{{Article.Title}}

{{Article.SubTitle}}

By {{Article.AuthorName}} | {{Article.PublicationDate.slice(6, -2) | date:'EEEE, MMMM d, y'}}
{{TotalFavorites}} Favorite{{TotalFavorites>1? 's' : ''}}
{{Article.Caption}}

As connectivity is an essential part of nearly every industry, it’s no surprise that it has become an important element of building design and construction. While its popularity is on the rise—it is estimated the smart buildings market will grow from $66.3 billion in 2020 to nearly $109 billion by 2025—there are some security risks that come with implementing these connected systems in buildings and could jeopardize financial and other private information.

When building designers decide to add a collective suite of connected products to building designs, including building automation systems for indoor and outdoor lighting controls, audiovisuals, HVAC and fire alarms, it makes it difficult to know which devices are connected to the network and the risk that come with each individual system. This also creates more concerns for manufacturers, building managers and cybersecurity professionals, but many of these concerns are not being addressed, which leaves openings for hackers to access building controls and sensitive data. This means that it is important for those in charge of managing these systems and controls to fully understand the maintenance and security updates behind them before an unsecure system is installed, causing more problems down the line that could have been prevented.

Before installation and connection

To save time, contractors will buy and install devices directly from stores rather than directly ordering them from manufacturers. While convenient, this is often the core problem to faulty security in building control systems. By pulling these devices from distribution, contractors run the risk of having a device with outdated firmware that won’t work with the other devices, even if it’s from the same manufacturer. As a result, the firmware will need to be updated through an offline cache, or a cell phone hotspot; alternatively, the update could be deployed from a remote location beforehand. And to add to the complexity and frustration, if the firmware update is available via USB flash drive or cache, manufacturers will need to add additional layers of security, such as restricted access and availability or encryption, to prevent hackers from finding security vulnerabilities. However, all of these options leave too much leeway for manufacturers to decide what the appropriate solution should be.

Problems faced with hardwired devices

There are two main challenges present for devices hardwired into building systems.

  1. Most specifications for building projects lack the identification of a possible internet connection and this information often falls on the wayside. This leaves manufacturers questioning the hardware they need to provide to ensure that existing system controllers communicate harmoniously, while still abiding to security best practices.
  2. System controllers are sometimes installed in parking garages or other public, unsecure environments that are riddled with physical barriers and uncontrollable environmental conditions. Yet, to overcome this, wireless controllers are used in easily accessible areas, thus creating the need for additional security measures—physical and digital—from remote antennas and hinge locking enclosures to uncommon wireless frequencies and added encryption. This gives manufacturers few parameters and regulations to follow, making it difficult to determine the proper next steps.
Security and interoperability at the campus level

There are typically numerous systems across the buildings at a campus level since installations take place over a course of time. In theory, the different systems should communicate through a common physical layer or common language for the systems to be managed holistically. However, in practice, one building ends up having a control system with its own set of requirements while the other buildings operate on a completely different setup.

With these differences, a list of every manufacturer and its contact are needed to maintain each individual, yet somewhat connected installation. While this could be resolved through a shared ethernet connection and open standards, this option is seldom accounted for, leaving each system to be maintained individually. However, with the guidance of industry professionals, these challenges could be accounted for prior to installation.

The need for transparency and global standards

With more internet-connected control systems coming to the market, stakeholders and decision-makers need to understand the importance of increased cybersecurity visibility. Manufacturers need to be transparent about security updates and vulnerabilities among their devices, provide regular device updates and push for security to be a part of their regular reporting process, rather than an afterthought.

But the transparency needs to also go beyond the manufacturers and extend industry-wide. It is important that there are universal security standards that stakeholders and manufacturers can adhere to to increase end-user safety and protect networks from cyberattacks. These organizations, such as the ioXt Alliance, are leading the charge to create and adopt standards by working with industry leaders across markets. The ioXt Alliance is backed by some of the most prevalent technology companies in IoT along with commercial building control companies, and is creating universal standards to provide security guidelines, which include security built in from inception, regularly issued firmware updates, and security transparency for a product’s lifecycle—ultimately preventing security vulnerabilities—ensuring products work as intended, and providing security for end-users.

Print

 Comments ({{Comments.length}})

  • {{comment.Name}}

    {{comment.Text}}

    {{comment.DateCreated.slice(6, -2) | date: 'MMM d, y h:mm:ss a'}}

Leave a comment

Required!
Required! Not valid email!
Required!