Cybersecurity or Something Better The buildings industry has almost fully transitioned from pneumatic to DDC software control. But, there is a lingering sense that software should work reliably forever, just like the physics it replaced.

Therese Sullivan, Customer Marketing Leader, Tridium Inc. Contributing Editor

For decades now, the vision of intelligent buildings that self-correct when they are wasting energy and self-adjust when they are providing anything less than a healthy, comfortable and productivity-enhancing indoor environment for occupants has been driving the building automation industry forward. Today, advancements in cloud computing and machine learning, as well as greater adoption of common standards for network connectivity and data interoperability, are making the full vision a reality for some showcase buildings. At the same time, connected devices are seeping into all types of buildings in less visionary, more piecemeal ways and sometimes without sufficient IT/OT oversight. Is this moving us faster toward the intelligent-buildings-for-all future we expect? Or, is this trend simply creating a larger and more attractive cyber-threat landscape for attackers, with consequences that will slow our progress?

IT/OT are converging, as is often said. But, on the issue of how often the controls software used to operate buildings should be updated there is a definite difference. Apple, who sets the high bar for mobility IT, has an approximate rhythm of introducing major version upgrades every year and incremental upgrades with critical bug fixes every quarter. For both Apple and Android devices, if a cyber vulnerability is discovered, the patch is issued right away and applied while your phone is on the bedstand overnight. Many of the most popular brands in enterprise software have transitioned from software-as-a-product to software-as-a-service, in part, to keep ahead of cyber threats. Opting for SaaS makes it easier for IT administrators to ensure that all endpoints are up-to-date on software versions and patches that innoculate against any known viruses and malware.

Recently, government and media cyber-threat watchers have issued warnings that a significant number of control systems, including those in commercial buildings, are configured in an insecure manner and exposed on the Internet. They see vulnerabilities that were addressed by software upgrades and new versions introduced to the market over a half-decade ago. In too many cases, best practices haven’t been followed, and upgraded software just hasn’t been deployed. The buildings industry has almost fully transitioned from pneumatic to DDC software control. But, there is a lingering sense that software should work reliably forever, just like the physics it replaced.

There is a good reason for controls software developers to aim for a longer upgrade rhythm than is typical of mobile devices and enterprise SaaS. But, facilities teams that publish guide specifications that ask all building engineers and controls contractors to be standardized on control software that is a generation behind the state-of-the-art, equivalent to half-a-decade or more in time, are risking cyber trouble. Such examples, on the part of major institutional and commercial property owners, are out there. Moreover, if the history of mobile-device IT and SaaS adoption in the enterprise  is any indication, there is a business advantage in continuously equipping users with tools that incorporate the latest features and functions. When attempting to quantify the ROI, the ‘stick’ of avoiding a cyber attack is not as significant as all the ‘carrots’ related to higher productivity and better business outcomes.

Over the last 20 years, Tridium has made major investments in continuously improving the cyber-defenses native to Niagara Framework and all of our software products. We’ve kept pace with the latest approaches to user authentication, encryption and incident response, working in partnership with government cyber-defence teams like ICS-CERT. Because cybersecurity is as much about people and processes as technology, we’ve also provided guidance to Niagara systems integrators, business partners, and facility managers to deploy control systems with a cybersecurity mindset. Now you can power control devices at the supervisory level, the field device level and at the network edge with Niagara Framework, which means Niagara customers have  a unified means of managing cyber-defense at all levels. This makes it easier to enforce cyber-security best practices. (Read Tridium’s Cybersecurity White Paper to learn more about these.)

Of course, such a multi-tiered cyber-defense approach works best when all Niagara instances are assured of the latest security features, enhancements, and updates through a Software Maintenance Agreement (SMA). To draw upon the stick-and-carrot metaphor above, the answer to the question “What do you get with an SMA?” might start with “Cybersecurity.” But, the fact that an SMA also assures access to our latest technology for graphics visualization, provisioning, tagging and analytics, certifications and compliance, and more – it is the carrots that will have the greatest impact when quantifying Return on Investment.

The data-driven Intelligent Building is within our reach today but has a lot of software dependencies. Addressing the issue of cybersecurity by embracing the use of standard IT software practices  like SMAs is going to get us there faster.