Cybersmart Buildings: Securing Your Investments in Connectivity and Automation
Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls
AIA Quality Assurance
The Building Commissioning Association is a Registered Provider with The American Institute of Architects Continuing Education Systems (AIA/CES). Credit(s) earned on completion of this program will be reported to AIA/CES for AIA members. Certificates of Completion for both AIA members and non-AIA members are available upon request.
This program is registered with AIA/CES for continuing professional education. As such, it does not include content that may be deemed or construed to be an approval or endorsement by the AIA of any material of construction or any method or manner of handling, using, distributing, or dealing in any material or product.
Questions related to specific materials, methods, and services will be addressed at the conclusion of this presentation.
Learning Objectives
1. List the applicable Federal and State cybersecurity standards that must be adhered to in the commissioning of new or retrofit building systems.
2. Describe the steps to become compliant with the applicable Federal and State building security standards.
3. Understand the underlying connectivity and automation value proposition for smart buildings.
4. Establish a realistic view of current threats and business risks associated with smart buildings, across both the private and public sectors.
Why are we here today?
Yesterday: Partial Connectivity
Today: Smart Buildings
Tomorrow: Smart Cities
BOTTOM LINE
1. All industries are making smart building investments (seeking reward)
2. Cyber incidents threaten the smart building value proposition
3. Cybersecurity must become a core tenet of building design and operations (to protect that investment)
BUILDINGS ARE EVOLVING
ON THE OUTSIDE, SMART, DATA-DRIVEN SOLUTIONS MAY NOT BE APPARENT.
BUT CONNECTIVITY IS CREATING VALUE FOR BUILDING OWNERS AND OPERATORS.
Infographic credit: Johnson Controls
CONNECTING OCCUPANTS TO SOLUTIONS
ACROSS INDUSTRIES, TECHNOLOGY IS REDEFINING HOW BUILDINGS AND OCCUPANTS INTERACT: SAVING ENERGY, INCREASING SECURITY AND OPTIMIZING OPERATIONS.
HEALTHCARE
• Real-Time Location Systems (RTLS)
• Critical temperature control
• Operating room environments
• Electronic record-keeping
• Integrated patient care
HIGHER EDUCATION
• Streaming video management
• Campus-wide system alerting
• Mobile-friendly presentation spaces
• Integrated class registration
• Optimized lighting
K-12 EDUCATION
• Smart whiteboards
• Optimized lighting
• HVAC, data-driven building management
• Space scheduling integration
• District-wide performance tracking
GOVERNMENT
• Access controls & physical security
• Energy management
• Sensitive environment monitoring
• Smart infrastructure
• Integrated asset tracking
TRANSPORTATION
• Real-Time Location Systems (RTLS)
• HVAC temperature control
• Physical security
• Passenger identification systems
• Arrival/departure prediction
COMMERCIAL BUILDINGS
• Access controls & physical security
• HVAC temperature control
• Energy management
• Real-time data analysis
• Meeting space optimization
INVESTMENT AT RISK
NEW VALUE PROPOSITION
• Automated Management
• Predictive Maintenance
• Energy Efficiency
• Asset Location Finding
CYBER RISKS
• Denial of Service Attack
• Vendor IoT Product Compromise
• Occupant Data Theft
• Hijack of Command & Control App
ANTICIPATED INVESTMENT BREAKS APART
SECURITY IMPERATIVE
§ Pervasive connectivity means more vulnerabilities across a larger attack surface
§ Many threat vectors can potentially harm connected infrastructure
§ Occupant health/safety and environment now depend on cybersecurity
FACING OUR CURRENT REALITY
SOURCES OF THREATS TO INDUSTRIAL COMPUTERS (chart; data not reproduced here)
Source: Kaspersky Lab ICS CERT, Threat Landscape for Industrial Automation Systems in the Second Half of 2016
RELEVANT CYBER INCIDENTS
LARGE INTERNET SEARCH PROVIDER: Researchers hacked the building control system of a key facility and were able to obtain command and control.
CHINESE HOTEL: A hacker infiltrated the hotel room automation system via Wi-Fi and established the ability to manipulate room control systems and steal customer data.
INTERNET DOMAIN NAME SYSTEM PROVIDER: The largest distributed denial-of-service (DDoS) attack to date used a massive number of compromised IoT devices to swarm its target and cause major internet outages.
REPORTED INDUSTRIAL CONTROL SYSTEM VULNERABILITIES (chart; data not reproduced here)
Source: ICS-CERT 2015 Annual Vulnerability Coordination Report
Evolving Guidance:
BUILDINGS NEED TO BE CYBERSMART
WHAT'S A CYBERSMART BUILDING? WHO PLAYS A ROLE?
1. Security by design for new buildings; retrofit options for established buildings
2. IT and operational technology (OT) assets are mapped and zoned for risk management
3. A vulnerability management function is in place for connected devices and infrastructure
4. Passive monitoring of critical assets to understand non-baseline anomalies (e.g., network scanning, controller re-flash)
5. A cyber incident response plan is developed and exercised by relevant stakeholders
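The following Python script is an added illustration of items 2 and 4 above (IT/OT assets mapped into zones, and passive monitoring of critical assets for non-baseline anomalies such as network scanning or a controller re-flash); it is not code from the presentation or from Johnson Controls. The asset inventory, zone names, permitted conduits, flow records and thresholds are all constructed, and the "large unbaselined transfer to a controller" heuristic for a re-flash is an assumption, because the real indicator is protocol- and vendor-specific. The only real-world constant is the BACnet/IP default port 47808.

```python
"""Passive baseline monitoring over a zoned IT/OT building network.

Added illustration, not code from the presentation or from Johnson Controls.
The asset inventory, zone names, flow records and thresholds are constructed;
the large-transfer heuristic for a controller re-flash is an assumption,
because the real indicator is protocol- and vendor-specific.
"""
from collections import defaultdict
from dataclasses import dataclass

BACNET_IP = 47808  # BACnet/IP default UDP port (0xBAC0)

# Constructed asset map: every device is tagged with the zone it lives in.
ASSET_ZONES = {
    "10.0.1.10": "it-corp",         # facilities workstation
    "10.0.1.20": "it-corp",         # laptop on the corporate LAN
    "10.0.2.5": "bms-server",       # building management server
    "10.0.3.11": "ot-controllers",  # HVAC controller
    "10.0.3.12": "ot-controllers",  # lighting controller
}
CRITICAL_ZONES = {"ot-controllers"}
# Only these zone-to-zone conduits may reach a critical zone (constructed policy).
ALLOWED_CONDUITS = {("bms-server", "ot-controllers")}


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent src -> dst


def learn_baseline(flows):
    """Conversations (src, dst, dport) seen during a trusted learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def detect(flows, baseline, scan_fanout=6, scan_window=10, reflash_bytes=256_000):
    """Return (kind, ts, src, dst, detail) alerts for flows that deviate from the
    zone policy or from the learned baseline."""
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, (dst, dport))] inside the scan window
    scan_reported = set()
    for f in sorted(flows, key=lambda x: x.ts):
        src_zone = ASSET_ZONES.get(f.src, "unknown")
        dst_zone = ASSET_ZONES.get(f.dst, "unknown")
        # Zone policy: only permitted conduits may reach a critical zone.
        if dst_zone in CRITICAL_ZONES and (src_zone, dst_zone) not in ALLOWED_CONDUITS:
            alerts.append(("zone-violation", f.ts, f.src, f.dst, f.dport))
        # Baseline: a conversation never seen in the learning window.
        if (f.src, f.dst, f.dport) not in baseline:
            alerts.append(("new-conversation", f.ts, f.src, f.dst, f.dport))
            # Heuristic (assumed): a large, unbaselined push to a controller
            # looks like a firmware image being written, even over an allowed conduit.
            if dst_zone in CRITICAL_ZONES and f.nbytes >= reflash_bytes:
                alerts.append(("possible-reflash", f.ts, f.src, f.dst, f.nbytes))
        # Scan fan-out: one source touching many distinct dst:port pairs quickly.
        recent[f.src] = [h for h in recent[f.src] if f.ts - h[0] <= scan_window]
        recent[f.src].append((f.ts, (f.dst, f.dport)))
        targets = {h[1] for h in recent[f.src]}
        if len(targets) >= scan_fanout and f.src not in scan_reported:
            scan_reported.add(f.src)
            alerts.append(("scan-fanout", f.ts, f.src, "*", len(targets)))
    return alerts


def summarize(alerts):
    """Alert count per kind."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a[0]] += 1
    return dict(counts)


# Constructed learning window: the BMS polls both controllers over BACnet/IP,
# and a facilities workstation talks to the BMS over HTTPS.
BASELINE_WINDOW = (
    [Flow(t, "10.0.2.5", "10.0.3.11", BACNET_IP, 180) for t in range(0, 60, 10)]
    + [Flow(t, "10.0.2.5", "10.0.3.12", BACNET_IP, 180) for t in range(0, 60, 10)]
    + [Flow(t, "10.0.1.10", "10.0.2.5", 443, 2400) for t in range(0, 60, 20)]
)

# Constructed live traffic: normal polling, a laptop port-sweeping the HVAC
# controller, then the BMS pushing 1.5 MB to the lighting controller over TFTP.
LIVE_FLOWS = (
    [Flow(100, "10.0.2.5", "10.0.3.11", BACNET_IP, 180),
     Flow(101, "10.0.1.10", "10.0.2.5", 443, 3000)]
    + [Flow(200 + i, "10.0.1.20", "10.0.3.11", p, 60)
       for i, p in enumerate([21, 22, 23, 80, 443, 502, BACNET_IP, 8080])]
    + [Flow(300, "10.0.2.5", "10.0.3.12", 69, 1_500_000)]
)

if __name__ == "__main__":
    found = detect(LIVE_FLOWS, learn_baseline(BASELINE_WINDOW))
    for a in found:
        print(a)
    print(summarize(found))
```

Two things the run makes visible that the bullets alone do not: the port sweep from the corporate laptop is caught twice over (it breaks the zone policy and it is absent from the baseline), while the TFTP push from the BMS to the lighting controller crosses an allowed conduit and is caught only by the baseline check. Zoning limits who can reach the controllers; passive baselining is what notices when an allowed party starts doing something new.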
Lifecycle Phase | Cyber Capabilities
Acquisition | Consider Security Requirements; Assess
Deployment | Build in Security
Operations & Maintenance | Update Regularly; Test, Monitor & Respond
KEY CONSIDERATIONS FOR TAKING ACTION
WHAT TO DO
1. Observe and orient around your specific challenge
2. Forget old silos: cybersecurity requires cross-functional teaming
3. Change the culture: speak up for cybersmart buildings
4. Build the right capabilities to enable, not hinder, smart building adoption
5. Finally, get operational
Jason Rosselot, CISSP
Director Product Cyber Security
Johnson Controls
[email protected]
www.johnsoncontrols.com/productsecurity
THANK YOU