Don’t be a Target

June 21, 2021

A simple building system—yes, lighting—can be the gateway to an IoT security crisis. Better industry standards can help avert disaster

By Michael Skurla

Don't Be A TargetIt is an odd time to be talking of 2013, but the timing couldn’t be more apt. Between November 27 and December 18, 2013, one of the most significant financial data breaches in U.S. retail history occurred when Target Corp. had somewhere in the range of 40 million credit card and debit card numbers stolen along with a host of other personal records. Though not the most significant in size and scope for retail, the Target breach brought to the forefront, through their transparency and subsequent investigations, the risks associated with building systems and integration solutions. At the heart of it was the overall risk of connected business I.T. (Information Technology) and building O.T. (operational technology). The incident led to what was the largest effort by any retailer to reanalyze their security parameters and set standards that still would be considered a gold standard in retail.

The incident should have been a wake-up call to more than just retail. The “surface vector” of attack (or in more human terms, the point of initial penetration that led to a cascading of events and eventual loss of all the personal and credit card data) was that of stolen credentials related to a mechanical firm that had access to the system for remote management and monitoring integration. Reports suggest the credentials were obtained through a rudimentary email phishing scheme. Hence, a low-tech means of entry led to a high-tech problem. Years of investigations into this breach uncovered that several failures existed at the time that led to this incident.

  • Improper network segmentation
  • Poor credentialling of edge device security policies and capabilities
  • Improper or inadequate training of employees about supply chain security

The now heavily productized term “IoT” was in its infancy in 2013, yet each one of these buckets stands the test of time in the age of IoT proliferation. A basic tenant of security design is to keep the attack surface small to limit the potential for unanticipated interactions (Sunil Cheruvu, 2020). By nature, IoT spreads this surface potential far and wider than was ever thought possible back in 2013. In its current state, IoT security is nebulous, undefined and often mysterious, but things are rapidly changing as IoT is the ripest vector for future attacks in all vertical markets given its exponential growth.

In the case of lighting, and its other building counterparts in the energy space, everything is now on the wire. Connectivity of building systems and solutions brings efficiency, automation, sustainability, management and convenience that we as humans have all grown accustomed to and now expect. The question remains how manufacturers can offer these vital cross-connected experiences without introducing security vectors for exploitation. Though security can be a deep topic, practices are emerging, and the manufacturers of building equipment are on the hook through legislation and simple responsibility to be a part of the solution.

To better manage the conveniences (and debatable necessity) of always-on connectivity and integration, building automation has moved to the “edge.” The term “edge” is often misunderstood; though it is heavily used in the I.T. space, it has not become as prevalent in the electronics and building community. In the I.T. world, the edge means something out in the field. It can be an entire building, shelter, or location in a network of other buildings, shelters, or locations that are often interconnected by networked means. Though in our context as a manufacturer of equipment, the term “edge device” is more prevalent. This could be a motion sensor, thermostat or light sensor to name just a few. At its lowest level, it’s a hardware device out there somewhere, but most importantly it is connected in this new world order by some digital means.

To further this definition, an “edge system” is typically what we would refer to as a building subsystem, or a digitally connected trade in the building. A Wi-Fi network in a building is an edge system, as is a networked lighting system, or an HVAC system controlled by a BMS. There can be dozens of edge systems in a building—all of them are talking and sometimes bridging communications to other systems or the outside world. The edge system approach, however, is not completely clean. IoT has added devices to this mix that often are shared, or don’t fit into just one edge system. As sensors become Ethernet devices and sit on the TCP/IP stack with these edge systems, our surface area of attack grows.

In the current state of affairs in commercial buildings, we use a significant amount of Fieldbus protocols to connect things. Modbus, BacNet, DALI and the like. These Fieldbus protocols typically route to controllers that convert them into TCP/IP allowing communication to other systems or the outside world. Typically, devices on Fieldbus protocols are static, in so much as they are disconnected from the outside (except through the controller) and are rarely upgraded. However, the controllers they connect to function like gateways to the outside world, again further opening the surface area of an attack.

Taken from a security perspective, we have two ideations of solutions here that are assimilating over time into one: “brownfield” technologies relying on historic Fieldbus protocols, and “greenfield” technologies that have emerged and are backed by I.T. standards in the IoT space. Both, given the desire of communication, must speak to each other and likely to the outside world safely and securely. Daunting? Not as much as it seems, given the I.T. space has been working on this for decades.

