Erik Giesa

Wednesday, March 20, 2019


The pace of smart building construction and upgrades is accelerating, and facility operations staff are getting more involved in addressing the cyber security risks that come with attaching networks of sensors and controllers to the corporate network and, through it, to the Internet. It’s no secret that Building Automation Systems are readily found on Shodan, making them easy targets for attackers.

How can smart building cyber security go wrong? In at least three ways. Here are the three most common signs of failure:

1. Lengthy Project Timelines

Protecting a few hundred sensors and controllers in a building shouldn’t seem very complicated for a typical operations team. They already manage complex and even life-critical systems, from power and water to heating and elevators. Yet when they check with their network security partners and terms like “attack surface sprawl,” “firewall rules,” “VPN,” and “certificate management” enter the conversation, the sobering reality sinks in.

Securing smart building controls can be downright daunting. For example, some solutions require weeks to months just to reliably connect, isolate, and segment a single building with fewer than 10 controllers. If your team is unable to connect and protect a building, regardless of its size, in a day or two, the solution you’re attempting to deploy is probably the wrong one.

2. Rising Costs and Complexity

Maybe you’ve been asked to isolate or segment a single smart building network from your shared corporate network. Your existing network security vendor just gave you a massive estimate, as high as $250k for a small group of buildings. Chances are the quote is for the same solutions they already use to protect IT systems and servers. The fact is that traditional IT solutions were never built for OT systems like smart building controls. If you’re trying to address the problem with the wrong technology, your acquisition, deployment, and ongoing management costs will escalate very quickly.

A high estimate is a warning sign that you’re likely trying to fit an out-of-date IT network and security stack to a new mission. Unfortunately, rising costs will only be part of the problem, because that stack cannot deliver the right outcomes.

3. Added Headcount Requirements

Given the lengthy deployment time frames and high costs associated with traditional networking and security solutions for connecting and isolating smart building networks, it’s likely you’ll require extra headcount to deploy and manage these solutions. Most of our smart building customers projected that they needed to increase net new headcount by at least 25%. This equates to costly overhead, because you need people with advanced IT skills to manage more firewalls and VPNs. Not only is this a big blow to the budget, but it’s really hard to find adequate skills today with the shrinking pool of talent, as highlighted in a recent Gartner, Inc. survey.

This is when the big red warning lights go off, because the amount of added headcount needed is directly correlated with the complexity of the solution and the difficulty teams will have in maintaining a highly available and secure state for all of their distributed building controls.

If your team cannot instantly enable or revoke access on demand, chances are the network and security teams will leave those connections open, protected only by that vendor’s shared user names and password. And if you are required to deploy and maintain control servers at the building level, it’s because those traditional solutions don’t support BACnet multicast. Supporting that will require additional headcount, because BACnet multicast will inadvertently create broadcast storms that make networks less stable, and you will need staff who can triage and troubleshoot the source of those storms.

What to do:

If your team is being told that your smart building cyber security project will take weeks to protect even a single building, or that costs will be high, or that you’ll need to hire more experts to properly cloak and isolate your smart buildings’ sensors and controls, it is very likely you’re being offered the wrong solution. It’s all about the stack.

The most widely deployed network security, firewall, and segmentation solutions in IT were architected on protocols created before organizations even contemplated network security, let alone understood the exponential scale of building IoT. Smart building IoT endpoints dwarf traditional IT in the number of devices being connected and the number of locations that need to be supported.

On day one, these solutions might work. By day 30, they become extremely complex to deploy, scale, and manage, resulting in network stack fatigue: the widening gap between security complexity and actual protection. It is stack fatigue that drives cost, resource, and timeline requirements higher and higher as smart buildings are added.

We believe smart building networking should be simple to deploy, radically secure, and not break the bank. Check out this brief on Connecting and Protecting Building Automation Control Networks.