Posted on Mar 20, 2019
The pace of smart building construction and upgrades is accelerating, and facility operations staff are increasingly involved in addressing the cyber security risks that come with connecting networks of sensors and controllers to the corporate network and the Internet. It’s no secret that Building Automation Systems are readily found on Shodan, making them easy targets for attackers.
How can smart building cyber security go wrong? Here are the three most common signs of failure:
1. Lengthy Project Timelines
Protecting a few hundred sensors and controllers in a building shouldn’t seem very complicated for a typical operations team. They already manage complex and even life-critical systems, from power and water systems to heating and elevators. Yet when they check with their network security partners and terms like “attack surface sprawl, firewall rules, VPN and certificate management” enter the conversation, the sobering reality sinks in.
Securing smart building controls can be downright daunting. For example, some solutions require weeks to months just to reliably connect, isolate, and segment a single building of under 10 controllers. If your team is unable to connect and protect a building regardless of size in a single day or two, the solution you’re attempting to deploy is probably the wrong one.
2. Rising Costs and Complexity
Maybe you’ve been asked to isolate or segment a single smart building network from your shared corporate network. Your existing network security vendor just gave you a massive estimate, as high as $250k for a small group of buildings. Chances are they are proposing the same solutions they already use to protect IT systems and servers. The fact is that traditional IT solutions were never built for OT systems like smart building controls. If you’re trying to address the problem with the wrong technology, your acquisition, deployment, and ongoing management costs will escalate very quickly.
A high estimate is a warning sign that you’re likely trying to fit an out of date IT network and security stack into a new mission. Unfortunately, rising costs will only be part of the problem, as they cannot deliver the right outcomes.
3. Added Headcount Requirements
Given the lengthy deployment time frames and high costs associated with traditional networking and security solutions for connecting and isolating smart building networks, it’s likely you’ll require extra headcount to deploy and manage these solutions. Most of our smart building customers projected that they needed to increase net new headcount by at least 25%. This equates to costly overhead, because you need people with advanced IT skills to manage more firewalls and VPNs. Not only is this a big blow to the budget, but it’s really hard to find adequate skills today with the shrinking pool of talent, as highlighted in a recent Gartner, Inc. survey.
This is when the big red warning lights go off, because the number of added headcount needed is directly correlated to the complexity of the solution and the difficulty teams will have in maintaining a highly available and secure state for all of their distributed building controls.
If your team cannot instantly enable or revoke access on demand, chances are the network and security teams will leave those connections open, protected only by the vendor’s shared user name and password. And if you are required to deploy and maintain control servers at the building level, it’s because those traditional solutions don’t carry BACnet’s broadcast-based device discovery across network segments. This will require additional headcount, because BACnet broadcast traffic can inadvertently create broadcast storms that make networks less stable and require staff who can triage and troubleshoot the source of those storms.
What to do:
If your team is being told that your smart building cyber security project will take weeks to protect even a single building, or costs will be high, or that you’ll need to hire more experts to properly cloak and isolate your smart buildings sensors and controls, it is very likely you’re being offered the wrong solution. It’s all about the stack.
The most widely deployed network security, firewall and segmentation solutions deployed in IT were architected on protocols created before organizations even contemplated network security let alone understood the exponential scale of building IoT. Smart Buildings IoT endpoints dwarf traditional IT in terms of the number of devices being connected and the number of locations that need to be supported.
Day one, these solutions might work. Day 30, they become extremely complex to deploy, scale, and manage, resulting in network stack fatigue, or the widening gap between security complexity and protection. It is stack fatigue that drives costs, resource and timeline requirements higher and higher as smart buildings are added.
We believe smart building networking should be simple to deploy, radically secure, and not break the bank. Check out this brief on Connecting and Protecting Building Automation Control Networks.
Posted on Mar 13, 2019
In short, stack fatigue is the inverse correlation between the rising complexity and cost of TCP/IP-based security solutions and the protection they deliver: as complexity increases, effective protection decreases.
Why it’s important: when the TCP/IP stack was invented, network security wasn’t a significant consideration. In the 1990s, basic network security solutions evolved to address the shortcomings of TCP/IP as networks grew larger and connected more devices to the rapidly growing early Internet. The network security market grew exponentially because of those shortcomings. Over time, layers of solutions accumulated, each out of necessity as new risks appeared and cyber attacks escalated.
Decades later, billions of IIoT devices are connecting to enterprise networks, rapidly expanding the attack surface and creating new attack vectors, that is, new ways in which networks can be compromised. The TCP/IP-based security solutions have kept pace only by piling on layers of new policies and scripts (lines of code) and new generations of products, most of them managed manually. That has produced complexity, in the form of rising security costs and personnel shortages, alongside an eroding security posture.
The result: an inverse correlation between increasing complexity and cost and effective protection.
Posted on Feb 5, 2019
Typically, we deploy our product into existing network environments. Whether the trigger is a new rule that requires secure access or a failed audit, it is always an existing network, with all of the issues inherent in modifying something already in production. Deploying into these networks requires a more complicated design and potentially several phases of deployment to be successful.
While TCP/IP may be long in the tooth, it is still the foundation of the Internet and of all current corporate networks. Even a newly built network will use Ethernet and TCP/IP as its foundation protocols. However, with the addition of the Host Identity Protocol (HIP, RFC 7401) on top of the new network, many of the issues that plague TCP/IP can be alleviated.
HIP identifies the parties in a communication by a cryptographic identity, a public key, rather than by IP address alone. The IP address serves only as the locator, saying where a host currently is, while the Host Identity (carried on the wire as a Host Identity Tag, a hash of the public key) says who it is. Because policy can be written against identities that do not change when a device moves or is re-addressed, there is no need for complex deep-packet inspection rules that must be revisited over time.
The original post illustrates a new network deployed with HIP over the top of TCP/IP with a diagram that is not reproduced here.
By using HIP to provide a layer of identity management and encryption over the top of TCP/IP, networks can continue to use traditional networking tools and methods while gaining encryption, manageability, and identity-based access control.
With a HIPserver on the domain controller, all of the Active Directory services (authentication, name lookup, printing, etc.) are available inside the HIP tunnels. Access can be granted through Active Directory groups, just like it is now, but in the case of HIP, any resource you do not have permission to is not reachable. There is no tunnel from your device(s) to resources unless you are a member of a group with access to that device.
Onboarding a new device on the network is a matter of connecting and adding it to the Overlay. Once there, the group permissions take over, and the routing table is set up to allow access to all the resources assigned.
From file server to printers and more exotic network resources, what you see is strictly what you have permission to see. Any unregistered device on the network can see only the DHCP traffic, name resolution for the HIP Service peer, and encrypted traffic. A scan of any of these devices shows the only thing listening is HIP.
The benefits are not only in the realm of security but also in manageability. To update the routing and access of a group, add them to the correct overlay group, and routing is automatically propagated to all members.
TCP/IP was not designed for the modern network and is showing its age. Putting a layer of HIP over the top of the IP network allows for the use of Identity instead of just IP address for accessing resources as well as providing encryption for all data in motion. The new networking has to be secure while remaining as easy as possible to configure, and with HIP as the security layer on top of TCP/IP, it can be made so.
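The following Python model is an added illustration of the identity-versus-locator idea in this post; it is not Tempered Networks code and not the HIP wire protocol. It assumes a host’s identity is a SHA-256 digest of its public key (a simplified stand-in for the HIP Host Identity Tag, which RFC 7401 derives from the Host Identity public key with ORCHIDv2; that exact layout is not reproduced). The host names, group names and "public keys" are constructed for the example. It shows policy that never consults an IP address surviving a subnet move, rejecting a rogue device that takes over the old address, propagating a resource’s new locator to authorized members, and revoking every tunnel by removing one identity.

```python
"""Identity-versus-locator policy, modelled on the HIP idea above.

Added illustration: not Tempered Networks code and not the HIP wire protocol.
Assumption: identity = SHA-256 over the public key (stand-in for a HIT).
The IP address is only a locator and never appears in policy.  The
"public keys" below are constructed byte strings, not real keys.
"""
import hashlib
from dataclasses import dataclass


def identity_tag(pubkey: bytes) -> str:
    """Identity derived from key material; truncated hex keeps output readable."""
    return hashlib.sha256(pubkey).hexdigest()[:24]


@dataclass
class Host:
    name: str
    pubkey: bytes
    ip: str  # locator: changes when the host moves subnets, identity does not

    @property
    def tag(self) -> str:
        return identity_tag(self.pubkey)


class Overlay:
    """Policy keyed on identity tags; groups grant reachability to resources."""

    def __init__(self):
        self.hosts = {}      # tag -> enrolled Host (devices and resources)
        self.groups = {}     # group name -> set of member tags
        self.published = {}  # resource tag -> set of groups allowed to reach it

    def enroll(self, host, *groups):
        self.hosts[host.tag] = host
        for g in groups:
            self.groups.setdefault(g, set()).add(host.tag)

    def publish(self, resource, *groups):
        """Make a resource reachable by members of the given groups."""
        self.enroll(resource)
        self.published[resource.tag] = set(groups)

    def revoke(self, host):
        """Removing the identity removes every tunnel it had at once."""
        self.hosts.pop(host.tag, None)
        self.published.pop(host.tag, None)
        for members in self.groups.values():
            members.discard(host.tag)

    def tunnel_allowed(self, client, resource):
        # Both ends must be enrolled (mutual authentication) and the client
        # must belong to a group the resource was published to.  Neither
        # side's IP address is consulted.
        if client.tag not in self.hosts or resource.tag not in self.published:
            return False
        return any(client.tag in self.groups.get(g, set())
                   for g in self.published[resource.tag])

    def routes_for(self, client):
        """Resource tag -> its current locator, only for resources the client may reach."""
        return {tag: self.hosts[tag].ip for tag in self.published
                if self.tunnel_allowed(client, self.hosts[tag])}


def scenario():
    """Walk through move, spoof, route update and revocation; returns the checks."""
    overlay = Overlay()
    laptop = Host("ops-laptop", b"constructed-pubkey-laptop", "10.1.1.20")
    printer = Host("printer", b"constructed-pubkey-printer", "10.1.2.7")
    files = Host("fileserver", b"constructed-pubkey-files", "10.1.2.8")
    overlay.enroll(laptop, "staff")
    overlay.publish(printer, "staff")
    overlay.publish(files, "finance")

    out = {}
    out["laptop_to_printer"] = overlay.tunnel_allowed(laptop, printer)  # member of staff
    out["laptop_to_files"] = overlay.tunnel_allowed(laptop, files)      # not in finance

    laptop.ip = "192.168.50.4"  # moved subnets: locator changed, identity did not
    out["after_move"] = overlay.tunnel_allowed(laptop, printer)

    rogue = Host("rogue", b"constructed-pubkey-rogue", "10.1.1.20")  # laptop's old IP
    out["rogue_with_old_ip"] = overlay.tunnel_allowed(rogue, printer)

    printer.ip = "10.1.2.70"  # resource re-addressed: routes follow the identity
    out["route_to_printer"] = overlay.routes_for(laptop)[printer.tag]

    overlay.revoke(laptop)
    out["after_revoke"] = overlay.tunnel_allowed(laptop, printer)
    return out


if __name__ == "__main__":
    for check, value in scenario().items():
        print(f"{check}: {value}")
```

The rogue device fails not because its address is wrong but because it never completed enrollment, so it has no identity the overlay recognizes; real HIP adds a cryptographic base exchange and encrypted transport on top of this policy decision, which the model leaves out.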
Want to see how we’ve applied HIP to secure and connect hundreds of Smart Buildings for a top 50 university? You can read our case study here.
Posted on Jan 24, 2019
We recently welcomed Marta, our new Sales Operations Analyst, to the Tempered Networks team. She’s here to get all of our ducks in a row! Keep on reading to learn more about her.
Where is your hometown?
I spent most of my life in Warsaw, Poland, except for short trips to England and Reno, NV. There was a government program for work and travel, so I would work in Reno for five months and then travel for one month.
Before working at Tempered, what was the most unusual or interesting job you’ve ever had?
When I was in Reno, I was working as a change person. The biggest jackpot I ever had to pay out was $29,000. It took about an hour just to count and recount everything…
How do you balance your career and personal life?
I’m waking up super early every morning. My normal alarm time is 4:30am to get into the office at 6:00am, and then I leave around 3:00pm to avoid traffic. Weekends are house and family time, mostly with my son. I also find some activities for myself. I have a group of 10-15 crazy moms, and all our families are connected. We go on trips together, go to the bar for trivia, and our kids play together.
Best vacation you’ve had?
Reno. Even though I was working, I was making money and having fun—it was the vacation of my life. Coming from Poland, the students there don’t work like students here. We were renting a car to go visit different places every weekend. It was also a huge lesson for how to be an adult. Even my parents said when I came back that I was older and more independent.
If Hollywood made a movie about your life, who would you like to see cast as you?
Melissa McCarthy – she is so funny.
What do you do for fun?
Gardening. I love flowers. Growing up, my mom loved gardening too. Whenever I’d see my mom in the garden, I’d think, “Why is my mom always in the dirt?” But now I find that as soon as I get home, I’m changing my clothes and getting in the dirt. My yard has a green wall. I love watching the flowers bloom—I have a lot of roses.
People would be surprised if they knew:
There’s a lot of things, but you might think I’m too crazy.
Posted on Jan 16, 2019
Caston Thomas of InterWorks and Rob Goss of Tempered Networks had the opportunity to discuss “Zero Trust” and “Software Defined Perimeter” with the Detroit-based podcast ITintheD. ITintheD is a long-established weekly podcast with over 150K subscribers and over 300K weekly plays.
During the podcast, Rob introduced Tempered’s Identity Defined Networking and the benefits of Host Identity Protocol which was developed to address the vulnerabilities of TCP/IP. No other commercial solution leverages HIP, which lets network managers easily connect, segment, move, revoke, cloak, and manage any networked ‘thing’. HIP is the only protocol designed for zero trust segmentation by eliminating the pitfall of tying network communication to IP addresses.
They talked about how organizations are looking for ways to enhance their network security without a lot of complexity and hardware, thereby accelerating deployment. They also introduced HIPnet, which lets users set up their own private, secure networks in minutes, at no cost. Skepticism turned into excitement during the episode, which has led to a follow-up episode the week of January 14th, which is this week.
You can find the podcast here. Our segment begins at the 52 minute mark.
Posted on Jan 3, 2019
If you had told me a year ago that our Front Desk Receptionist would come back a year later as an Inside Sales Representative, I don’t think I would have believed you. Not that he’s incapable by any means, but just because that doesn’t usually happen.
Miguel (or Mickey) left Tempered last year to work in Sales for a different tech company. When we opened up an opportunity in Sales, we knew we wanted to get Mickey back. I was able to sit down with him to hear more about the journey from his perspective.
How did you get into Sales in the first place?
Mickey: Because of where I worked at Tempered, I had the opportunity to get to know everyone in the office. When I knew it was time to grow from my position, a VP in Sales asked what I was doing next. I had told her I was looking for sales positions and she really took the initiative to sit down with me and tell me everything I needed to know to get into the industry. She even set me up with other folks in Sales to learn more from their perspective. These acts really emphasized the small family vibe Tempered has. It was even through networking with people here that I got my job at the next place and was a shoo-in.
How do you feel like your previous job prepared you for the Inside Sales role here?
Mickey: It definitely helped that it was a firewall company, so I was able to learn a lot about the cybersecurity industry. That combined with the background knowledge I picked up from Tempered has really boosted me.
How are you doing in the role now?
Mickey: My new role at Tempered has a lot more responsibility, and I feel it more. There’s a lot more ownership. I’ve gotten a lot of leads, but I know I need to keep going because I want more!
Mickey is definitely an achiever. It sounds like he’s doing a lot of work already to me, but he’s the type of person that always wants to keep going and getting better.
How do you balance your career and personal life?
Mickey: It’s difficult. I like to work. I want to do the best I can, but I live with five guys so even if I wanted to work at home it would not happen. I try to stay to myself on weekends.
What do you do for fun?
Mickey: Food and eating out. I’m competitive, and I love soccer.
We are so happy to have Mickey back! He adds so much personality and gusto to our team.
Posted on Dec 13, 2018
This month a European water utility found that its SCADA/ICS equipment had been compromised in a cryptojacking attack. The mining, which took place at an unspecified utility facility, ran for three weeks before a security firm discovered it; it likely stemmed from an operator opening a phishing e-mail.
Cryptojacking is the process by which malicious actors install mining code on a victim’s computer, typically through a compromised website or a phishing e-mail. The code then burns CPU cycles on the proof-of-work hash computations needed to mine cryptocurrency, degrading the performance of the host. In this case the attackers were mining Monero, a privacy-focused currency whose transactions are hard to trace. This type of attack has gained popularity lately, owing partly to a higher success rate than ransomware, which only pays out if the victim chooses to pay.
Tempered Networks can apply zero trust protocols and microsegmentation to head off such attacks before they start. Within a flat network, such as the one pictured in the original post, bad actors can traverse the whole network once they gain access at any endpoint. A zero trust protocol requires mutual authentication before any communication can take place, so malware on a compromised host has no unauthenticated path to other devices. Microsegmentation further restricts communication to the specific device-to-device flows that policy explicitly allows.
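As an added example (not the page’s or Tempered Networks’ code), the Python below puts numbers on the lateral-movement argument above. The utility topology, host names and allow-list are constructed for illustration. In the flat model any host can open a connection to any other; in the segmented model a connection exists only if the (initiator, responder) pair is on the allow-list, and a device that was never enrolled has no entries at all, standing in for the mutual-authentication requirement. The allow-list deliberately gives no OT host a path to the Internet, so a miner dropped on the HMI has no route to a mining pool.

```python
"""Blast radius of one compromised endpoint: flat versus microsegmented.

Added example, not the page's or Tempered Networks' code.  Topology and
allow-list are constructed; adjust them to your own flow inventory.
"""
from collections import deque

HOSTS = ["ops-workstation", "hmi", "historian", "eng-workstation",
         "plc-1", "plc-2", "internet"]

# Constructed allow-list of (initiator, responder) flows.  No OT host may
# initiate to "internet", so a miner on the HMI cannot reach a pool.
ALLOWED_FLOWS = {
    ("hmi", "plc-1"), ("hmi", "plc-2"),
    ("eng-workstation", "plc-1"), ("eng-workstation", "plc-2"),
    ("historian", "hmi"),
    ("ops-workstation", "hmi"),
    ("ops-workstation", "internet"),  # corporate mail/web: the phishing path
}


def flat_edges(hosts):
    """Every host can talk to every other host: no segmentation at all."""
    return {(a, b) for a in hosts for b in hosts if a != b}


def reachable(start, edges):
    """Hosts an attacker holding `start` can connect to, assuming they pivot
    through each host reached along the way (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def blast_radius(compromised, segmented):
    """Sorted list of hosts reachable from `compromised` under either model.
    An unknown name models an unenrolled device plugged into the OT switch."""
    hosts = HOSTS if compromised in HOSTS else HOSTS + [compromised]
    edges = ALLOWED_FLOWS if segmented else flat_edges(hosts)
    return sorted(reachable(compromised, edges))


def pool_reachable(compromised, segmented):
    """Can a miner on `compromised` get out to a mining pool on the Internet?"""
    return "internet" in blast_radius(compromised, segmented)


if __name__ == "__main__":
    for victim in ("hmi", "contractor-laptop"):
        for seg in (False, True):
            label = "segmented" if seg else "flat"
            print(f"{victim:18s} {label:9s} reach={blast_radius(victim, seg)} "
                  f"pool={pool_reachable(victim, seg)}")
```

The search assumes the worst case, that every host the attacker reaches can itself be compromised and used as the next hop, which is why the segmented result for the HMI is only the two PLCs it legitimately controls. Note that the ops workstation still reaches the Internet under segmentation, because that is its job; microsegmentation limits where a phished host can go next, it does not replace mail filtering and endpoint controls on the hosts that must talk to the outside.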
Want to see how we’ve applied our solution to other utilities networks? Check out our case study here.