The Internet of Things : Managing Risk & Reward

By E. Mitchell Swann, PE

A hot topic in the industry today is the “Internet of Things” (IoT).  The IoT is the use of “smart” devices, transmitters and systems to facilitate the real time transmission of information, control of equipment and optimized operation of systems; often including or via some Internet-based communication network.  The objective is to make the information available anywhere, easily and in real time to improve decision making and operations.  Information is collected by the devices and transmitted via a wireless network to a centralized and/or cloud-based “head end” and control commands are sent back via the same system.  The IoT has been enabled by advances in the miniaturization of computer processing power, the development of interoperable communications and processing platforms and the growing ubiquity of high-speed, wireless, broadband networks.  That’s the stuff that puts your email on your smartphone.

In 2013 the Global Standards Initiative on Internet of Things (IoT-GSI) defined the IoT as “the infrastructure of the information society.”1

While the term IoT and its applications can be very broad, the focus here is on the ‘built environment’ – smart cities, smart grids, smart buildings, smart homes and smart systems.  Since each ‘thing’ has its own embedded computing system, each thing is uniquely identifiable and addressable through the network and can also communicate with other things on that network.  Gartner, Inc, a leading technology research and analysis firm, estimates that there will be more than 20.8 billion “things” in the IoT by 2020. 2   Current device estimates hover around 6.4 billion in network.

If you have a remotely programmable “learning” thermostat for your home or a security system which can be monitored, armed and disarmed from your mobile, then you are a part of the IoT.  The IoT has created the opportunity to greatly expand the reach, enhance flexibility, increase real time knowledge and amplify productivity by connecting and integrating what were once ‘closed’ and isolated systems via the internet.  But it also opens up these systems to the wild, wild world of the world wide web – and we know what can go on in that rodeo.  What security considerations and concerns should be on your mind as you move to ‘the next step?’

As pointed out above, there are some clear benefits to moving to a wireless, IoT base for control, reporting and monitoring systems.  The ability to capture, transfer, analyze and respond to data on operations, alarms or other critical parameters is extremely valuable in today’s critical path world.  In many instances, there is so much data that the ‘bottleneck’ can be the decision tree that the people go through once bombarded with all that information.  If devices and systems can be made to ‘learn’ and make some level of decisions, themselves, it allows for a more responsive – even anticipatory system. And that should pay dividends.

A little background on how we got here might be helpful.

In the early to mid-80s the building control systems’ world – often referred to as “ATC” or ‘Automatic Temperature Controls’ – began to move to “DDC”, meaning ‘distributed’ or ‘direct’ digital control.  With the advent of more reasonably priced computers and IT systems, software and services, DDC systems began to migrate from the very high-end industrial sector to the commercial buildings sector.  As ATC morphed into DDC technology and systems began to monitor and control more than just traditional ‘temperature & humidity’, the broader term of “Building Automation Systems, or “BAS”, became more popular.  Initially, these systems were often ‘stand alone’ and isolated from each other and any communication between them was a ‘hard wired’ affair.  With the development of common or open protocol communications platforms, the systems became more integrated and operational ‘responsiveness’ was enhanced.

As a natural companion to the advances in computer, network and communications technology, it is only logical that BAS systems also became web-connected, then, like everything else, wireless too. They are now moving to internet enabled, semi-autonomous and “learning, or ‘smart’ devices.

One of the burgeoning areas in which IoT technologies can be seen and felt is in the arena of high-performance buildings (HPB).  HPB’s have as their core objectives to provide improved indoor environmental quality (IEQ) 3 , greater operating efficiency, ‘real time’ performance tracking and enhanced resiliency.  HPBs demand, and often require energy and resource performance monitoring as a key part of their ‘charge’.  Demand Response Management systems where a facility or campus operator is looking to shed or reduce electrical load to achieve energy cost savings in response to real time power pricing is an area where accurate predictive data is essential and the certainty of a system’s response to commands is crucial.  To achieve high performance you need to know what’s going on and when and how to look ahead to optimize that performance.  Wireless devices have the advantage of flexibility, adaptability and safety in hazardous environments that can cost considerably more to achieve with hard wired devices.  Smart sensors and controls make that possible.

