CYBERSMART BUILDINGS
Securing Your Investments in Connectivity and Automation
JANUARY 2018
WELCOME
STEVE BRUKBACHER
Application Security Manager
Global Product Security
Johnson Controls
WHY ARE WE HERE TODAY?
Yesterday: Partial Connectivity
Today: Smart Buildings
Tomorrow: Smart Cities
1. All industries are making smart building investments (seeking reward)
2. Cyber incidents threaten the smart building value proposition
3. Cybersecurity must become a core tenet of building design and operations (to guarantee that investment)
BOTTOM LINE
BUILDINGS ARE EVOLVING
ON THE OUTSIDE, SMART, DATA-DRIVEN SOLUTIONS MAY NOT BE APPARENT.
BUT CONNECTIVITY IS CREATING VALUE FOR BUILDING OWNERS AND OPERATORS.
Infographic credit: Johnson Controls
CONNECTING OCCUPANTS TO SOLUTIONS
ACROSS INDUSTRIES, TECHNOLOGY IS REDEFINING HOW BUILDINGS AND OCCUPANTS INTERACT – SAVING ENERGY, INCREASING SECURITY AND OPTIMIZING OPERATIONS.
HEALTHCARE
• Real-Time Location Systems (RTLS)
• Critical temperature control
• Operating room environments
• Electronic record-keeping
• Integrated patient care
HIGHER EDUCATION
• Streaming video management
• Campus-wide system alerting
• Mobile-friendly presentation spaces
• Integrated class registration
• Optimized lighting
K-12 EDUCATION
• Smart whiteboards
• Optimized lighting
• HVAC, data-driven building management
• Space scheduling integration
• District-wide performance tracking
GOVERNMENT
• Access controls & physical security
• Energy management
• Sensitive environment monitoring
• Smart infrastructure
• Integrated asset tracking
TRANSPORTATION
• Real-Time Location Systems (RTLS)
• HVAC temperature control
• Physical security
• Passenger identification systems
• Arrival/departure prediction
COMMERCIAL BUILDINGS
• Access controls & physical security
• HVAC temperature control
• Energy management
• Real-time data analysis
• Meeting space optimization
INVESTMENT AT RISK
NEW VALUE PROPOSITION
• Automated Management
• Predictive Maintenance
• Energy Efficiency
• Asset Location Finding
CYBER RISKS
• Denial of Service Attack
• Vendor IoT Product Compromise
• Occupant Data Theft
• Hijack of Command & Control App
ANTICIPATED INVESTMENT BREAKS APART
SECURITY IMPERATIVE
▪ Pervasive connectivity means more vulnerabilities across a larger attack surface
▪ Many threat vectors can potentially harm connected infrastructure
▪ Occupant health/safety and environment now depend on cyber security
FACING OUR CURRENT REALITY
Source: Kaspersky Lab ICS CERT, Threat Landscape for Industrial Automation Systems in the Second Half of 2016
SOURCES OF THREATS TO INDUSTRIAL COMPUTERS
RELEVANT CYBER INCIDENTS
LARGE INTERNET SEARCH PROVIDER: Researchers hack building control system of key facility; able to obtain command and control
CHINESE HOTEL: Hacker infiltrated hotel room automation system via WiFi; established ability to manipulate room control systems and steal customer data
INTERNET DOMAIN NAME SYSTEM PROVIDER: Largest distributed denial-of-service (DDoS) attack in history uses massive number of compromised IoT devices to swarm its target and cause major internet outages
REPORTED INDUSTRIAL CONTROL SYSTEM VULNERABILITIES
Source: ICS-CERT 2015 Annual Vulnerability Coordination Report
Evolving Guidance:
BUILDINGS NEED TO BE CYBERSMART
1. Security by design for new; retrofit options for established buildings
2. IT and operational technology (OT) assets are mapped and zoned for risk management
3. Vulnerability management function in place for connected devices and infrastructure
4. Passive monitoring for critical assets to understand non-baseline anomalies (e.g., network scanning, controller re-flash)
5. Cyber incident response plan is developed and exercised by relevant stakeholders
WHAT’S A CYBERSMART BUILDING? WHO PLAYS A ROLE?
Lifecycle Phase | Cyber Capabilities
Acquisition | Consider Security Requirements; Assess
Deployment | Build in Security
Operations & Maintenance | Update Regularly; Test, Monitor, & Respond
KEY CONSIDERATIONS FOR TAKING ACTION
1. Observe and orient around your specific challenge
2. Forget old silos; cybersecurity requires cross-functional teaming
3. Change the culture; speak up for cybersmart buildings
4. Build the right capabilities to enable – not hinder – smart building adoption
5. Finally, get operational
WHAT TO DO
Q&A
THANK YOU
FOR MORE INFORMATION:
BOOZALLEN.COM/CYBERSMART
JOHNSONCONTROLS.COM/PRODUCTSECURITY
STEVE BRUKBACHER