Michael C. Skurla, chief product officer of Radix IoT, looks at managing IoT security in smart, connected buildings.
The current $80.62 billion global smart building market is expected to reach $328.62 billion by 2029. These connected, smart buildings are a complicated web of controls, chips, sensors, and most importantly legacy systems. Most recently this web has also been layered with IoT devices that add to the facilities’ operators’ ability to manage all aspects of buildings performance–from security to tenants’ needs, remote operations controls, HVAC, access control, lighting solutions, to the more advanced geolocation services now entering the market.
From a tertiary view these systems help lower ever-rising OpEx costs. Spikes in commercial natural gas prices, which are up 42% over a two-year period and are used in electricity production (up 15% in two years)–are an exceptional starting point of where data merged with operations data can offer savings, according to one CBRE report.
The Internet of Things (IoT) offers a vast global economic and societal significance, yet there are major security concerns. Though there’s been a focus for decades on security and the idea of protecting networks, IoT brings confusion given its diverse and often haphazard deployment. There is an uneasiness to the idea that building technology, operational technology, as well as business information technology are now sharing space. Much of this comes down to pricing. For better or worse, IoT has democratized technology and brought the price of automation and monitoring to a level that is now accessible to both people and industries that never thought technological improvement of this scope would have been possible.
This of course comes at an expense. The proliferation of devices opens vectors of attack that are no longer umbrellaed by typical I.T. security provisions, and the market has proven that it is unwilling to pay significant premiums for IoT security. A dilemma that is yet to be resolved.
Consider the Business Aspects of IoT Security
Technology is moving at a rapid speed for regulators and governing bodies to catch up. But one thing is definite: The cat is out of the bag, it's had litters, and the cats have figured out how to outsource and clone themselves.
In September, the European Commission proposed EU’s first cybersecurity regulation Cyber Resilience Act for the IoT industry, worth nearly €1.5 trillion, to mandate “stronger cybersecurity protections for IoT devices.”
In October, the White House announced plans for a product labeling system to alert consumers to the security risks “associated with connected devices” which will involve stakeholders, companies, and trade associations to offer "a common label for products that meet U.S. government standards” tested by vetted and approved entities.
These are only trivial starts, and even with these advances it is clear regulations can’t keep up with the pace of technology. The market is the only answer here, yet we have spent so much time on trying to protect against attacks we have almost forgotten that protecting against something is less important than detecting an attack, and even more importantly, gracefully mitigating a problem.
For years we’ve run the fool’s errand of trying to protect. This is not sustainable. The enemy has the advantage. Instead, everyone should be talking about what we do when there is a breach, and the answer used to be ‘stop, shut down, and wait for a fix’. The world, however, is now beyond this, and it’s a terrible answer to a problem in IoT, where devices are operating in cars on road, and in healthcare in people’s life support devices. Triage of the inevitable is the far better path of investment to ‘protect and pray’.
In the end, IoT security lies in a deeper place than I.T. It comes to memory access–software defects exploited by hackers to control a device or system at a hardware level. It’s different from IT equipment security. A recent research study by Microsoft and Google shows that 70% of vulnerabilities are actually memory safety issues. Also, 53 out of 95 bugs could have been completely prevented by using a memory-safe language. Consider Morello’s CHERI architectural extensions, which help mitigate memory safety vulnerabilities–by pointing to the variables in computer code that reference where data is stored in memory. This limits how those references (pointers) are used, the address ranges they “touch”, and their overall functionality.
From a market perspective, the industry’s most ambitious cybersecurity project to date is a collaboration between the University of Cambridge (UK), Google and Microsoft. Last year, IT Governance discovered 1,243 security incidents, accounting for over 5,126,930,507 breached records–an 11% increase in security incidents from the previous year. Hospital and healthcare providers were among the top sites of the over 300 million global ransomware attacks on devices last year.
