Is your building cybersecure?

Data, privacy, the cloud and security in this age of hyper-connectivity
Cybersecurity and building automation operational technology

By Kevin Callahan, Product Evangelist Alerton, and Pook-Ping Yao, CEO at Optigo Networks

In late 2019, Alerton hosted a conference for its partners in California. There, Eric O’Neill, a former FBI counter-terrorism and counter-intelligence operative, spoke about cybersecurity in our new age of smart technology and connectivity.

A question came from the audience: how do we respond to a customer who doesn’t worry about maintaining their operating system or securing the network, because they aren’t connected to the Internet?

O’Neill threw his head back and laughed. “If they think it’s secure, it’s not secure.”

That’s the attitude we need today: a healthy skepticism to fuel our cyber awareness.

We all know cyberattacks are a real threat in today's hyper-connected world, but so many folks don’t realize just what that entails. Unfortunately, cybersecurity techniques for traditional IT systems may not work for connected Operational Technology (OT) systems, as the National Institute of Standards and Technology (NIST) shared in a paper last year.

It’s a new decade, and technology’s advancing whether we’re ready or not. We must catch up with the cybersecurity demands — now.

What does cybersecurity look like today?

When it comes to cybersecurity, you can’t rest on your laurels. It’s not a one-and-done process, and there are no half-measures or shortcuts.

Cybersecurity’s a perpetual journey of learning and refining and reiterating. Today, where hacks are commonplace and take so many different forms, there’s no getting out of it.

Many attacks — malware, email phishing, distributed denial of service (DDOS), ransomware and the like — capitalize on our connectivity. The NIST cybersecurity framework is a tremendously useful resource in guarding against those cyberattacks.

We shouldn’t discount the power of a confidence trick or social hacking. They might seem more old-fashioned, but they’re no less potent. There have also been cases where someone found sensitive information on a slip of paper, or even went dumpster-diving to get the credentials they needed to hack a system. If a hacker sees an opportunity — whether it’s social, physical, or digital — they won’t hesitate to use it.

Cybersecurity’s an evolving concern, but one tenet remains constant: we cannot take for granted that our system is secure. We must expect the worst in order to prepare for it.

Why should I update my software?

Here’s an oxymoron for you: “My system’s mission critical, so I can’t update the operating system.”

That sentiment is oddly commonplace, and it speaks to a real misunderstanding about the importance of software updates.

Companies don’t push software updates for the heck of it. At the very least, software updates improve on the release that came before for a better user experience. More critically, many software updates address technical bugs and security vulnerabilities that might otherwise keep your system from running properly.

The system being critical isn’t an excuse not to push updates. It’s the exact reason to push them. The danger of cyberattacks makes it even more important to maintain and update the system. While we might think our systems are working just fine, vendors often get feedback from different customers on cybersecurity flaws. By updating our systems, we benefit from the result of many different “penetration tests” on other users’ networks.

Of course, we all know that updating software doesn’t always go smoothly. That’s why most large organizations don’t let software updates get pushed automatically, as a standard policy. They vet the updates first and ensure it won’t mess up the system before they deploy. They still push those updates even if they’re a week or a month behind.

Dealers and integrators need to adopt that process. Blend software screening into your workflows and ensure that updates won’t affect the network before you push them out. Consider setting up a clone of your customers’ systems to test software updates.

Can we trust the cloud?

It’s only in recent years that the perception of the cloud has begun to change, and there’s a long way to go yet. Many people still see the cloud as vulnerable and easily hacked but often the cloud is actually more secure than anything folks are doing on the ground.

Think about it: securing the cloud is Amazon, Google, and Microsoft’s business. They have to be far more diligent about their security than any corporate IT on the ground because, if their cloud services aren’t secure, they’re defunct. That’s why even the government has begun to adopt the cloud.

A few years ago, the U.S. government established a program called FedRAMP, which “facilitates the shift from insecure, tethered, tedious IT to secure, mobile, nimble, and quick IT.”

FedRAMP’s goal is to “promote the adoption of secure cloud services across the Federal government by providing a standardized approach to security and risk assessment.”

There are still lots of holdouts, but the FedRAMP program indicates a real shift for the cloud. People are increasingly placing their trust in the cloud, because they know Google, Amazon, and Microsoft are the experts. From their software to their server rooms and data centers, these companies take security seriously.

The question of securing data centers and server rooms is significant because many of the biggest hacks in recent years have actually been physical hacks, where someone found a way in. Your own server room is less likely to have the level of monitoring, physical security, and digital security that an organization like Amazon or Google has.