But there are some things to seriously ponder when looking at IoT configurations.  Since many of the systems will use the Internet for data transmission, you need to be very, very mindful of the security of your data and the rigor of your network.  Cyber risks associated with unauthorized hacks can result in the removal\resetting of alarm notifications and set-points; driving a piece of equipment to operate in an unsafe, uncontrolled or unwarranted conditions.  The risks exposed under this scenario can be far reaching and catastrophic.

One of the primary concerns is an obvious one – attack of an IoT system from outside via the Internet.  Security considerations for internet enabled control systems and devices need to be thought of in the same manner that you would think of the IT system running your business.  One often overlooked weakness is that many legacy control systems were not configured to defend themselves against today’s hack attacks.  They can create vulnerabilities in networks that are easily overlooked since their software is resident to the device.

These types of breaches can come in two ways: a hack into the system via some internet exposed portal (think Google Australia’s Tridium system hack – 2013), an imported virus via some data media brought in either by a disgruntled employee or inadvertently (think “StuxNet”).

Another crucial, but often less considered, situation is that the building systems IoT can create an access pathway for a hack to send confidential business information out of an enterprise.  Target’s major breach of customer account data occurred because of an HVAC service contractors’ upload of system software for energy monitoring across multiple stores.  What resulted was a massive amount of data concerning customers, credit cards, PINs and credit accounts was pushed out to nefarious minds at work.  The energy monitoring system served only as an open doorway into the larger system.  So the question begging is what to do with your building system if you want your building system to engage the ‘net?

First and foremost, you need to actively think of your BAS network as akin to your other business IT networks.  It needs to have an overarching security philosophy defined at the start – at the ‘top’ of the system – even though the BAS may not be the ‘top’ of your enterprise’s IT system.  As you develop strategies appropriate for each level or portion of the network, you need to assess how your overall strategy translates to the BAS and related networks.  To try to stick security measures onto a system after it has been designed – like a Mr. Potato Head game – will probably result in some critical gap in thinking or protection capability.

Secondly, you should take some serious time to reflect upon and ascertain the real business efficacy of interconnecting certain systems.  In the Target matter, it seems that the access from the energy monitoring and reporting system to the point-of-sale control system was created by a desire to have easy access to energy use info and business info from a shared enterprise platform – convenience was the driver.  Some systems don’t really need to see or communicate with other systems or their communication is so infrequent that it might make sense to have that under human control at all times.  Think through the upsides and the downsides.

Lastly, personnel management is key. Even the most secure systems can be breached if members of the operating personnel team are not careful or have malicious intent.  Poor password management is also a common weakness which can open a back door to your system.  Stolen or compromised passwords and credentials are a leading cause of network penetrations.  Developing a routine security audit program to assess password and credential access vulnerabilities is also a value added step.

There are an expanding and refining group of industry guidelines which can help to establish an organization’s thinking about cyber security for building systems and provide the mental ‘ticklers list’ to make sure that you have at least considered the possibilities and probabilities of connecting online.

Some useful references:

• ISO/IEC 27001/02 – Information technology – Security techniques – Information security management systems
• ISA/IEC 62443 – Industrial Network and System Security (formerly ISA 99)
• NISTIR 7628, Revision 1 (3 Volumes) – Guidelines for Smart Grid Cybersecurity, September 2014
• “Penetration testing a building automation system. Is your ‘smart office’ creating backdoors for hackers?” – IBM X-Force, published February 2016

————————————
Footnotes:

1. Internet of Things Global Standards Initiative – http://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx
2. http://www.gartner.com/newsroom/id/3165317
3. Indoor Environmental Quality (IEQ) encompasses the conditions inside a building and their effects on the occupants of that building.  IEQ functions can include any or all of the following parameters: air quality, lighting, thermal conditions, ergonomics, noise and vibration.  http://www.usgbc.org/articles/green-building-101-what-indoor-environmental-quality