Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls


Page 1

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls

Page 2

AIA Quality Assurance

The Building Commissioning Association is a Registered Provider with The American Institute of Architects Continuing Education Systems (AIA/CES). Credit(s) earned on completion of this program will be reported to AIA/CES for AIA members. Certificates of the Completion for both AIA members and non-AIA members are available upon request.

This program is registered with AIA/CES for continuing professional education. As such, it does not include content that may be deemed or construed to be an approval or endorsement by the AIA of any material of construction or any method or manner of handling, using, distributing, or dealing in any material or product.

Questions related to specific materials, methods, and services will be addressed at the conclusion of this presentation.


Page 3

Learning Objectives


1. List the applicable Federal and State cybersecurity standards that must be adhered to when commissioning new or retrofit building systems.

2. Describe the steps to become compliant with the applicable Federal and State building security standards.

3. Understand the underlying connectivity and automation value proposition for smart buildings.

4. Establish a realistic view of current threats and business risks associated with smart buildings, across both the private and public sectors.

Page 4

Why are we here today?


Yesterday: Partial Connectivity

Today: Smart Buildings

Tomorrow: Smart Cities

BOTTOM LINE

1. All industries are making smart building investments (seeking reward)

2. Cyber incidents threaten the smart building value proposition

3. Cybersecurity must become a core tenet of building design and operations (to guarantee that investment)

Page 5


BUILDINGS ARE EVOLVING

ON THE OUTSIDE, SMART, DATA-DRIVEN SOLUTIONS MAY NOT BE APPARENT.

BUT CONNECTIVITY IS CREATING VALUE FOR BUILDING OWNERS AND OPERATORS.

Infographic credit: Johnson Controls

Page 6


CONNECTING OCCUPANTS TO SOLUTIONS

ACROSS INDUSTRIES, TECHNOLOGY IS REDEFINING HOW BUILDINGS AND OCCUPANTS INTERACT – SAVING ENERGY, INCREASING SECURITY AND OPTIMIZING OPERATIONS.

HEALTHCARE
• Real-Time Location Systems (RTLS)
• Critical temperature control
• Operating room environments
• Electronic record-keeping
• Integrated patient care

HIGHER EDUCATION
• Streaming video management
• Campus-wide system alerting
• Mobile-friendly presentation spaces
• Integrated class registration
• Optimized lighting

K-12 EDUCATION
• Smart whiteboards
• Optimized lighting
• HVAC, data-driven building management
• Space scheduling integration
• District-wide performance tracking

GOVERNMENT
• Access controls & physical security
• Energy management
• Sensitive environment monitoring
• Smart infrastructure
• Integrated asset tracking

TRANSPORTATION
• Real-Time Location Systems (RTLS)
• HVAC temperature control
• Physical security
• Passenger identification systems
• Arrival/departure prediction

COMMERCIAL BUILDINGS
• Access controls & physical security
• HVAC temperature control
• Energy management
• Real-time data analysis
• Meeting space optimization

Page 7


INVESTMENT AT RISK

NEW VALUE PROPOSITION: Automated Management; Predictive Maintenance; Energy Efficiency; Asset Location Finding

CYBER RISKS: Denial of Service Attack; Vendor IoT Product Compromise; Occupant Data Theft; Hijack of Command & Control App

ANTICIPATED INVESTMENT BREAKS APART

SECURITY IMPERATIVE

§ Pervasive connectivity means more vulnerabilities across a larger attack surface

§ Many threat vectors can potentially harm connected infrastructure

§ Occupant health/safety and environment now depend on cybersecurity

Page 8


FACING OUR CURRENT REALITY

Chart: SOURCES OF THREATS TO INDUSTRIAL COMPUTERS
Source: Kaspersky Lab ICS CERT, Threat Landscape for Industrial Automation Systems in the Second Half of 2016

RELEVANT CYBER INCIDENTS

LARGE INTERNET SEARCH PROVIDER: Researchers hack building control system of key facility; able to obtain command and control

CHINESE HOTEL: Hacker infiltrated hotel room automation system via WiFi; established ability to manipulate room control systems and steal customer data

INTERNET DOMAIN NAME SYSTEM PROVIDER: Largest distributed denial-of-service (DDoS) attack in history uses massive number of compromised IoT devices to swarm its target and cause major internet outages

Chart: REPORTED INDUSTRIAL CONTROL SYSTEM VULNERABILITIES
Source: ICS-CERT 2015 Annual Vulnerability Coordination Report

Page 9


Evolving Guidance:

BUILDINGS NEED TO BE CYBERSMART

1. Security by design for new buildings; retrofit options for established buildings

2. IT and operational technology (OT) assets are mapped and zoned for risk management

3. Vulnerability management function in place for connected devices and infrastructure

4. Passive monitoring for critical assets to understand non-baseline anomalies (e.g., network scanning, controller re-flash)

5. Cyber incident response plan is developed and exercised by relevant stakeholders

WHAT'S A CYBERSMART BUILDING? WHO PLAYS A ROLE?
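As an added illustration of practice 4 (passive monitoring for non-baseline anomalies), not code from the presentation or from Johnson Controls: a small Python detector learns which hosts normally talk to which controllers from a quiet period of constructed flow records, then flags a host that contacts several unknown controllers within one minute (the scanning pattern) and any re-flash action from a host that was never baselined doing it. The record format, action names and threshold are assumptions for illustration.

```python
"""Passive baseline-and-anomaly detection over constructed building-network records."""
from collections import defaultdict

# Actions that reprogram a controller (assumed names; a real deployment maps
# these to the protocol's actual message types, e.g. BACnet ReinitializeDevice).
REFLASH_ACTIONS = {"firmwareUpdate", "reinitializeDevice"}
SCAN_THRESHOLD = 3  # distinct never-seen destinations from one source in one minute

# Constructed records: (minute, source host, destination controller, action)
BASELINE_LOG = [
    ("08:00", "bms-server", "ahu-1", "readProperty"),
    ("08:01", "bms-server", "ahu-2", "readProperty"),
    ("08:02", "bms-server", "vav-7", "writeProperty"),
    ("08:05", "hmi-lobby", "ahu-1", "readProperty"),
]
LIVE_LOG = [
    ("12:00", "bms-server", "ahu-1", "readProperty"),    # normal
    ("12:01", "laptop-3f", "ahu-1", "whoIs"),            # unknown host sweeps
    ("12:01", "laptop-3f", "ahu-2", "whoIs"),            # three controllers
    ("12:01", "laptop-3f", "vav-7", "whoIs"),            # in one minute
    ("12:04", "laptop-3f", "ahu-2", "firmwareUpdate"),   # re-flash by unknown host
    ("12:06", "bms-server", "vav-7", "readProperty"),    # known pair, new action
]

def learn_baseline(records):
    """Collect every (source, destination, action) triple seen in a quiet period."""
    return {(src, dst, act) for _, src, dst, act in records}

def detect_anomalies(baseline, records):
    """Return (kind, source, detail) alerts for activity outside the baseline."""
    known_pairs = {(src, dst) for src, dst, _ in baseline}
    alerts = []
    new_targets = defaultdict(set)  # (minute, source) -> unseen destinations
    for minute, src, dst, act in records:
        if (src, dst, act) in baseline:
            continue  # exactly what this host does every day
        if act in REFLASH_ACTIONS:
            alerts.append(("controller-reflash", src, f"{act} -> {dst}"))
        if (src, dst) not in known_pairs:
            new_targets[(minute, src)].add(dst)
    for (minute, src), dsts in new_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append(("network-scan", src, f"{len(dsts)} new controllers at {minute}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(learn_baseline(BASELINE_LOG), LIVE_LOG):
        print(alert)
```

The known pair reading a new property at 12:06 is deliberately not alerted, which keeps a simple baseline from drowning operators in noise.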

Page 10


Lifecycle Phase: Cyber Capabilities

Acquisition: Consider Security Requirements; Assess

Deployment: Build in Security

Operations & Maintenance: Update Regularly; Test, Monitor, & Respond

KEY CONSIDERATIONS FOR TAKING ACTION

1. Observe and orient around your specific challenge

2. Forget old silos — cybersecurity requires cross-functional teaming

3. Change the culture — speak up for cybersmart buildings

4. Build the right capabilities to enable – not hinder – smart building adoption

5. Finally, get operational

WHAT TO DO

Page 11

Jason Rosselot, CISSP
Director Product Cyber Security
Johnson Controls
[email protected]

www.johnsoncontrols.com/productsecurity

THANK YOU