Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls
AIA Quality Assurance

The Building Commissioning Association is a Registered Provider with The American Institute of Architects Continuing Education Systems (AIA/CES). Credit(s) earned on completion of this program will be reported to AIA/CES for AIA members. Certificates of Completion for both AIA members and non-AIA members are available upon request.

This program is registered with AIA/CES for continuing professional education. As such, it does not include content that may be deemed or construed to be an approval or endorsement by the AIA of any material of construction or any method or manner of handling, using, distributing, or dealing in any material or product.

Questions related to specific materials, methods, and services will be addressed at the conclusion of this presentation.
Learning Objectives

1. List the applicable Federal and State standards for cybersecurity that must be adhered to in the commissioning of new or retrofit building systems.
2. Describe the steps to become compliant with the applicable Federal and State building security standards.
3. Understand the underlying connectivity and automation value proposition for smart buildings.
4. Establish a realistic view of current threats and business risks associated with smart buildings, across both the private and public sectors.
Why are we here today?

BOTTOM LINE
1. All industries are making smart building investments (seeking reward)
2. Cyber incidents threaten the smart building value proposition
3. Cybersecurity must become a core tenet of building design and operations (to guarantee that investment)

Yesterday: Partial Connectivity
Today: Smart Buildings
Tomorrow: Smart Cities
BUILDINGS ARE EVOLVING

On the outside, smart, data-driven solutions may not be apparent. But connectivity is creating value for building owners and operators.

Infographic credit: Johnson Controls
CONNECTING OCCUPANTS TO SOLUTIONS

Across industries, technology is redefining how buildings and occupants interact: saving energy, increasing security and optimizing operations.

HEALTHCARE
- Real-Time Location Systems (RTLS)
- Critical temperature control
- Operating room environments
- Electronic record-keeping
- Integrated patient care

HIGHER EDUCATION
- Streaming video management
- Campus-wide system alerting
- Mobile-friendly presentation spaces
- Integrated class registration
- Optimized lighting

GOVERNMENT
- Access controls & physical security
- Energy management
- Sensitive environment monitoring
- Smart infrastructure
- Integrated asset tracking

TRANSPORTATION
- Real-Time Location Systems (RTLS)
- HVAC temperature control
- Physical security
- Passenger identification systems
- Arrival/departure prediction

K-12 EDUCATION
- Smart whiteboards
- Optimized lighting
- HVAC, data-driven building management
- Space scheduling integration
- District-wide performance tracking

COMMERCIAL BUILDINGS
- Access controls & physical security
- HVAC temperature control
- Energy management
- Real-time data analysis
- Meeting space optimization
INVESTMENT AT RISK

NEW VALUE PROPOSITION
- Automated Management
- Predictive Maintenance
- Energy Efficiency
- Asset Location Finding

CYBER RISKS (anticipated investment breaks apart)
- Denial of Service Attack
- Vendor IoT Product Compromise
- Occupant Data Theft
- Hijack of Command & Control App

SECURITY IMPERATIVE
- Pervasive connectivity means more vulnerabilities across a larger attack surface
- Many threat vectors can potentially harm connected infrastructure
- Occupant health/safety and environment now depend on cyber security
FACING OUR CURRENT REALITY

[Chart: Reported industrial control system vulnerabilities. Source: ICS-CERT 2015 Annual Vulnerability Coordination Report]

[Chart: Sources of threats to industrial computers. Source: Kaspersky Lab ICS CERT, Threat Landscape for Industrial Automation Systems in the Second Half of 2016]

RELEVANT CYBER INCIDENTS
- LARGE INTERNET SEARCH PROVIDER: Researchers hack building control system of key facility; able to obtain command and control
- CHINESE HOTEL: Hacker infiltrated hotel room automation system via WiFi; established ability to manipulate room control systems and steal customer data
- INTERNET DOMAIN NAME SYSTEM PROVIDER: Largest distributed denial-of-service (DDoS) attack in history uses massive number of compromised IoT devices to swarm its target and cause major internet outages
BUILDINGS NEED TO BE CYBERSMART

WHAT'S A CYBERSMART BUILDING?
1. Security by design for new buildings; retrofit options for established buildings
2. IT and operational technology (OT) assets are mapped and zoned for risk management
3. Vulnerability management function in place for connected devices and infrastructure
4. Passive monitoring for critical assets to understand non-baseline anomalies (e.g., network scanning, controller re-flash)
5. Cyber incident response plan is developed and exercised by relevant stakeholders

WHO PLAYS A ROLE?

Evolving Guidance:
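Points 2 and 4 above (asset mapping and zoning, passive monitoring for non-baseline anomalies) can be demonstrated with a small script. The following is an added example, not code from the presentation or from Johnson Controls: it keeps a constructed IT/OT asset register with hypothetical zone labels, records a commissioning-time baseline of which engineering stations may push firmware and which zones may initiate connections into the OT zone, and then walks a set of constructed passive-capture records (source, destination, port, event) to flag unknown devices, IT-to-OT zone crossings, unauthorized controller re-flash events, and port scans. Addresses, device names and the scan threshold are all assumptions; port 47808 is BACnet/IP.

```python
# Added example (not Johnson Controls code): a minimal IT/OT asset register with
# zone rules, plus a passive baseline check over constructed connection records.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str        # hypothetical zone labels: "it", "ot", "engineering"
    critical: bool   # loss of control would affect occupant safety or comfort


# Constructed inventory; addresses and names are placeholders, not a real site.
ASSETS = {
    "10.0.1.10": Asset("10.0.1.10", "bms-server", "ot", True),
    "10.0.1.21": Asset("10.0.1.21", "ahu-controller-1", "ot", True),
    "10.0.1.22": Asset("10.0.1.22", "chiller-controller", "ot", True),
    "10.0.2.5": Asset("10.0.2.5", "eng-workstation", "engineering", False),
    "10.0.3.40": Asset("10.0.3.40", "hr-laptop", "it", False),
}

# Baseline established at commissioning: which stations may push firmware, and
# which zones may initiate connections into the OT zone.
FIRMWARE_WRITERS = {"10.0.2.5"}
ALLOWED_INTO_OT = {"ot", "engineering"}
SCAN_PORT_THRESHOLD = 10  # distinct ports from one source to one host (assumed)

# Constructed passive-capture records: (src_ip, dst_ip, dst_port, event).
# 47808 is BACnet/IP; the other ports are typical of a sweep across a host.
RECORDS = [
    ("10.0.1.10", "10.0.1.21", 47808, "connect"),         # BMS polling a controller
    ("10.0.1.10", "10.0.1.22", 47808, "connect"),
    ("10.0.2.5", "10.0.1.21", 47808, "firmware_write"),   # authorized re-flash
    ("10.0.3.40", "10.0.1.21", 47808, "firmware_write"),  # IT laptop re-flashing a controller
    ("10.0.3.99", "10.0.1.10", 47808, "connect"),         # device missing from inventory
] + [
    ("10.0.3.40", "10.0.1.22", port, "connect")           # IT laptop probing the chiller
    for port in (21, 22, 23, 80, 443, 502, 1911, 4840, 8080, 47808)
]


def detect_anomalies(records, assets=ASSETS, writers=FIRMWARE_WRITERS):
    """Return sorted (kind, src, dst) alerts for traffic outside the baseline."""
    alerts = set()
    ports_seen = defaultdict(set)
    for src, dst, port, event in records:
        src_asset, dst_asset = assets.get(src), assets.get(dst)
        if src_asset is None:
            alerts.add(("unknown_asset", src, dst))    # unmanaged device on the network
            continue
        if dst_asset and dst_asset.zone == "ot" and src_asset.zone not in ALLOWED_INTO_OT:
            alerts.add(("zone_crossing", src, dst))    # IT zone reaching into OT
        if event == "firmware_write" and dst_asset and dst_asset.critical and src not in writers:
            alerts.add(("controller_reflash", src, dst))
        ports_seen[(src, dst)].add(port)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.add(("port_scan", src, dst))        # many distinct ports on one host
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, dst in detect_anomalies(RECORDS):
        target = ASSETS.get(dst)
        print(f"{kind:18} {src} -> {dst} ({target.name if target else 'unknown'})")
```

The value of the inventory is that every alert is explained in terms of the register: an address that is not in it is itself a finding, and a laptop in the IT zone writing firmware to a critical controller is flagged both as a zone crossing and as a re-flash by a station outside the commissioned baseline. In a real deployment the records would come from a span port or network tap rather than a list, and the thresholds would be tuned to the site's normal traffic.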
KEY CONSIDERATIONS FOR TAKING ACTION

WHAT TO DO
1. Observe and orient around your specific challenge
2. Forget old silos: cybersecurity requires cross-functional teaming
3. Change the culture: speak up for cybersmart buildings
4. Build the right capabilities to enable, not hinder, smart building adoption
5. Finally, get operational

Lifecycle Phase / Cyber Capabilities
- Acquisition: Consider Security Requirements; Assess
- Deployment: Build in Security
- Operations & Maintenance: Update Regularly; Test, Monitor, & Respond
THANK YOU

Jason Rosselot, CISSP
Director Product Cyber Security
Johnson Controls
jason.r.rosselot@jci.com
www.johnsoncontrols.com/productsecurity