
Customer Needs

Replace firewalls and VPNs

Isolate building controls from unauthorized systems

Onboard buildings quickly

Segment remote access for predictive maintenance

Simple, non-disruptive network adds, moves, and changes

Enable network communication across any transport

Constraints

Transfer of building controls

Hundreds of buildings

Thousands of tenants

Shared local networks

No downtime

Large attack surface due to IoT

Results

Isolated and segmented building controls from tenants

Eliminated network attack surface

Onboard new buildings quickly and cost-effectively

BACnet is invisible and unreachable by all unauthorized systems

Segmented remote access to authorized systems only

Can add, move, and revoke network communication instantly

Dodging the Bullet

A high-end commercial real estate developer and property management firm with over 200 properties had experienced a breach of one building’s HVAC system, similar to what occurred at Target. Thankfully the breach did not target customer or other sensitive data, only that building's operation, but it did serve as a wake-up call for the CEO and Board.

Large Network Attack Vector

IT knew those systems could have been taken completely offline, affecting hundreds of tenants and their businesses, but the real exposure was even bigger. The same network and security infrastructure that had been breached at the one site was in use across all of their properties. They estimated that they had thousands of network attack vectors that could be exploited, from the buildings’ local area networks to the WAN and the Internet.

Ineffective Firewalling and Remote Access

The source of the breach was a publicly exposed VPN and stolen user credentials. Once the VPN session was accepted, terminated at the gateway and then forwarded, the hackers had access to the entire Building Automation Control network (BACnet). The commercial developer’s internal firewalls were configured to restrict access by specific address ranges, ports and Layer 7 inspection rules, but because none of those controls verify who is actually on the other end, the hackers were able to spoof and traverse them. They gained access to and control over several HVAC systems, disrupting operations.

Eliminate Complex and Error Prone Alternatives

Punching holes through firewalls and leaving site-to-site VPN connections open is undesirable but often necessary for temporary or continuous access. Managing firewall rule sets, VPN IPsec tunnels and certificate revocation is complex and prone to error. The same is true of attempting to segment with VLANs and ACLs and locking down ports. Managing this chain of complexity often sets security and networking teams up for failure and exposes organizations to tremendous business risk.

"IDN has transformed our environment from one that was complex, difficult to manage and could still be breached, to a network where only verified and authenticated systems can communicate with one another. By enabling and disabling trust relationships between machines it’s simple for us to control access and segmentation."

Director of Networking
U.S. Commercial Developer


They Can’t Hack What They Can’t Find or See

By fronting each HVAC system with a physical HIPswitch, their HVAC systems could no longer be seen or communicated with by non-trusted systems. A HIPswitch will only communicate with other whitelisted systems, which must authenticate and be authorized for network communication before transport can be established. All systems within the IDN are made invisible to hackers.

Universal Access from Anywhere

By deploying a HIPrelay for ID routing, remote communication between individual building controls and their servers in the datacenter became point-and-click simple. They eliminated the cost and vulnerabilities of the complexity chain, which accelerated their time to provision and de-provision resources on the network.

Remote access by technicians was also easily enabled and controlled, instead of opening pinholes in firewalls and managing IPsec tunnels. Today they grant segmented machine-to-machine access, not device-to-network access. Network communication is either allowed or denied based on the systems' cryptographic identity and mutual authentication between peers, not on addresses, ports, and certificates.
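To make the contrast concrete, here is an added illustration (not code from the case study or from the IDN product) of the two decision models: an address/port rule that a forged source address satisfies, beside an identity whitelist that only admits a peer who can answer a fresh challenge with the key behind its claimed identity. Host names, keys and the management range are constructed; HMAC over a shared key stands in for the public-key host identity that HIP actually uses.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample data (not from the case study): each host holds a long-term
# identity key, a stand-in for the cryptographic host identity HIP relies on.
IDENTITY_KEYS = {
    "hvac-bldg-17": b"constructed-key-hvac-17",
    "bas-server-dc": b"constructed-key-bas-server",
}
# Explicit trust relationships; any pair not listed cannot talk at all.
TRUST_PAIRS = {frozenset({"hvac-bldg-17", "bas-server-dc"})}

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # hypothetical management range
BACNET_PORT = 47808                              # BACnet/IP default UDP port


def acl_allows(src_ip: str, dst_port: int) -> bool:
    """Address/port rule of the kind the internal firewalls enforced.
    The source address is asserted by the sender, so a forged one passes."""
    return ipaddress.ip_address(src_ip) in MGMT_NET and dst_port == BACNET_PORT


def respond(identity: str, key: bytes, challenge: bytes) -> bytes:
    """A peer answers a challenge with the key behind its claimed identity."""
    return hmac.new(key, identity.encode() + challenge, hashlib.sha256).digest()


def verify(identity: str, challenge: bytes, proof: bytes) -> bool:
    """Accept only if the proof matches the whitelist's own key for that identity."""
    key = IDENTITY_KEYS.get(identity)
    if key is None:
        return False
    return hmac.compare_digest(respond(identity, key, challenge), proof)


def identity_allows(init: str, init_key: bytes, resp: str, resp_key: bytes) -> bool:
    """Identity-based decision: whitelisted pair AND mutual challenge/response.
    Addresses and ports play no part, so spoofing them gains nothing."""
    if frozenset({init, resp}) not in TRUST_PAIRS:
        return False
    c_init, c_resp = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side must answer the other's fresh challenge with its own key.
    return (verify(init, c_resp, respond(init, init_key, c_resp))
            and verify(resp, c_init, respond(resp, resp_key, c_init)))


def revoke(a: str, b: str) -> None:
    """Disable a trust relationship; transport between a and b is denied at once."""
    TRUST_PAIRS.discard(frozenset({a, b}))
```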

Onboarding New Buildings Fast and Cost-Effectively

The cost of deploying ID networking (IDN) was much less than their annual firewall and VPN maintenance cost. When they included the elimination of ongoing management costs and how quickly they could onboard new buildings, IDN was the clear winner.

Experience the same simplicity, security, and cost-savings