It’s a sure bet that most new building projects going up today will have devices that connect to the Internet of Things (IoT), whether it’s as simple as digital signage or as complex as a complete building automation system. What’s less certain is whether system designers and installers will take the time upfront to assess possible threats to the IT infrastructure and develop a strategic cybersecurity approach for reducing the risk of these threats.
In this day and age, where hackers can gain access to a company’s financials through fish tank sensors, the lack of a comprehensive IoT security plan is downright negligent. Yet it happens all the time. These devices are an all-too-often unprotected access point to organizations’ broader networks and the critical data that lies just behind the firewall.
Part of the solution begins with recognizing that buildings are filled with IoT security risks. The next step is to put a proactive plan in place to address these risks.
Recognize your IoT security risks
The Palo Alto Networks Unit 42 research team determined that about 98% of all IoT device traffic is unencrypted, an oversight that virtually invites access from cyberattacks. While many organizations are still playing catch-up around standard cybersecurity practices, IoT devices are continuously evolving, adding a new layer to the challenge of system hardening. Many building automation systems, for example, are moving to Bluetooth low-energy (BLE) solutions to communicate across devices. These BLE-based technologies are cost-effective, use less energy, but add a new way for hackers to access data.
What’s more, there is really no way to retroactively “patch” an IOT device weakness once it has been exploited by hackers. With few exceptions, there’s no capability for automatic security updates, such as you get with your PC. In fact, white-hat hackers disclosed a number of such BLE-based security vulnerabilities in the Sept. 2021 BrakTooth hack, and exposed several vendors’ reluctance to address these flaws.
Ensure as-designed IoT performance
To ensure that a building’s network infrastructure provides the connectivity you expect at minimal risk, it’s important to begin to consider your IoT device security as early as possible. The following five steps can help provide a starting point for creating an effective approach to IoT security.
1. Become intentional about IoT cybersecurity. The first step to reducing your risk is to become as intentional about IoT devices as most organizations are about their computer security. Designating responsibility for this area early on and developing processes for keeping cybersecurity up-to-date will be key.
2. Work with a network infrastructure designer who includes hardening recommendations in the specs. Some technology designers and consultants are beginning to include language in their specifications specific to the need for IoT security procedures. After all, these systems won’t meet as-designed performance if breached by a hacker. Responsible technology solutions designers are ensuring that building owners understand the need for a coordinated approach between product installers and their own IT departments to deliver the performance their devices promise.
3. Install products from manufacturers committed to security. Quality IoT product manufacturers have gotten onboard with the importance of cybersecurity, particularly in light of dramatic upticks in cybercrime. More data records were compromised in 2020 alone than in the past 15 years combined, according to a study from analysis firm Canalys. Responsible IoT device manufacturers are now producing hardening guides that include best practices for utilization.
4. Ensure coordination between your IoT device installer and IT experts. In the past, device installers and network managers might have only touched base to exchange IP addresses. Now, they should be communicating upfront to ensure that a strategic cybersecurity approach is in place before any device is connected to the network.
5. Consider working with a certified installer. The security industry itself is taking a more proactive approach to cybersecurity. One result has been the Security Industry Association’s 2021 launch of a Security Industry Cybersecurity Certification focused specifically on the convergence of cybersecurity and physical security. Geared toward installers and designers of security systems, the SICC encourages a comprehensive approach to electronic security and cybersecurity.
A holistic approach to building security
Although awareness of the need for cybersecurity is growing, the threat also continues to grow exponentially. Businesses, government agencies, and other institutions have all felt the pain of cyberattacks. Small businesses, which often give little attention to cybersecurity, are a frequent target of cyberattacks. Vendors’ cyber-weaknesses have served as entry points for larger companies. There’s no organization that isn’t at risk of attack.
The good news is, it’s never been easier to prepare. Awareness is growing, but so too are solutions. Working with proactive partners that can guide decision-making around IoT security is an excellent step to beginning a more holistic approach to building security.
If you’re ready to take a more comprehensive approach to building security, CRUX can help. Contact us today.