With the rapid growth of consumer technology, building automation systems (BAS) have moved considerably from the physical realm to one with IT enabling all aspects of its functioning. As more devices, sensors, and controls vie for inclusion and tie in with building hardware, networking components, and data service elements, operator expectations are pivoting. There’s a growing need to control building systems from any device, anywhere. This also raises new, urgent challenges for native security-enabled features and their ability to protect the BAS-controlled infrastructure of a smart building. It is critical for anyone involved with building management to understand what is changing in the world of information security, what needs to be secured in a building, and how best to do so.
Information Security (InfoSec)
The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. Key components of InfoSec include confidentiality, integrity, and availability.
The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this. While InfoSec defends all information (physical or virtual), cybersecurity focuses on electronic data. Given the growth in technology, the two are often used interchangeably, though they are not entirely synonymous.
Commercial building operations at large, and smart buildings specifically, are shifting from systems that rely on onsite, physical, closed-loop data to cloud-connected BAS and BMS systems that offer dynamic environments characterized by open systems and protocols. This integrated network allows building owners, operators, and occupants to experience the benefits of a more holistic and responsive building. Traditional "stovepipe" systems, like siloed mechanical, pneumatic, and electric controls, are being integrated data acquisition and analysis IT systems. This shift to connected systems and data broadens the scope of InfoSec in smart buildings, both in the types of information being secured and the availability of and access points to that information.
At the same time, we are seeing the convergence of operational mechanisms—physical technologies like HVAC, lighting, and keyfobs—and information technologies, such as IoT-related data management systems and even financial and enterprise resource planning systems. This convergence of OT and IT means facility managers and IT personnel are working more and more closely together. Numerous organizations and studies have documented the need for new cybersecurity skills and training for the facilities workforce, as well as system integrators who can help guide building owners and managers through the complex process of choosing a BAS solution—one that can go well beyond just controlling physical pieces of equipment.
Every building, every situation, and every organization is different, so there is no silver bullet for slaying InfoSec threats, but there are some very reasonable precautions and best practices that should be deployed to minimize risk.
Principle of Least Privilege: Every process or program must be able to access only the information and resources that are necessary for its legitimate purpose.
The Onion Model: There should be multiple layers of protection and several points of required authentication before access is granted for sensitive data.
Access Control: It is important to have an enterprise-level approach to determining who in an organization should have access to what information and clear authentication policies, such as strong login requirements and passwords, so that they can prove they are, in fact, who they say they are.
There is no universal InfoSec requirement for smart buildings, but some broad government standards and industry certifications include NIST, ISO, and SOC.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: In February 2013, Executive Order 13636: Improving Critical Infrastructure Cybersecurity was issued, requiring NIST to "lead the development of a framework to reduce cyber risks to critical infrastructure by developing a Cybersecurity Framework"—a set of industry standards and best practices to help organizations manage cybersecurity risks. The Framework consists of three parts: core, profile, and implementation tiers. Learn more at nist.gov.
International Organization for Standardization (ISO) 27001 Certification: ISO 27001 provides requirements for an information security management system (ISMS), a systematic approach to managing sensitive company information so that it remains secure. It applies a risk management process, which includes people, processes, and IT systems. Learn more at iso.org.
Service Organization Control (SOC) Framework: The SOC framework was developed by the American Institute of Certified Public Accountants (AICPA), resulting in three reporting options. A SOC 1 report uses the Statement on Standards for Attestation Engagements (SSAE) 16 standard for reporting on controls. SOC 2 and SOC 3 reports, which are specifically geared towards technology and cloud computing companies, use the Trust Services Principles (TSPs) in accordance with the AT Section 101 attest standard. The five TSPs are security, availability, process integrity, confidentiality, and privacy. Learn more at aicpa.org.
At the end of the day, information security for smart buildings is not too different from information security in other industries. Every industry has undergone, and will continue to undergo, a rapid and constant evolution in how it protects sensitive data. Historically, security in buildings was focused on physical security. Then, during the rapid rise of the Internet, building managers simply plugged into the closest ethernet port switch. We've now come to a point where organizations need to consciously decide on access control in their buildings. It is helpful to keep in mind that, ultimately, building controls are just mini-computers. We can deploy many of the same key concepts and best practices that we use in other areas of computer science to ensure smart buildings are safe.