Jun 21, 2021

A simple building system—yes, lighting—can be the gateway to an IoT security crisis. Better industry standards can help avert disaster

By Michael Skurla

Don't Be A TargetIt is an odd time to be talking of 2013, but the timing couldn’t be more apt. Between November 27 and December 18, 2013, one of the most significant financial data breaches in U.S. retail history occurred when Target Corp. had somewhere in the range of 40 million credit card and debit card numbers stolen along with a host of other personal records. Though not the most significant in size and scope for retail, the Target breach brought to the forefront, through their transparency and subsequent investigations, the risks associated with building systems and integration solutions. At the heart of it was the overall risk of connected business I.T. (Information Technology) and building O.T. (operational technology). The incident led to what was the largest effort by any retailer to reanalyze their security parameters and set standards that still would be considered a gold standard in retail.

The incident should have been a wake-up call to more than just retail. The “surface vector” of attack (or in more human terms, the point of initial penetration that led to a cascading of events and eventual loss of all the personal and credit card data) was that of stolen credentials related to a mechanical firm that had access to the system for remote management and monitoring integration. Reports suggest the credentials were obtained through a rudimentary email phishing scheme. Hence, a low-tech means of entry led to a high-tech problem. Years of investigations into this breach uncovered that several failures existed at the time that led to this incident.

The now heavily productized term “IoT” was in its infancy in 2013, yet each one of these buckets stands the test of time in the age of IoT proliferation. A basic tenant of security design is to keep the attack surface small to limit the potential for unanticipated interactions (Sunil Cheruvu, 2020). By nature, IoT spreads this surface potential far and wider than was ever thought possible back in 2013. In its current state, IoT security is nebulous, undefined and often mysterious, but things are rapidly changing as IoT is the ripest vector for future attacks in all vertical markets given its exponential growth.

In the case of lighting, and its other building counterparts in the energy space, everything is now on the wire. Connectivity of building systems and solutions brings efficiency, automation, sustainability, management and convenience that we as humans have all grown accustomed to and now expect. The question remains how manufacturers can offer these vital cross-connected experiences without introducing security vectors for exploitation. Though security can be a deep topic, practices are emerging, and the manufacturers of building equipment are on the hook through legislation and simple responsibility to be a part of the solution.

To better manage the conveniences (and debatable necessity) of always-on connectivity and integration, building automation has moved to the “edge.” The term “edge” is often misunderstood; though it is heavily used in the I.T. space, it has not become as prevalent in the electronics and building community. In the I.T. world, the edge means something out in the field. It can be an entire building, shelter, or location in a network of other buildings, shelters, or locations that are often interconnected by networked means. Though in our context as a manufacturer of equipment, the term “edge device” is more prevalent. This could be a motion sensor, thermostat or light sensor to name just a few. At its lowest level, it’s a hardware device out there somewhere, but most importantly it is connected in this new world order by some digital means.

To further this definition, an “edge system” is typically what we would refer to as a building subsystem, or a digitally connected trade in the building. A Wi-Fi network in a building is an edge system, as is a networked lighting system, or an HVAC system controlled by a BMS. There can be dozens of edge systems in a building—all of them are talking and sometimes bridging communications to other systems or the outside world. The edge system approach, however, is not completely clean. IoT has added devices to this mix that often are shared, or don’t fit into just one edge system. As sensors become Ethernet devices and sit on the TCP/IP stack with these edge systems, our surface area of attack grows.

In the current state of affairs in commercial buildings, we use a significant amount of Fieldbus protocols to connect things. Modbus, BacNet, DALI and the like. These Fieldbus protocols typically route to controllers that convert them into TCP/IP allowing communication to other systems or the outside world. Typically, devices on Fieldbus protocols are static, in so much as they are disconnected from the outside (except through the controller) and are rarely upgraded. However, the controllers they connect to function like gateways to the outside world, again further opening the surface area of an attack.

Taken from a security perspective, we have two ideations of solutions here that are assimilating over time into one: “brownfield” technologies relying on historic Fieldbus protocols, and “greenfield” technologies that have emerged and are backed by I.T. standards in the IoT space. Both, given the desire of communication, must speak to each other and likely to the outside world safely and securely. Daunting? Not as much as it seems, given the I.T. space has been working on this for decades.

