December 2014
Avoiding Some of the Pitfalls of the Internet of Things
Chris Topham, Abtec Building Technologies Ltd, ct@abtecbt.com
The Internet of Things isn’t a movement or technology phase that will happen in the future. It is happening now. Some estimate that by the end of this decade over 75 billion devices will be network connected [1], and much of that growth is taking place in the building services industry. We are all contributing to the Internet of Things by connecting building control devices and systems to a network for remote monitoring. This is IoT in its simplest form: adding remote connectivity and automation to building control systems. But in the rush to capitalise on smart buildings and connected cities, are we leaving our clients and reputations open to abuse? Our industry has examples [2] where weak security has opened the space for malicious attack. Recent research estimates that there are 2.2 million SCADA and BACnet devices directly or indirectly exposed to hacking over the internet [3]. So are we, as project managers or contractors providing building control services, the weakest link in this IoT chain?
This article explores the methods and technologies of deploying remote access connections. It provides useful guidance on the type of network and network service provider for your projects. Implementing the conclusions of this article will help you provide remote access connections that are both easier to manage and much more secure.
The Rise of Remote Connections
Whether your project involves lighting controls, building management systems, air conditioning or monitoring energy use, there’s a strong chance you’ll want to access building control devices remotely. Providing a remote access connection may be a small element of your project, but get that element wrong and it can cause large problems for you and your client. Recent building control security breaches highlight the risks of providing remote access without appropriate thought to security. In summer 2013, cybersecurity researchers hacked into the BMS of Google’s new offices in Sydney, Australia [4]. The BMS was connected to the Internet with a standard broadband DSL line. In December 2013, hackers stole 40 million credit cards from the US retail superstore Target. It is believed that the hackers gained access to Target’s network via a remote connection for a third-party HVAC company [5].
____________________________
[1] www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10
[2] Only more recent iterations of the open standard KNX have implemented embedded security: http://www.knx.org/knx-en/news/2014/entries/2014-08-08_KNX-Security-Statement.php. Security issues have been raised with older BMS: http://www.wired.com/2013/05/googles-control-system-hacked.
[3] Project SHINE report, October 2014. http://www.slideshare.net/BobRadvanovsky/project-shine-findings-report-dated-1oct2014
[4] http://www.wired.com/2013/05/googles-control-system-hacked/
[5] http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Benefits of remote connectivity
There are many reasons why building services companies require remote connectivity to customer sites. During the construction or refit process, access to building information modelling (BIM) data may be necessary, enabling changes to plans in real time. Without some kind of network connectivity this would be impossible.
Post commissioning, contractors will want to support their BMS (Building Management Systems) or building control installations, either for the defect liability period or as part of a maintenance contract. The ability to diagnose and resolve issues remotely can eliminate expensive site attendances. Contractors can respond faster to client requests, enhancing customer relationships.
Another remote connectivity application is energy data harvesting. This typically involves connecting to single devices at the customer site and transferring small amounts of data.
But, are we providing those remote connections with the appropriate technology?
The Problems with Internet Connections
Many of these remote connectivity applications can be achieved with standard Internet connections such as broadband or 3G/4G mobile SIM cards. These are popular among building services contractors due to their wide availability and simplicity to order. However, those benefits come at a cost.
Not Scalable
Some contractors use VPN (Virtual Private Network) technologies to create a private tunnel through the Internet to the remote site. This is acceptable for a small number of sites, but VPN solutions do not scale well and become difficult to manage for larger numbers of sites. There are also other issues with using the internet as a transit mechanism.
Security Concerns
Modern building control systems, more often than not, have web, file transfer and network management protocols enabled by default. Connecting these systems to the Internet, even with VPN technology, can expose customers to security threats. As mentioned above, there have been many breaches of network security due to poorly configured Internet connections into BMS networks. Many clients are sensitive to security concerns and will not accept Internet-facing connections into their premises.
Standard SIM Problems
Standard mobile 3G/4G SIM cards can be problematic too. These SIMs are intended for outbound connections, typically downloading content from the web to a mobile device, so firewalls within the cellular networks will often prevent VPNs from connecting to these SIMs.
A Better Way
Private networks are designed to address all of these issues. A private network is not linked to the Internet in any way. It uses fixed private IP addressing and infrastructure not visible to the Internet. Private networks are easy to provision and manage because the complexity of dealing with many VPN tunnels is removed.
There are many types of connectivity into private networks, as we’ll explore shortly, including broadband and 3G/4G cellular access. It is important to note that although we associate these connection technologies with the web, these versions don’t connect to the Internet.
Private Networks Explained
Using the Internet as a mechanism to provide remote access to building control systems is problematic. Security is a major concern; Internet VPNs don’t scale beyond a handful of clients; and standard 3G/4G SIMs don’t allow VPNs or remote access. A more secure way of providing remote connectivity can be achieved using a private network. Private networks remove the need to provide VPN technologies, as the connections are already part of a private network. They’re also easier to manage; multiple clients and sites can be managed from a single point, rather than having to connect to each site individually.
Both cellular and fixed line connections, for example DSL broadband, can be used to connect to a private network. Private cellular connections can be achieved using a Private APN (Access Point Name) network. These are networks which are linked to the cellular carrier networks. They route the data generated by building control devices through to a private network. This means that each SIM has a private, static IP address and full transparent IP routing through the private network. DSL connections typically connect to a service provider’s private network via a national service provider’s backbone network, again avoiding the internet.
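Bringing many client sites together behind one management point means each site's addressing has to be private and must not collide with the others. As an added example (not from the article or Abtec), the Python check below audits a constructed multi-site addressing plan: it flags devices or subnets outside the RFC 1918 private ranges (i.e. Internet-routable), devices placed outside their site's allocated subnet, and site subnets that overlap each other. All site names and addresses are constructed placeholders.

```python
"""Audit a private-network addressing plan spanning several building sites."""
import ipaddress

# RFC 1918 ranges: the "fixed private IP addressing" a private network relies on.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: site -> (allocated subnet, device addresses).
# 203.0.113.0/24 is a documentation range, used here only as a stand-in for
# a publicly routable block; the other addresses are likewise illustrative.
SITES = {
    "Office A": ("10.10.1.0/24", ["10.10.1.10", "10.10.1.11"]),
    "Plant B": ("10.10.2.0/24", ["10.10.2.20", "10.10.1.30"]),  # 10.10.1.30 is off-subnet
    "Depot C": ("10.10.1.128/25", ["10.10.1.130"]),             # overlaps Office A
    "Meter D": ("203.0.113.0/29", ["203.0.113.5"]),             # not RFC 1918: Internet-facing
}


def is_rfc1918(value):
    """True if the address or network lies entirely within an RFC 1918 range."""
    obj = ipaddress.ip_network(value, strict=False)
    return any(obj.subnet_of(rng) for rng in RFC1918)


def audit_plan(sites):
    """Return a list of (site, finding) tuples; an empty list means the plan is clean."""
    findings = []
    nets = {}
    for site, (cidr, hosts) in sites.items():
        net = ipaddress.ip_network(cidr, strict=True)
        nets[site] = net
        if not is_rfc1918(net):
            findings.append((site, f"subnet {net} is outside RFC 1918 (Internet-routable)"))
        for host in hosts:
            addr = ipaddress.ip_address(host)
            if not is_rfc1918(addr):
                findings.append((site, f"device {addr} has a public address"))
            elif addr not in net:
                findings.append((site, f"device {addr} is outside allocated subnet {net}"))
    # Pairwise overlap check: overlapping sites cannot be reached from one management point.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, f"subnet {nets[a]} overlaps {b} ({nets[b]})"))
    return findings


if __name__ == "__main__":
    for site, message in audit_plan(SITES):
        print(f"{site}: {message}")
```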
Private Networking Connection types
Different sites and applications will require different types of connections to the network. The table below describes the types of connections available and the characteristics of each link. A ‘mix and match’ approach can be taken when selecting the network connections; they don’t all have to be the same type of connection.
The most popular types of connection for building control systems are the cellular 2G/3G/4G and ADSL broadband connections. This reflects the fact that many building control systems use small amounts of data.
Sourcing private networks
There are many suppliers of private networks across the world. However, only a handful of these service providers actively support remote connections for building control systems. Selecting the right service provider will be an important factor in ensuring that your project goes smoothly. Using a service provider familiar with the building services industry will have several benefits:
Specialist Hardware
Unlike standard Internet connections, where there’s little choice of the routing equipment supplied, connections to a private network present you with a choice of networking hardware to route through. The choice of routing equipment will depend upon the nature of the project and the type of private network connection. For example, an energy metering project whose equipment is in the basement of a building may be best served by a DIN rail 3G/4G cellular router, with an extension antenna to get a good cellular signal.
A network service provider familiar with the building services industry should be able to identify the right equipment for the project.
Private network prices
The cost of a connection to a private network will depend on the type of network connection required. In general, the greater the bandwidth the greater the cost. Private network broadband and 3G/4G cellular connections tend to be a similar cost to their internet-connected equivalents. Network connections are rented from the service provider, and the costs accrued are usually charged on a monthly basis.
Conclusion
Remote access connections are becoming an integral element of many building services projects. Their benefits are clear: helping contractors and consultants cut costs from their operations by enabling the remote resolution of problems, and creating new revenue streams, such as enhanced maintenance offerings or energy monitoring.
Providing remote access connections over the internet is fraught with security risks and problems. It’s not just hackers that are an issue; there is also the problem of managing multiple VPN connections. Using a private network instead of the internet can eliminate many of these problems. Private networks avoid the internet, mitigating many of the issues associated with hackers, and provide a platform that makes managing multiple remote connections easier.
Specialist service providers offer private networks that are tailored for the building services industry. These service providers understand your market, have access to the specialist hardware required, and can help you identify the right type of network connection. Using a specialist service provider for private network connections can help ensure that your remote connections are fit for purpose and secure.
About Abtec
We are a UK-based IT, networking and BMS business with over two decades of experience. One of our specialisms is the provision of IT hardware and networks for the construction industry. We help mechanical and electrical engineering contractors deliver their building control projects over IP networks and provide secure remote connections to building control systems.
Our recent projects include:
Website: www.abtecnet.com