Replace firewalls and VPNs
Isolate building controls from unauthorized systems
Onboard buildings quickly
Segment remote access for predictive maintenance
Simple, non-disruptive network adds, moves, and changes
Enable network communication across any transport
Transfer of building controls
Hundreds of buildings
Thousands of tenants
Shared local networks
Large attack surface due to IoT
Isolated and segmented building controls from tenants
Removed building controls from the reachable network attack surface
Onboard new buildings quickly and cost-effectively
BACnet is invisible and unreachable by all unauthorized systems
Segmented remote access to authorized systems only
Can add, move, and revoke network communication instantly
Dodging the Bullet
A high-end commercial real estate developer and property management firm with over 200 properties had experienced a breach of one building's HVAC system, similar to the 2013 Target breach, which also began with an HVAC contractor's credentials. Thankfully the attackers did not go after customer or other sensitive data, only that building's operation, but it did serve as a wake-up call for the CEO and Board.
Large Network Attack Vector
IT knew those systems could have been taken completely offline, affecting hundreds of tenants and their businesses, but the real exposure was even bigger. The same network and security infrastructure that had been breached at the one site was in use across all of their properties. They estimated that they had thousands of exploitable network attack vectors, from the buildings' local area networks to the WAN and the Internet.
Ineffective Firewalling and Remote Access
The source of the breach was a publicly exposed VPN and stolen user credentials. Once the VPN session was accepted, terminated at the edge and its traffic forwarded inward, the attackers were on the building automation network and could reach every controller speaking BACnet (the ASHRAE building automation protocol, which has no authentication of its own). The developer's internal firewalls restricted access by address range, port and Layer 7 inspection rules, but none of those controls verifies who is actually behind a packet: a source address can be spoofed and an allowed port carries whatever traffic is sent to it, so the attackers traversed them. They gained access to and control over several HVAC systems, disrupting operations.
Eliminate Complex and Error Prone Alternatives
Punching holes through firewalls and leaving site-to-site VPN connections open is undesirable but often necessary for temporary or continuous access. Managing firewall rule sets, IPsec VPN tunnels and certificate revocation is complex and error-prone. The same is true of attempting to segment with VLANs and ACLs and locking down ports. Managing this chain of complexity often sets security and networking teams up for failure and exposes organizations to tremendous business risk.
"IDN has transformed our environment from one that was complex, difficult to manage and could still be breached, to a network where only verified and authenticated systems can communicate with one another. By enabling and disabling trust relationships between machines it’s simple for us to control access and segmentation."
Director of Networking
U.S. Commercial Developer
They Can’t Hack What They Can’t Find or See
By fronting each HVAC system with a physical HIPswitch, the HVAC systems could no longer be seen or communicated with by non-trusted systems. A HIPswitch will only communicate with other whitelisted systems, which must authenticate and be authorized before any transport is established; a peer that is not on the whitelist gets no reply at all, so there is nothing for it to scan or probe. In that sense every system within the IDN is invisible to an attacker.
Universal Access from Anywhere
By deploying a HIPrelay for ID routing, remote communication between individual building controls and their servers in the datacenter became point-and-click simple. They eliminated the cost and vulnerabilities of the complexity chain, which accelerated their time to provision and de-provision resources on the network.
Remote access by technicians was also easily enabled and controlled, instead of opening pinholes in firewalls and managing IPsec tunnels. Today they grant segmented machine-to-machine access, not device-to-network access. Network communication is either allowed or denied based on the systems' cryptographic identity and mutual authentication between peers, not on addresses, ports, and certificates.
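The two preceding sections describe the policy model in words: a whitelist keyed on a machine's cryptographic identity, mutual authentication before any transport is established, and silence toward anyone not on the list. The following Go program is an added illustration of that model, not Tempered Networks' code and not the Host Identity Protocol base exchange itself (RFC 7401 defines its own packet formats and Diffie-Hellman exchange); it keeps only the properties the case study relies on. Host names such as hvac-bldg-17 and the HostID, Trust, Revoke and Handshake functions are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HostID is a fingerprint of a host's public key. Policy is written against
// this identity, never against an IP address or port, so it cannot be claimed
// by anyone who does not hold the matching private key. (Illustrative; the
// real HIP Host Identity Tag is derived differently.)
type HostID string

func IDOf(pub ed25519.PublicKey) HostID {
	sum := sha256.Sum256(pub)
	return HostID(hex.EncodeToString(sum[:8]))
}

// Host models one endpoint fronted by an identity gateway: a keypair plus the
// whitelist of peer identities it will answer at all.
type Host struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Allow map[HostID]bool
}

func NewHost(name string) *Host {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Host{Name: name, Pub: pub, priv: priv, Allow: map[HostID]bool{}}
}

// Trust and Revoke toggle the trust relationship between two machines; in this
// model that is the whole of an "add, move or revoke" change.
func Trust(a, b *Host)  { a.Allow[IDOf(b.Pub)] = true; b.Allow[IDOf(a.Pub)] = true }
func Revoke(a, b *Host) { delete(a.Allow, IDOf(b.Pub)); delete(b.Allow, IDOf(a.Pub)) }

var (
	ErrSilentDrop = errors.New("peer not whitelisted: packet dropped, no reply")
	ErrBadProof   = errors.New("peer could not prove possession of its private key")
)

func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// Handshake runs a mutual challenge/response between initiator i and responder r.
// Only identities on both whitelists get as far as exchanging signatures; an
// unknown identity gets no reply, which is what makes r "invisible" to it.
// Note that no source address is consulted anywhere.
func Handshake(i, r *Host) error {
	// 1. i -> r: i's public key and a fresh nonce. r checks the whitelist first.
	nI := nonce()
	if !r.Allow[IDOf(i.Pub)] {
		return ErrSilentDrop
	}
	// 2. r -> i: r's public key, its own nonce, and a signature over both nonces.
	nR := nonce()
	sigR := ed25519.Sign(r.priv, concat(nI, nR))
	// 3. i checks that r is whitelisted on its side and proved key possession.
	if !i.Allow[IDOf(r.Pub)] {
		return ErrSilentDrop
	}
	if !ed25519.Verify(r.Pub, concat(nI, nR), sigR) {
		return ErrBadProof
	}
	// 4. i -> r: signature over the nonces in the other order; r verifies it
	//    against the public key presented in step 1. A host that merely copied
	//    that public key (a stolen identity without the key) fails here.
	sigI := ed25519.Sign(i.priv, concat(nR, nI))
	if !ed25519.Verify(i.Pub, concat(nR, nI), sigI) {
		return ErrBadProof
	}
	return nil
}

func main() {
	hvac, bms, tech, intruder := NewHost("hvac-bldg-17"), NewHost("bms-server"), NewHost("field-tech"), NewHost("intruder")
	Trust(hvac, bms)
	Trust(hvac, tech)
	fmt.Println("bms -> hvac:        ", Handshake(bms, hvac))
	fmt.Println("intruder -> hvac:   ", Handshake(intruder, hvac))
	intruder.Allow[IDOf(hvac.Pub)] = true // the attacker controls its own side
	intruder.Pub = tech.Pub                // ... and presents the technician's public key
	fmt.Println("copied id -> hvac:  ", Handshake(intruder, hvac))
	Revoke(hvac, tech)
	fmt.Println("revoked tech -> hvac:", Handshake(tech, hvac))
}
```

Two things are worth noticing when running it. The intruder with its own keypair is refused before any reply is generated, so from its point of view the HVAC controller does not exist; the intruder holding a copied public key gets one reply and then fails at the proof step, because an identity here is a key, not a name or an address that can be typed in. Revoking the technician is a one-line whitelist change with no firewall rule, tunnel or certificate to chase.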
Onboarding New Buildings Fast and Cost-Effectively
The cost of deploying ID networking (IDN) was much less than their annual firewall and VPN maintenance cost. When they included the elimination of ongoing management costs and how quickly they could onboard new buildings, IDN was the clear winner.
Experience the same simplicity, security, and cost-savings