Smart-Building Security: Beyond Access Control

Many modern buildings are carefully designed to protect occupants from physical harm but are far less guarded against digital intrusion that can compromise their less-tangible assets. And even where cyber defenses are in place, they typically focus on PCs and servers, not the IoT endpoints and legacy control systems that turn a structure into a “smart building.”

A deeper conversation around cybersecurity infrastructure is required to prevent an increase in widely publicized cyber incidents like the data breach at the retailer Target and the infamous casino fish tank attack. Part of that conversation starts with recognizing that securing the various interconnected systems in a modern building is a very real challenge. That’s why one company, Veridify, a developer of security IP and tools, created the Device Ownership Management and Enrollment (DOME) platform, a comprehensive security solution that addresses the range of challenges buildings face.

Smart Building Security: Detecting Things That Go Bump in the Wire

The task of securing a building-wide heterogeneous network with several thousand potentially vulnerable edge devices ranges from daunting to practically impossible. The different vendors that provide elevators, lighting, fire monitoring, and HVAC equipment all have their own systems.

Add the specialized IoT platforms now being deployed across many companies, and you’ve got a wide range of assets, each with its own standards, communication protocols, and supported features.

Of course, the greater the number of different systems and devices, the more impractical it becomes to implement unique security measures for each. One alternative would be to use a single security blanket that covers all the connected systems in a smart building. In that case, a small-footprint software agent capable of establishing secure communications tunnels between systems and a security-as-a-service (SaaS) solution could be loaded onto each device at the time of manufacture.

Unfortunately, most of the connected security systems in smart buildings existed before the building became “smart”. This means that such an agent would likely have to be added to each system individually and then integrated with the larger security platform, which is a non-trivial endeavor.

But instead of attempting to secure every edge device individually, smart building operators could secure the communication lines of connected devices themselves using what’s known as bump-in-the-wire (BITW) technology.

A BITW is a security tool that can be inserted into a communication channel between two or more pieces of equipment, without impacting performance. In a network security context, a BITW would sit between a group of endpoints or edge devices and the rest of the building network, authenticating messages as they pass by.

To work effectively, BITWs can reside within a smart building system that is compatible with multiple network protocols, support industry standards for IoT security, and implement strong cryptography without compromising latency. Working in tandem with a database of unique identifiers for every device within the building’s network, a BITW can ensure that any device being used to access the building network has the authority to do so.
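The check described above, as an added example that is not Veridify's code or DOME's protocol: a device-side bump wraps an unmodified legacy payload, and a network-side bump forwards it only if the sender is enrolled and the message authenticates. The frame layout, the names, the device ID `hvac-07`, and the use of per-device HMAC-SHA256 keys in place of public-key credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
# Constructed registry (assumption): device ID -> key, standing in for the
# database of unique identifiers for every device on the building network.
REGISTRY = {b"hvac-07": hashlib.sha256(b"constructed key for hvac-07").digest()}

def seal(device_id, counter, payload, key):
    """Device-side bump: wrap a legacy payload in an authenticated frame.
    Layout (constructed): id_len | device_id | 8-byte counter | payload | tag."""
    header = bytes([len(device_id)]) + device_id + struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class BitwVerifier:
    """Network-side bump: decide whether a frame may reach the building network."""

    def __init__(self, registry):
        self.registry = registry
        self.last_counter = {}  # highest counter accepted per device

    def verify(self, frame):
        """Return (verdict, payload); payload is empty unless forwarded."""
        min_len = 1 + 8 + TAG_LEN
        if len(frame) < min_len or len(frame) < min_len + frame[0]:
            return "drop:malformed", b""
        id_len = frame[0]
        device_id = frame[1:1 + id_len]
        key = self.registry.get(device_id)
        if key is None:  # sender is not an enrolled device
            return "drop:unknown-device", b""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "drop:bad-tag", b""
        (counter,) = struct.unpack(">Q", frame[1 + id_len:9 + id_len])
        if counter <= self.last_counter.get(device_id, -1):
            return "drop:replay", b""  # authentic but already seen
        self.last_counter[device_id] = counter
        return "forward", frame[9 + id_len:-TAG_LEN]
```

The counter is checked only after the tag verifies, so an unauthenticated frame cannot advance a device's replay window.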

Under the DOME Security-as-a-Service Solution

Veridify’s DOME solution operates similarly to a combined VPN service and device authentication platform: Endpoints do not need to connect directly to a cloud, BACnet, or any other type of operational technology (OT) network, only to their respective BITW owners.

Through these, DOME offers a secure, encrypted tunnel for smart building device authentication over a range of protocols, including BLE, BACnet, KNX, OBIX, Wi-Fi, and others.

The platform’s security starts with devices that have been provisioned with a security library, including public-key credentials. These credentials are signed in an immutable blockchain that provides each endpoint with the ability to authenticate its owner and an unalterable identity, stored and managed by a DOME Interface Appliance (DIA).

The DIA can support both legacy and quantum-resistant protocols used by these endpoints, building automation controllers, and the central building management system (Video 1). This allows it to deliver secure firmware updates, building-specific configuration changes, and device status reporting, and to report any attempts on the cyber infrastructure.

Video 1. DOME provides comprehensive smart building security, even for devices that aren’t directly secured by DOME. (Source: Veridify)

For newer systems that have yet to be deployed, the DOME Client library can be installed on endpoints while consuming only 12 KB of ROM. This allows it to be deployed on even severely resource-constrained systems.

But certain devices are not candidates for direct protection under DOME because they can’t be updated, are legacy systems, or for other reasons. In these cases, DOME can be extended through a BITW architecture and hardware security controllers like Intel® MAX® 10 FPGAs that reside on the communications path between the endpoints and the network.

The DOME plus BITW topology allows legacy controllers and older systems to exist alongside more modern smart building systems without being left vulnerable. And thanks to the performance and flexibility of MAX 10 devices, security can be delivered at ultra-low latency over a variety of communications transports, even under load.

Make Smarter Security the Standard

Of course, this is just one aspect of the overall smart building cybersecurity conversation. Other talking points include threat modeling and assessment, physical device security, and cloud security access controls, to name just a few.

In the long term, cybersecurity standards for buildings will need to be defined, possibly in a manner analogous to the Leadership in Energy and Environmental Design (LEED) certification process in use today. This could provide a framework for securing smart building systems, and rate facilities by how well their networks are protected in the same way they’re rated for physical safety and environmental standards.

When these standards emerge, technology like BITW and DOME will provide a path for older facilities with an array of automation systems to comply with evolving security requirements—without needing to replace the entire system.
 

This article was edited by Christina Cardoza, Associate Editorial Director for insight.tech.

This article was originally published on April 28, 2021.

About the Author

Brandon is a long-time contributor to insight.tech going back to its days as Embedded Innovator, with more than a decade of high-tech journalism and media experience in previous roles as Editor-in-Chief of electronics engineering publication Embedded Computing Design, co-host of the Embedded Insiders podcast, and co-chair of live and virtual events such as Industrial IoT University at Sensors Expo and the IoT Device Security Conference. Brandon currently serves as marketing officer for electronic hardware standards organization, PICMG, where he helps evangelize the use of open standards-based technology. Brandon’s coverage focuses on artificial intelligence and machine learning, the Internet of Things, cybersecurity, embedded processors, edge computing, prototyping kits, and safety-critical systems, but extends to any topic of interest to the electronic design community. Drop him a line at techielew@gmail.com, DM him on Twitter @techielew, or connect with him on LinkedIn.
