The importance of IoT security
February 13, 2019 - Over the past few years, commercial building managers have raced to deploy Internet of Things (IoT) devices to optimize operations and improve the occupant experience. In their haste, however, many of them have ignored the best practices of other industries and selected devices that offer only incremental improvements over legacy systems while carrying serious security flaws, flaws that become real liabilities once those devices are connected to genuine IoT applications.
As a result, many commercial buildings’ IoT systems are far from secure. And it has been this way for a while now.
In the U.S., the state government of California has determined this security issue is pressing enough to warrant new legislation. Introduced in 2017 and signed in 2018, SB-327 is an IoT cybersecurity law that comes into effect on Jan. 1, 2020. It requires manufacturers of connected devices to equip them with ‘reasonable’ security features, appropriate to the nature and function of the device and the information it collects, designed to protect the device and its data from unauthorized access, destruction, use, modification or disclosure. A device that can be authenticated to from outside the local network is deemed to meet that bar only if each unit ships with its own unique preprogrammed password or forces the user to set a new credential before first use, which in practice rules out shipping an entire product line with the same factory default.
It should be clear California will not be the only jurisdiction to pass such a law. Its new security requirements must be taken seriously, as they will eventually have an effect elsewhere, as well.
This is important to the electrical and lighting industries, which could be said to sit at the cornerstone of the IoT revolution in the built environment. As demand for smarter buildings grows, the competencies and roles of the electrical contractor will shift dramatically.
Seeking the middle ground
The first step in preparing for this shift is learning enough about cybersecurity as it pertains to the products you install. A basic grasp of what security components go into IoT devices for the built environment is essential before working in this rapidly growing section of the electrical market, so you can competently review specification sheets and judge manufacturers’ claims rather than take them on faith.
While all of the new lingo and acronyms may sound daunting in a channel where there are already so many, resources exist to help you fully understand the claims being made on behalf of these products.
You will not need to earn a computer science degree to understand core aspects of these products. Rather, there is a spectrum of learning on the topic. At one end is a basic understanding of how IoT devices communicate. At the other is ‘provisioning,’ i.e. network installation and setup, which relies on well-engineered systems. In between are all of the details about how such a network is secured.
Electrical contractors should seek out this middle ground, as it is where they are already well-positioned to speak intelligently on the matter and advocate for the right solutions, yet not take on any additional undue risk or responsibility for their operation.
Finding this middle ground comes down to working with the right manufacturers, whose products will best mitigate risk. Transparency is key at this stage and, with that in mind, the following are some issues to consider:
• Open standards—Favouring protocols that are openly specified, broadly deployed and continuously reviewed (the Internet Protocol suite and the transport security built on top of it, for example) is the most reasonable way to limit risk over the long term, because their flaws are found and fixed in public rather than discovered first by an attacker. Network security work within the IP standards community is already doing more on your behalf than you likely realize. Driven by a combination of governments, academia and businesses, open standards and their open-source implementations have proven the most successful method for creating best practices and repeatable, interoperable methods of communication. Treat a proprietary or undocumented protocol as a question to ask, not a feature.
• Testing—Ask manufacturers what testing their systems have been through and what they intend to undertake in the future: independent penetration testing or third-party assessment rather than internal QA alone, and whether they have a process for receiving and fixing vulnerability reports. Any manufacturer that has taken security seriously will expect you to inquire on these points and will have answers backed by data to help you make the right choice. Such testing follows the lead of the larger IP standards community, which treats security as an arms race: a product that was secure when it was tested is not necessarily secure today.
• Support—Who is taking on the risk in the deployment of the solution: the manufacturer, the customer or you? It is best to find a manufacturer who will partner not only with you, but also with your client’s facility. There are levels of support and upkeep available that will greatly alleviate your exposure, so ask how long the product will receive security updates, how those updates reach the installed devices and who is responsible for applying them. This has been true of corporate enterprise software for decades and it is now becoming true for building control systems, as well. Software security must be maintained just like lighting ballasts, boilers, thermostats and valves.
• Impact on your work—Some solutions will demand extreme alterations to your typical workflow. Others will make little impact on the installation process and the system’s ability to perform, while still offering a robust level of security.
Advocating for the right system
While it is important to minimize the level of risk you are taking on as a contractor, it is also important to expose the building owner, your client, to as little risk as possible. At times, this will mean actively advocating for products that fully address security issues.
As mentioned, legislators are just now beginning to address the security risks inherent in smart devices and connected systems. And such problems existed long before the move to IoT. There remains a need for a paradigm shift in both attitude and approach.
Just as regulations to drive compliance are starting to emerge, so too is awareness of the full costs and risks of many of the systems in play. This is new territory.
Seek out manufacturers that are striving to meet emerging standards, even if it means significant revamps of legacy products to prepare for the future. The ‘bolt-on’ option is no substitute for the ‘built-in’ approach!
Facility managers, meanwhile, tend to rationalize the lack of security in their building control systems. They assume either that (a) the system is segmented in a way that it cannot become a vulnerability or (b) it is integrated closely enough with the corporate network that it inherits that network’s protections and needs none of its own. Both assumptions are incorrect.
A networked system simply does not allow for a ‘do nothing’ approach. Whether or not it connects to another network or to the Internet, it is an exploitable jumping-off point for attacks, because it is in contact with occupants, facility managers and their devices: the laptop used for commissioning or the phone sharing the building’s Wi-Fi crosses the segmentation boundary routinely. Isolation that is assumed rather than verified is not isolation.
As an electrical contractor seeking to add IoT devices to a facility, you must get comfortable being uncomfortable and take the ‘do nothing’ approach off the table.
Reaping the benefits
All of the aforementioned caution with regard to security should not scare you or your clients away from the world of IoT. The benefits of such systems are absolutely worth the considerations laid out here.
One such benefit, for example, is remote access. The ability to allow the contractor or the manufacturer to connect from anywhere to the facility for upgrades, maintenance or support is a boon to the building owner, and it can absolutely be facilitated securely if you plan for it: the connection should be initiated from inside the building and brokered through an authenticated service rather than exposed by forwarding a port on the building’s router, each remote party should hold their own credentials, and access should be granted per session instead of left permanently open.
So, the appropriate approach for contractors looking to effectively deploy IoT solutions is to educate themselves about the technology and its security implications, to ask plenty of tough questions of manufacturers who will partner with them in their success and, fundamentally, to advocate for the correct level of security with building owners.
This advice is likely to become law beyond just California. The momentum behind regulation increases with every security breach. Whether that takes two years or 10 is debatable, but vendors who are not preparing and treating the situation with the seriousness it deserves will saddle everyone else with the risks of poor device cybersecurity.
Just as you already know where you fit in the chain of electrical certification, so too could you soon have a place in the cybersecurity chain. Understanding that now will prepare you to confidently approach the topic when it becomes an industry standard.
Jonathan Cartrette is senior systems architect for Legrand’s building control systems (BCS) division. For more information, visit www.legrand.ca.
This article originally appeared in the February 2019 issue of Electrical Business magazine.