physical security and occupancy optimization. Operating IoT devices on the scale needed at facilities such as hospitals, ports, or universities can devolve into a zoo of technology that no single group can understand or supervise. Because of this, many facilities teams are turning to centralized IoT management platforms that connect and monitor different building systems and devices, thus making buildings “smart.”

What exactly is the IoT? It’s a pretty broad term that is thrown around often today. According to Facility Executive, “The IoT is the concept of connecting any device with an on/off switch to the internet and/or to each other. IoT uses one common internet protocol (IP) to connect devices, which include everything from smartphones, tablets and digital assistants to various types of sensors and systems such as HVAC, lighting, and security.”

Although using a single IoT platform to regulate multiple systems and devices delivers important benefits like improved energy efficiency, increased productivity and better predictive maintenance, this centralization of device management also opens the door to widespread cyberattacks. The public and private sectors are taking notice of the expanding attack surface, with the United States government enacting the IoT Cybersecurity Act of 2020. The act states that the National Institute of Standards and Technology (NIST) must develop and publish standards and guidelines for the management of IoT device risks at the federal level, which they did in December of 2020. We can expect that many in the private sector will embrace these new IoT standards from NIST, given the popularity of the NIST Cybersecurity Framework.

Three factors for creating a risk management program

When creating a security and risk management program for the IoT in smart buildings, IT and facilities teams should consider these three factors:

1. People

First and foremost, organizations should clearly designate responsible parties for the supervision and administration of cybersecurity processes and tools for building systems. Many companies are converging physical security and cybersecurity functions under a Chief Security Officer, which can help achieve better collaboration between the traditionally siloed departments of facilities management and IT. If you’re not sure where to begin, you can check out the Cybersecurity & Infrastructure Security Agency’s guide on how to best converge physical and cybersecurity functions. If you’re a smaller company that doesn’t have in-house expertise to efficiently manage a cybersecurity program, consider outsourcing the task to an experienced managed services provider.

You should also design cybersecurity training for everyone working in your buildings, whether they are employees, contractors, or students. To create a “culture of security,” everyone needs at least a basic awareness of why cybersecurity is important, what the IoT is and how they play a role in keeping it secure, and clear risk mitigation actions for them to complete.

2. Process

Choosing a risk management standard to abide by will make your cybersecurity program a whole lot simpler. Whether it’s the NIST Cybersecurity Framework or the 20 CIS Controls, having well-defined benchmarks to manage and measure your progress is critical. Every framework begins with one crucial element: asset inventory. Before you do anything else, make sure you gather complete hardware, software and configuration data, as well as information about who is authorized to access which systems. A framework can guide the development of effective policies and procedures, such as creating rules for secure device configurations and the validation of administrative accounts. Vendors coming onsite to perform system maintenance should also be expected to meet minimum security requirements.

Don’t overlook threats from the supply chain. As we saw with the SolarWinds hack, third parties will continue to be a sizeable risk vector in every industry. This problem is complex, and there is no silver bullet to solve it, but doing things like requiring password changes for new devices, performing regular vulnerability monitoring, and including strong language in your vendor agreements (especially for cloud vendors) that addresses their cybersecurity levels can all help reduce your risk.

3. Technology

Trying to manually manage devices with spreadsheets or even an army of technicians is a losing battle. There are too many, and they are constantly changing. Some devices are and will always be insecure by design. Instead, you should monitor the central systems that are managing IoT devices to collect data about them and detect anomalous activity much more efficiently than doing it on a device-by-device basis. It’s critical to find a solution that offers comprehensive monitoring for all your IoT platforms, building management systems and network traffic. To get the most complete cybersecurity coverage, you should use a combination of agent, agentless and passive methods to implement a layered approach to anomaly detection.

Deploy the right technology in the right places. Use passive methods first to learn what you have in your environment and which protocols your devices are using; that alone will tell you how big a visibility problem you have. Monitor the traffic patterns of your endpoints to determine who talks to whom and whether they are connected to the public internet. If they are, do they need to be? Once you have found all your endpoints, determine the best way to monitor each of them. Active agents are best when a device has an open operating system and you need to know which patches and software are installed and which ports are open. Agentless collection is best when a device lacks a full operating system but exposes an interface, such as SSH or a web page, from which data can be gathered.
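To make the passive-discovery and inventory-reconciliation steps above concrete, here is an added Python example; it is not code from the original article or from Industrial Defender's products. It parses constructed flow records (source, destination, destination port, transport, bytes), infers the building protocol from well-known ports, marks endpoints that exchanged traffic with addresses outside the site's own ranges, compares what was observed against an authorized asset inventory (devices seen but not inventoried, inventoried devices never seen, peers outside each asset's authorized list), and applies the article's agent/agentless/passive rule of thumb per device. All addresses, device names, site ranges and the port-to-protocol mapping are assumptions constructed for this example.

```python
"""Passive endpoint discovery from flow records, reconciled against an authorized
asset inventory. Illustrative example; every value below is constructed."""
import ipaddress
from collections import defaultdict

# Address ranges the site considers "internal" (assumption for this example).
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Well-known ports for protocols common on building networks (assumed mapping).
PORT_PROTOCOLS = {47808: "BACnet/IP", 502: "Modbus/TCP", 1883: "MQTT",
                  22: "SSH", 443: "HTTPS", 80: "HTTP"}

# Constructed authorized inventory: what IT/facilities believe is deployed.
# allowed_peers=None means "hub device, any internal peer is expected".
AUTHORIZED_ASSETS = {
    "10.20.1.10": {"name": "bms-server", "has_os": True,
                   "interfaces": ["ssh", "https"], "allowed_peers": None},
    "10.20.1.21": {"name": "vav-controller-3f", "has_os": False,
                   "interfaces": [], "allowed_peers": ["10.20.1.10"]},
    "10.20.1.30": {"name": "access-panel-lobby", "has_os": False,
                   "interfaces": ["https"], "allowed_peers": ["10.20.1.10"]},
    "10.20.1.55": {"name": "lighting-gateway", "has_os": False,
                   "interfaces": ["ssh"], "allowed_peers": ["10.20.1.10"]},
}

# Constructed flow records: "src_ip dst_ip dst_port transport bytes", one per line.
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for public peers.
SAMPLE_FLOWS = """\
10.20.1.10 10.20.1.21 47808 udp 1200
10.20.1.21 10.20.1.10 47808 udp 900
10.20.1.10 10.20.1.30 443 tcp 5400
10.20.1.44 10.20.1.10 502 tcp 300
10.20.1.30 203.0.113.8 443 tcp 8800
10.20.1.44 198.51.100.7 1883 tcp 2100
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, port, transport, nbytes = parts
        try:
            flows.append({"src": src, "dst": dst, "port": int(port),
                          "transport": transport.lower(), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def is_internal(ip):
    """True if the address falls inside one of the site's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_NETWORKS)


def discover_endpoints(flows):
    """Build a passive picture of each internal endpoint: protocols seen, peers,
    and whether it exchanged traffic with an address outside the site ranges."""
    endpoints = defaultdict(lambda: {"protocols": set(), "peers": set(), "internet": False})
    for f in flows:
        proto = PORT_PROTOCOLS.get(f["port"], f"{f['transport']}/{f['port']}")
        for local, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if not is_internal(local):
                continue
            ep = endpoints[local]
            ep["protocols"].add(proto)
            ep["peers"].add(peer)
            if not is_internal(peer):
                ep["internet"] = True
    return dict(endpoints)


def reconcile(endpoints, inventory):
    """Compare what the network shows against what the inventory claims."""
    unknown = sorted(ip for ip in endpoints if ip not in inventory)
    internet_exposed = sorted(ip for ip, ep in endpoints.items() if ep["internet"])
    silent = sorted(ip for ip in inventory if ip not in endpoints)
    unexpected = {}
    for ip, asset in inventory.items():
        allowed = asset.get("allowed_peers")
        if allowed is None or ip not in endpoints:
            continue
        extra = sorted(endpoints[ip]["peers"] - set(allowed))
        if extra:
            unexpected[ip] = extra
    return {"unknown": unknown, "internet_exposed": internet_exposed,
            "silent": silent, "unexpected_peers": unexpected}


def recommend_method(asset):
    """Agent for devices with an open OS, agentless where only an SSH/web
    interface exists, passive network monitoring otherwise."""
    if asset.get("has_os"):
        return "agent"
    if any(i in ("ssh", "https", "http") for i in asset.get("interfaces", [])):
        return "agentless"
    return "passive"


if __name__ == "__main__":
    eps = discover_endpoints(parse_flows(SAMPLE_FLOWS))
    for ip, ep in sorted(eps.items()):
        print(ip, sorted(ep["protocols"]), "external-peer" if ep["internet"] else "internal-only")
    print(reconcile(eps, AUTHORIZED_ASSETS))
    for ip, asset in AUTHORIZED_ASSETS.items():
        print(asset["name"], "->", recommend_method(asset))
```

In the constructed data, the unknown device 10.20.1.44 speaks Modbus/TCP to the BMS server and MQTT to an outside address, the access panel talks to a peer outside its authorized list, and the lighting gateway is inventoried but never seen on the wire; each is a finding a facilities team would want to chase before choosing agent, agentless or passive monitoring for the device.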

Applying the right tools to take inventory of your systems and devices, enforce policy compliance, and detect vulnerabilities and anomalies will be critical for IT and facilities teams in the 2020s and beyond.

– This article originally appeared on Industrial Defender’s website. Industrial Defender is a CFE Media content partner.

Author Bio: Erin Anderson, Industrial Defender