Given the lackluster response of market forces to date, regulators are focusing on what they can (though mostly in Europe and the UK), and almost all the standards are based around EN-303-645– the globally applicable standard for consumer IoT cybersecurity. Though fairly wordy this can be summed up to:
- No default passwords.
- Vulnerability product reporting mechanisms.
- Transparency on the security lifecycle of a product.
The final one, transparency, being most likely the most important. As we move to a world of ‘everything connected’, the idea that–say our fridge–stops getting updates at some point, should scare us.
The National Institute of Security and Technology (NIST) Framework recommended best practices are: Identify, Protect , Detect, Respond and Recover. While security will never be absolute, prescriptive standards have failed to date. Even if you wanted standards (which would be out of date in a month), those standards would cost $9000 GBP, and come in 61 different documents. No manufacturer cares to deal with that, and certainly no user.
The industry answer seems to say we are hiring more cyber-security professionals. The problem is we don’t need more cyber-security specialists. We need more cyber-security competency in trades and vendors.
What’s Security vs Privacy
The security precautions across connected, smart buildings focus on security vs. privacy.
While the best way to assure privacy is not to have data in the first place, we know data is ubiquitous.
According to the 2019 “State Of Enterprise IoT Security In North America: Unmanaged And Unsecured” study by Forrester Consulting, while 67% of enterprises have experienced an IoT security incident, only 16% of security managers say they have adequate visibility to the IoT devices in their environments. It’s also worth noting that:
- 69% of enterprises have more IoT devices on their networks than computers. (Actually, there is a 3:1 ratio: For every 1 employee there are 3 IoT devices).
- 84% of security professionals believe IoT devices are more vulnerable than computers.
- 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices.
- 5% of companies are willing to curb their operational and business data in the name of IoT security.
We can establish most security measures through collaborative, systematic, and multi-disciplinary methodologies. But security falls beyond just an IT problem–it’s an organization-wide problem involving all stakeholders–operators, tenants, visitors, shareholders and all the vendors involved.
The interlink between security and privacy is clear. Without security we can’t have privacy. Small security weak points can become major attack areas. Keep in mind 96% of attacks are not sophisticated - simple things like an employee jotting down a password on a piece of paper accessible to anyone walking by a desk or entering a password on an unsecure website where information is gathered and misused.
The Shadow World
Remote work has brought millions of personal– “shadow IoT devices”–into the enterprise networks, expanding the attack surfaces. Employees don’t consider the security precautions and network managers lack visibility into shadow devices, which means security breaches can come from:
- An open Wi-Fi access point on your facility’s network opening browsing access to your network.
- An unsecured, un-managed ethernet port on a switch provides access–allowing anyone to plug in and access your network.
- Leaving an unlocked computer in an office, or a public site, allows access to files on the network.
Companies often overlook the existing systematic IoT penetration from the building they are located in. You then take into account remote workers, and their connected networks, and it becomes very complex.
Often unthought of by facility operators about devices that get added to networks (typically unknowingly):
- What does your device connect to on the network?
- How is it configured?
- What does it speak to – and how does it speak?
- What are the Trusted and Untrusted surfaces?
- What actions vs observations are needed?
- What are the main potentials of its interaction?
- Who are the manufacturers – software or hardware?
- What level of operational transparency is currently in place?
The Shared Path Toward IoT Security
Improved IoT security should be an industry Trustmark program. Normalizing open standards and manufacturer’s transparency with minimum viable policies can offer interoperability as a norm across all industries involved. To date, this is not a thing in IoT, though there are efforts outside of the United States.
In the IoT world, building systems require both the drive and ease of security as their foundation (and sadly a price-point to match). We are now getting data from more sources than ever. How we secure that must be analyzed by each organization. There is no one size fits all, but at the same time saying IoT isn’t something that impacts a business is a lie for those that simply want to keep it. IoT is here, and it’s staying, and it’s already in your facility…. You can’t really stop it now.