Despite the recent surge of Remote-First and Remote-Only work policies, many companies are still conducting much of their business and operations from within office buildings. Many of these buildings have leveraged technological innovations to respond to various economic, societal, and environmental pressures. Now, they face additional challenges in securing their premises while providing stable interconnectivity between satellite offices and remote workers. The emerging Smart Building becomes an asset and a strategic factor for both the owner and the tenant in supporting their business missions, values, and goals.
The scope of enterprise architecture, and therefore that of enterprise security, has expanded beyond traditional IT to encompass Operational Technology (OT) and Internet of Things (IoT) subsystems. Enterprise security permeates all these Smart Building domains and continues to have a critical role in business practice.
Smarter Buildings provide better business support
Recent health mandates prompted many businesses to adapt in order to support new physical workflows for both customers and employees. Perhaps the most prevalent examples are seen in stores delineating social distancing spaces and creating dedicated take-away parking spots to continue serving customers safely.
Similarly, buildings can undergo digital transformations and become Smart Buildings by incorporating technologies such as digital sensors, advanced analytics, and AI/ML information synthesis. These, in turn, allow new applications and services to emerge: Occupant detection, remote operations, and predictive maintenance, among many others.
Smart Buildings provide building owners and tenants the opportunity to offer differentiating services, while also reducing overall operating expenses. Businesses leveraging Smart Building capabilities often turn these potential liabilities into assets through holistic management, with a system of systems approach, where Digital Twins, actionable analytics, and dashboards give visibility and control into all building aspects. While this approach provides a competitive edge for businesses now, it will be considered table stakes in the coming years when it comes to service differentiation, employee satisfaction and retention, as well as brand reputation.
Enterprise security in Smart Buildings
Smart Buildings aggregate and derive data from their integrated subsystems. In addition to traditional IT infrastructure, they may have dozens of OT/IoT subsystems, each with potentially tens of thousands of sensors and endpoints, not only “read-only” devices but also “read-write” actuators and feedback loops. With larger numbers of connected devices and failure modes, IT security concerns are vastly augmented along all aspects of enterprise security.
The IT domain and the built environment differ significantly; building OT usually has an entirely different set of stakeholders, standards, and product lifecycles. Converging networks may expose poor OT security management, given some of these systems, traditionally, were not easily accessible and security by obscurity was often a de facto approach. Concurrently, increasingly popular IoT solutions add exponential growth of endpoints and in-building networks. Beyond common IT practices (e.g., access control, network segmentation, and data and communications encryption), IoT adds additional maintenance costs for over-the-air-activations, firmware upgrades, and end-of-life device retirement. Finally, Supply Chain Security (SCS) also adds new concerns (e.g., backdoors) to the building ecosystem that enterprise security now needs to be prepared to address. OT, IoT, and SCS bring ecosystem-specific security vulnerabilities; this results in a wider attack surface, increased operational complexity, and new challenges for both building owners and security managers.
Buildings get hacked too
The IT sector has long been exposed to cyberattacks; it manages these in part by relying on industry-wide collaboration and enterprise security best-practices, including vulnerability disclosures, conferences, training, and certifications. Real-estate operational systems have been increasingly attacked as well. This is a serious issue for building owners and operators and, in addition to being a safety concern, can also represent a public relations disaster if, for example, an elevator is remotely disabled, or a water supply is tainted, or a medical device is tampered with.
Buildings are often adding devices and networks faster than they are able to properly vet and secure them. The exponential increase of endpoints and pervasive use of cloud services expand the attack surface for OT and IoT subsystems, which may expose sensitive data and give unauthorized access to operational systems. This adds new challenges for enterprise management in securing Smart Building facilities. Increased awareness as well as robust monitoring and control are needed. Experienced security managers rely on frameworks, standards, and certifications as important tools in managing enterprise security operations.
Enterprise security redefined
As traditional buildings transition to Smart Buildings, it follows that enterprise security needs to change to also address the building environment.
Businesses, in general, can lean on NIST CSF for security risk management and to build an enterprise security strategy that supports their mission and goals. Enterprise IT security has its own set of standards and certifications (e.g., CIS, COBIT, ISO, ITIL). IT frameworks and protocols have many more counterparts in building IoT and OT subsystems, typically with less governance, fewer processes, and more nascent discipline than the IT sector.
Standardization is key for building subsystem integration, especially when non-proprietary standards are used. For example:
- ISA/IEC 62443 provides a framework and a certification roadmap for the security and monitoring of OT networks.
- The BACnet Secure Connect, an open protocol, represents the most significant advance since the BACnet/IP release; it offers valuable security enhancements to older versions, heavily used in HVAC systems control.
Running a business in a Smart Building context means operating in an environment where IT, OT, and IoT domains are merging under the same umbrella of security operations. Advanced data technologies, including systems modelling and trending with ML applied to analyzing building data, will enable more effective enterprise physical and network security convergence. They will offer security managers automated monitoring and control tools that address both business and Smart Building security.
References