Their facilities are locked down with cameras everywhere. The moment someone adds a device to the network, they know. In fact, they can ensure that no outside, unregistered computers can connect to the network or system. They might even design the facilities so that the comms room is kept separate from the data center, and anyone doing maintenance on the comms room can’t access the data center.

The best of the best makes sure these cloud service companies deliver on their promise of security. How confident are you in your security systems?

Talk with experts about cybersecurity. Learn all you can about best practices and ways to safeguard your systems. And, approach cybersecurity with an attitude of humility: as Eric O’Neill so eloquently said, the moment you’re confident that your systems are secure, they aren’t.


Originally published on Automated Buildings

Recent Blog Posts

Do you waste time on repetitive tasks, like entering in static IP addresses? Do you wait forever to get a block of IP addresses from IT that you can use? 

By Kevin Callahan, Product Evangelist Alerton, and Pook-Ping Yao, CEO at Optigo Networks

Whether it’s building a new piece of furniture or setting up some slick new tech, we’ve all been there: you’re ready to go, you pull up the instructions… and find that it’s way more complicated than you originally thought.

By Kevin Callahan, Product Evangelist at Alerton, and Pook-Ping Yao, CEO at Optigo Networks

Optigo Connect has long been a powerful solution for Operational Technology (OT) network management.

Recent Projects

Data center expansion with OTI and Optigo Connect

DATA CENTER EXPANSION

Stack Infrastructure is a portfolio of hyperscale computing data centers. OTI completed work on Phases I and II, and returned for the Phase III build-out of a 4-megawatt data hall and brand new central plant. The Optigo Connect network put in place in Phases I and II was expanded on this project. The team achieved quick roll-out of a large, multi-service redundant network using the Optigo OneView management interface. Going forward, the facility management team can use OneView to remotely monitor equipment, manage power usage, and meet up-time goals.

Optigo Connect MR Soluciones The Landmark

THE LANDMARK

The Landmark is a sophisticated mixed-use high-rise in Mexico. The owners wanted to integrate all OT systems in the skyscraper, while maintaining separate networks for each application. The Landmark is the fourth joint project between Optigo Networks and MR Soluciones. Together, these companies provide robust services to meet any challenge.

Australian Bureau of Statistics at 45 Benjamin Way with Delta Building Automation

45 BENJAMIN WAY

Delta Building Automation (Australia) had a big job renovating the Headquarters for the Australian Bureau of Statistics (ABS) at 45 Benjamin Way. The building owner wanted to improve the building’s energy use and increase their National Australian Built Environment Rating System (NABERS) score to more than 4.5 stars, out of a possible total of six. Securing the network both internally and externally was a big priority, as well.

Penn State University Optigo Networks Visual BACnet

PENN STATE UNIVERSITY

When Tom Walker looked at Penn State University’s Navy Yard network, he saw huge issues. The system was busy and loud, to the point where the overrun network was bringing down the entire building. Because this was happening on the MS/TP network, pinpointing the problem would mean boots on the ground to segment and test the chain, piece by piece.

Penn State University Optigo Networks Visual BACnet

PENN STATE UNIVERSITY

When Tom Walker first started working at Penn State University four years ago, there were a lot of network issues. Buildings were dropping offline. Broadcast traffic was pushing 90,000 packets per hour. Walker was on the phone almost every single night because devices were down or had to be reset.

 

Torre Manacar Mexico City Optigo Connect

TORRE MANACAR

When MR Soluciones began work on Torre Manacar, they knew they needed a flexible and scalable network infrastructure to support a wide array of integrated systems. Optigo Networks was a natural fit for the massive project, designing a robust network at a competitive cost.

short

SHORT PUMP TOWN CENTER

Short Pump Town Center, an upscale retail center, underwent a complete renovation in 2014. The flexibility of Optigo Networks’ solution meant the retail center’s unknown final design was not a barrier to placing IP surveillance equipment in the field.

BOULEVARD MALL

BOULEVARD MALL

Optigo Networks connected New York-based Boulevard Mall’s security surveillance devices in December 2015, using a Passive Daisy Chain topology.

Visual BACnet tech support team

TECH SUPPORT TEAM

One tech support team at a manufacturer purchased an account with Visual BACnet in April 2017, for technical problems around the world.

Aster Conservatory Green Optigo Connect

ASTER CONSERVATORY GREEN

The Aster Conservatory Green is a community comprising 352 residences across 24 low-rise buildings. The buildings use advanced surveillance and access control technology, including 40 HD video cameras and 60 FOB-access-tele-entry points for access control.