CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

Transcription

1 CYBERSMART BUILDINGS Securing Your Investments in Connectivity and Automation JANUARY 2018

2 WELCOME STEVE BRUKBACHER Application Security Manager Global Product Security Johnson Controls 1

3 WHY ARE WE HERE TODAY? BOTTOM LINE 1. All industries are making smart building investments (seeking reward) 2. Cyber incidents threaten the smart building value proposition 3. Cybersecurity must become a core tenant of building design and operations (to guarantee that investment) Yesterday: Partial Connectivity Today: Smart Buildings Tomorrow: Smart Cities 2

4 BUILDINGS ARE EVOLVING ON THE OUTSIDE, SMART, DATA-DRIVEN SOLUTIONS MAY NOT BE APPARENT. BUT CONNECTIVITY IS CREATING VALUE FOR BUILDING OWNERS AND OPERATORS. Infographic credit: Johnson Controls 3

5 CONNECTING OCCUPANTS TO SOLUTIONS ACROSS INDUSTRIES, TECHNOLOGY IS REDEFINING HOW BUILDINGS AND OC CUPANTS INTERACT SAVING ENERGY, INCREASING SECURITY AND OPTIMIZING OPE RATIONS. HEALTHCARE Real-Time Location Systems (RTLS) Critical temperature control Operating room environments Electronic record-keeping Integrated patient care HIGHER EDUCATION GOVERNMENT Access controls & physical security Energy management Sensitive environment monitoring Smart infrastructure Integrated asset tracking TRANSPORTATION Streaming video management Campus-wide system alerting Mobile-friendly presentation spaces Integrated class registration Optimized lighting Real-Time Location Systems (RTLS) HVAC temperature control Physical security Passenger identification systems Arrival/departure prediction K-12 EDUCATION COMMERCIAL BUILDINGS Smart whiteboards Optimized lighting HVAC, data-driven building management Space scheduling integration District-wide performance tracking Access controls & physical security HVAC temperature control Energy management Real-time data analysis Meeting space optimization 4

6 INVESTMENT AT RISK NEW VALUE PROPOSITION CYBER RISKS ANTICIPATED INVESTMENT BREAKS APART Automated Management Predictive Maintenance Denial of Service Attack Vendor IoT Product Compromise Energy Efficiency Asset Location Finding Occupant Data Theft Hijack of Command & Control App SECURITY IMPERATIVE Pervasive connectivity means more vulnerabilities across a larger attack surface Many threat vectors can potentially harm connected infrastructure Occupant health/safety and environment now depends on cyber security 5

7 FACING OUR CURRENT REALITY REPORTED INDUSTRIAL CONTROL SYSTEM VULNERABILITIES RELEVANT CYBER INCIDENTS LARGE INTERNET SEARCH PROVIDER Researchers hack building control system of key facility; able to obtain command and control Source: ICS-CERT 2015 Annual Vulnerability Coordination Report SOURCES OF THREATS TO INDUSTRIAL COMPUTERS CHINESE HOTEL Hacker infiltrated hotel room automation system via WiFi; established ability to manipulate room control systems and steal customer data INTERNET DOMAIN NAME SYSTEM PROVIDER Largest distributed denial-of-service (DDoS) attack in history uses massive number of compromised IoT devices to swarm its target and cause major internet outages Source: Kaspersky Lab ICS CERT, Threat Landscape for Industrial Automation Systems in the Second Half of

8 BUILDINGS NEED TO BE CYBERSMART WHAT S A CYBERSMART BUILDING? 1. Security by design for new; retrofit options for established buildings WHO PLAYS A ROLE? 2. IT and operational technology (OT) assets are mapped and zoned for risk management 3. Vulnerability management function in place for connected devices and infrastructure 4. Passive monitoring for critical assets to understand non-baseline anomalies (e.g., network scanning, controller re-flash) 5. Cyber incident response plan is developed and exercised by relevant stakeholders Evolving Guidance: 7

9 KEY CONSIDERATIONS FOR TAKING ACTION WHAT TO DO 1 Observe and orient around your specific challenge 2 3 Forget old silos cybersecurity requires cross-functional teaming Change the culture speak up for cybersmart buildings Lifecycle Phase Acquisition Deployment Cyber Capabilities Consider Security Requirements Assess Build in Security 4 Build the right capabilities to enable not hinder smart building adoption Operations & Maintenance Update Regularly Test, Monitor, & Respond 5 Finally, get operational 8

10 Q&A 9

11 THANK YOU FOR MORE INFORMATION: STEVE BRUKBACHER BOOZALLEN.COM/CYBERSMART JOHNSONCONTROLS.COM/PRODUCTSECURITY 10