There is clearly a tension between brownfield and greenfield solutions (Sunil Cheruvu, 2020), but this is also where IoT frameworks and platforms play an important emerging role in the combination of the two as a necessity. Greenfield devices and the associated gateways from brownfield solutions (existing or new) are the future of IoT, and the most serious vector for an attack. To date, little standardization has occurred at this level for security, however, this is changing rapidly.

In September 2018, California passed Bill SB-327 into law that addresses information privacy specifically pertaining to connected devices. Though subject to some debate, the law was a first step in defining a connected device as “any device, or other physical object that can connect to the internet, directly, or indirectly, and that is assigned an internet protocol address or Bluetooth address.” The bill requires manufacturers of connected devices to do away with default passwords that are often unchanged. The California legislation was clearly targeted at general IoT devices like smart locks and security cameras; however, the scope extends far beyond this into commercial systems, healthcare, and even automotive. SB-327 went into effect January 1, 2020 (Vigderman, 2020).

More recently, last December, the IoT Cybersecurity Improvement Act of 2020 was signed into law (US HR1668). Though geared toward federal government agencies, the bill requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on the appropriate use and management of IoT devices controlled by any U.S. government agency. As part of the signed bill, following development of the standard (and to be clear, NIST hasn’t done this yet), any federal agency would be prohibited from procuring, obtaining or using IoT devices if it is determined they do not meet the new standard. Given the proliferation of IoT devices, this NIST standard will have long ranging impacts on the development criteria of all types of devices and IoT solutions, and will have a meaningful impact in the lighting space within PoE lighting, networked lighting systems, and realistically any controller connecting to an I.T. or O.T. network.

Given what has emerged from the I.T. space, we can expect to see at least the following requirements emerge as a minimum from the NIST standard:

When I first started in lighting, the concept of networks was foreign. As with everything else, technology advanced, and networks became a staple, though often these networks were industry (brownfield) networks—DALI, DMX and the like. In the mid-2000s, particularly in entertainment lighting, Ethernet came into the picture. Yet these networks were highly isolated and air-gapped from other networks. A completely different network infrastructure was built. In fact, I.T. organizations wanted nothing to do with them. This proved to be shortsighted as connecting two networks only took a short patch cord, and suddenly you had a cross-connected mess and pretty tangible security. (VLANs have mostly eliminated the necessity of air gapped networks in practice.)

A shift has certainly occurred where I.T. and O.T. are fundamentally intertwined, and for good reason. Only by connecting systems is it possible to gain real insight into operation. The I.T. industry brings years of innovation in standards and capabilities of security that make this interweaving possible—safely and manageably. Far from a facility manager having to manage their own network, I.T. organizations are better equipped to secure and manage these networks in totality. Yet this drives different practices at the subsystem level, and interaction with I.T. resources far earlier in the design and implementation phase of projects. This has already changed how things like lighting systems and HVAC systems are deployed but will continue to evolve with the emerging standards.

Things are changing for the built world, and I.T. technologies driven by IoT are the path the world is on. Regulation is now catching up with the times, and it is in the best interest of our industry as a whole, even in the name of mitigated risk, to take steps to not be the next targeted vector in the news.

References
116th U.S. Congress. (2020, 12 4). trackbill.com. Retrieved from trackbill.com: https://trackbill.com/bill/us-congress-house-bill-
1668-iot-cybersecurity-improvement-act-of-2020/1723165/

Entech. (2019, 5 1). Anatomy of a data breach – what we learned from Target. Retrieved from entechus.com: https://www.entechus.com/resources/anatomy-of-a-data-breach-what-we-learned-fromtarget

Sunil Cheruvu, A. K. (2020). Demystifying Internet of Things Security ((Creative Commons Attribution 4.0) http://creativecommons.org/licenses/by/4.0/). New York: apressOpen.

Vigderman, A. (2020, 12 2). https://www.security.org/blog/california-passes-first-cybersecurity-law-iot/. Retrieved from security.org:
https://www.security.org/blog/california-passes-first-cybersecuritylaw-iot/

Contributor(s)

Michael Skurla

Michael C. Skurla

Michael C. Skurla, Member IES, is the chief technology officer of Radix IoT, LLC—a commercial IoT platform offering monitoring and management multisite infrastructure ranging from smart buildings to telecommunications. He has over two decades of experience in control... More info »