September 2019
Reduce the Cyber Risks to Your Buildings with Proactive Management
Kevin T. Smith, Chief Technology Officer, Tridium
Less than five minutes! This is the average time between an IoT device being
connected to the Internet and the first cyberattack on that device.
While this commonly-known statistic should be alarming to anyone
connecting Internet-capable edge devices to their networks, and while
it should give pause to anyone
looking to deploy the latest generation of building automation system
(BAS), this should not be a reason to turn back time and disconnect
altogether. With a holistic, defense-in-depth security approach
involving people, processes and technology, building owners and their
property management teams can plan for and then manage the risk of cyberattack.
What does this mean? From an organizational perspective, it means that
everyone needs to be involved in and focused on cyber awareness and
defense. It means that when you select your products, you need to make
sure that your product manufacturers bake in strong cybersecurity
controls and support the product with patches when vulnerabilities are
detected. The teams (IT working together with OT) who design and set up
the building networks upon which your BAS will be installed play a
major role in your building’s cyber defense, as do the systems
integrators who install and configure your BAS and all other connected
products on those networks. The facility managers who maintain,
operate, and proactively monitor your building’s networks also need to
be cyber-savvy. It is up to cyber-aware owners to put the right
incentives and enforcements in place to ensure selection of the right
products and to ensure effective communication about cyber issues
among all these teams. Across the entire chain of roles,
no person should ever allow
any process or enable any technology whereby a BAS is
directly exposed on the Internet. When implemented correctly, you
will have foiled those five-minute attackers and cut your cyber risk
significantly.
Utilizing an outdated BAS greatly increases cyber risk. In our
fast-paced world of technological advancement, your building’s networks
– and the devices attached to them – are rapidly changing, and this
has significant ramifications for the cybersecurity of building
networks. Not keeping up with current expectations of actively
and proactively managing these technology changes carries risk, and
this can affect your building systems. Today’s challenges require
continuous management because while your network is changing, the
threats are dynamically changing as well. More and more IP-connected
devices are being introduced into buildings, and many of these are
connected to upgraded networking infrastructures overseen by IT cyber
teams. Other stakeholders – like occupants, HR departments, and
the finance team responsible for energy bills – are becoming aware of
the value locked in building equipment data. To share this data,
someone in your organization may quietly try to do an “end-run” around
proper security policies and procedures, attempting to get at the data
by connecting your BAS to special-purpose networks, which can
significantly increase your cyber risk. In today’s connected world,
every organization needs a proactive cyber defense strategy that
revolves around best practices and updated technology.
Not meeting the cybersecurity requirements of your BAS that are
necessary in today’s world can put your entire organization in
jeopardy. Perhaps the greatest risk of falling behind in BAS is the
business risk to the building owner when the property is perceived as
energy wasting, not comfortable, or simply "behind the times" because
building operational data is not being collected or leveraged via a
current BAS. It is preferable to align around a proactive cyber defense
strategy, rather than suffer these risks.
Tridium developers and the greater Niagara community have worked for
decades to evolve an open and extensible integration engine to connect
to, control, and monitor devices in your building, and by doing that,
organizations can make sense of all the new digital data that buildings
are generating. Today, the Niagara Framework® is the de facto standard
in open-protocol BAS, and the Niagara product line now extends to
lightweight edge devices and cloud services. In the face of the
fast-multiplying number of Niagara instances that our customers must
manage inside a multi-story office building, across a multi-building
campus, or across a geographically distributed building portfolio,
Tridium has continued its focus on cyber defense. For example,
the current release of Niagara Framework, Version 4.8, features a new
Security Dashboard. This easy-to-read and actionable central console
allows users to quickly assess the security posture of every Niagara
instance in a deployment so that they can quickly make configuration
changes to reduce cyber risks to their organization.
Niagara’s Security Dashboard is just the latest way Niagara has evolved to
promote cyber-security best practices. Over the past five years,
Tridium has invested a significant amount of time, energy, and
resources into re-evaluating and redesigning the Niagara Framework®,
specifically focused on cybersecurity. Niagara is designed to be
customizable to the security policy of any customer organization, while
enforcing good “cyber behavior.” Built-in technology controls
make it easier for the end-user configuring Niagara to operate within
cyber best practice guidelines.
One of the principles that we used in the design of the security of
Niagara 4 is the principle of “secure by default.” The security of our
products depends on the way that integrators configure them, so we
want their first default option to be the most secure option. For this
reason, we designed the user interface in Niagara to default to the
most secure configuration, making it easier for the user configuring
Niagara to do so securely. To further enforce good cyber behavior, we
make administrators create a non-default password before commissioning
and deploying a Niagara system. At the same time, Tridium provides
security that happens automatically and that does not need
configuration at all. All sensitive data is encrypted at
rest. The core Niagara Framework code is digitally signed and
validated for integrity at runtime. Our JACE® 8000 and Edge 10
controllers are shipped with “secure boot” and a hardware root of trust
which validates the integrity at boot time. As a result of these
controls, all owners should have strong assurance that our devices and
the core software that runs on them have not been manipulated or
altered by malicious software. To conform to IT cyber security norms,
we also make security configurable: all Niagara instances can be
customized to adhere to organizational security policies related to
user account management, password policies, and more. Niagara provides
the ability for users to integrate with organizational PKI, LDAP, and
SAML-based systems related to identity management. With each
update to the framework, we have been adding cybersecurity features
currently in demand, such as 802.1X network authentication and
two-factor authentication, and we will continue to add new
functionality with every release.
While Tridium is doing what it can to mitigate cyber risk for our
products, a successful cybersecurity program encompasses far more than
what can be accomplished by focusing on a particular asset or
technology. From a technology perspective, it’s important that IT
network professionals design organizational networks in a way such that
they are separated and segmented into various zones to provide
defense-in-depth. Up-to-date technology controls such as firewalls,
intrusion detection systems, intrusion-prevention systems and malware
and virus prevention software are also necessary. Automated backups of
systems and devices are also critical to limit data loss and to ease
recovery in the event of device failure, ransomware, or other
attacks. All systems need to be actively managed, patched and
continuously monitored.
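One way to turn the "never directly exposed on the Internet" rule and the zoning advice above into a repeatable check is to audit the firewall ruleset that sits between the zones. The following is an added example, not Tridium's code or part of the original article; the zone addresses, the one-line rule format and the port numbers are constructed assumptions.

```python
"""Flag firewall rules that let traffic from outside the documented internal
zones reach the building-automation (BAS) zone.  Constructed example data."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Optional

# Internal zones as the IT/OT team would document them (constructed values).
ZONES = {
    "bas": ip_network("10.10.0.0/16"),        # controllers and supervisors
    "it": ip_network("10.20.0.0/16"),         # corporate workstations
    "dmz": ip_network("192.168.100.0/24"),    # jump hosts / VPN concentrator
}


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]    # None means any port


def parse_rule(line: str) -> Rule:
    """Parse a constructed 'allow <src> -> <dst> tcp/<port>|any' line."""
    action, src, arrow, dst, port = line.split()
    if arrow != "->" or action not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    dst_port = None if port == "any" else int(port.split("/")[1])
    return Rule(action, ip_network(src), ip_network(dst), dst_port)


def is_external(net: IPv4Network) -> bool:
    """A source not contained in any documented zone can include Internet hosts."""
    return not any(net.subnet_of(zone) for zone in ZONES.values())


def exposed_bas_rules(rules: List[Rule]) -> List[Rule]:
    """Return allow rules that give an external source a path into the BAS zone.
    Each allow rule is judged on its own; first-match ordering against deny
    rules is not modelled, so a hit means 'review this rule', not 'confirmed'."""
    bas = ZONES["bas"]
    return [r for r in rules
            if r.action == "allow" and is_external(r.src) and r.dst.overlaps(bas)]


# Constructed sample ruleset: only the first line exposes a BAS host directly.
RULES = [parse_rule(line) for line in """
allow 0.0.0.0/0 -> 10.10.0.5/32 tcp/443
allow 192.168.100.0/24 -> 10.10.0.0/16 tcp/8443
allow 10.20.0.0/16 -> 10.10.0.0/16 tcp/443
deny 0.0.0.0/0 -> 10.10.0.0/16 any
allow 0.0.0.0/0 -> 10.20.0.0/16 tcp/443
""".strip().splitlines()]
```

Running `exposed_bas_rules(RULES)` returns only the first rule: the DMZ and IT sources are inside documented zones, and the last rule targets the IT zone rather than the BAS zone.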
For all these reasons, it’s important that care be taken when choosing
a building automation system and all devices that you will connect to
your network. For each device or each system that you are potentially
connecting to your network, key cyber questions need to be asked, such
as: Is the manufacturer cyber aware? What cybersecurity processes does
the vendor employ? Will the vendor patch the product in a timely
manner? Once you feel comfortable with the answers, then ask more
questions. Who will be connecting the device to my network, and are
they cyber-aware, and will they configure it with best practices?
Finally, who will be managing these devices? Who will be patching the
devices? Who will be monitoring these devices?
As Tridium continues to build products beyond the Niagara Framework, we
are dedicated to supporting strong cybersecurity best practices and
controls in our products. The security of our products will continue to
be based on the principle of “secure by default.” We will
continue to embrace open standards as well as closely follow emerging
standards and best practices in IoT cybersecurity, focusing on such
concepts as secure device identity, identity federation and delegated
authorization, data encryption at rest and in transit, and much more.
Cybersecurity is a journey, and we are on this journey together with our
partners and customers. Only together – united in
the mission to proactively manage cybersecurity risks – can we be
successful. And we can.