There is clearly a tension between brownfield and greenfield solutions (Sunil Cheruvu, 2020), but this is also where IoT frameworks and platforms play an important emerging role in the combination of the two as a necessity. Greenfield devices and the associated gateways from brownfield solutions (existing or new) are the future of IoT, and the most serious vector for an attack. To date, little standardization has occurred at this level for security, however, this is changing rapidly.

In September 2018, California passed Bill SB-327 into law that addresses information privacy specifically pertaining to connected devices. Though subject to some debate, the law was a first step in defining a connected device as “any device, or other physical object that can connect to the internet, directly, or indirectly, and that is assigned an internet protocol address or Bluetooth address.” The bill requires manufacturers of connected devices to do away with default passwords that are often unchanged. The California legislation was clearly targeted at general IoT devices like smart locks and security cameras; however, the scope extends far beyond this into commercial systems, healthcare, and even automotive. SB-327 went into effect January 1, 2020 (Vigderman, 2020).

More recently, last December, the IoT Cybersecurity Improvement Act of 2020 was signed into law (US HR1668). Though geared toward federal government agencies, the bill requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on the appropriate use and management of IoT devices controlled by any U.S. government agency. As part of the signed bill, following development of the standard (and to be clear, NIST hasn’t done this yet), any federal agency would be prohibited from procuring, obtaining or using IoT devices if it is determined they do not meet the new standard. Given the proliferation of IoT devices, this NIST standard will have long ranging impacts on the development criteria of all types of devices and IoT solutions, and will have a meaningful impact in the lighting space within PoE lighting, networked lighting systems, and realistically any controller connecting to an I.T. or O.T. network.

Given what has emerged from the I.T. space, we can expect to see at least the following requirements emerge as a minimum from the NIST standard:

  • Physical security–including but not limited to administrative ports, will be heavily scrutinized, down to USB ports and their intent. This also will have consequences on supply chain traceability (what is that chip doing, and how is it communicating to what?).
  • Data classification–what data and interactions are considered “trusted” by devices to a network and how does a trusted relationship exist with other devices and systems. Trusted relationships allow privileged interactions, changes and richer datasets. It’s easy for a manufacturer to say all data should be “trusted” and not allow others to access anything, but this drives proprietary, something the market will not bear, and breaks the clear advantages of synergy between systems. There is a place for “untrusted” data interactions between disburse systems and devices in different scopes. This can come as data that is not considered privileged (e.g., the BMS system may not be trusted to change the dimming curve of a driver, but it would be beneficial for the driver to expose the energy consumption to allow the BMS to be an untrusted user of data).
  • Secure hardware booting–the ability for devices to boot up, but verify they are booting from an authentic image, and still be upgradable from authentic sources for patches and enhancements.
  • Network management–running only secure protocols (at a minimum secure socket layer, [SSL] encryption to and from devices), with ports open only for the services required with trusted authentication and ample encryption.
  • Credential management of subsystems—through services such as LDAP or OAUTH allowing more secure management of user rights, and authentication from centralized systems as part of a master I.T. security policy framework.
  • Standard practice mechanisms for networking professionals—to manage and monitor equipment without proprietary software packages (SNMP and the like).

When I first started in lighting, the concept of networks was foreign. As with everything else, technology advanced, and networks became a staple, though often these networks were industry (brownfield) networks—DALI, DMX and the like. In the mid-2000s, particularly in entertainment lighting, Ethernet came into the picture. Yet these networks were highly isolated and air-gapped from other networks. A completely different network infrastructure was built. In fact, I.T. organizations wanted nothing to do with them. This proved to be shortsighted as connecting two networks only took a short patch cord, and suddenly you had a cross-connected mess and pretty tangible security. (VLANs have mostly eliminated the necessity of air gapped networks in practice.)

A shift has certainly occurred where I.T. and O.T. are fundamentally intertwined, and for good reason. Only by connecting systems is it possible to gain real insight into operation. The I.T. industry brings years of innovation in standards and capabilities of security that make this interweaving possible—safely and manageably. Far from a facility manager having to manage their own network, I.T. organizations are better equipped to secure and manage these networks in totality. Yet this drives different practices at the subsystem level, and interaction with I.T. resources far earlier in the design and implementation phase of projects. This has already changed how things like lighting systems and HVAC systems are deployed but will continue to evolve with the emerging standards.

Things are changing for the built world, and I.T. technologies driven by IoT are the path the world is on. Regulation is now catching up with the times, and it is in the best interest of our industry as a whole, even in the name of mitigated risk, to take steps to not be the next targeted vector in the news.

References
116th U.S. Congress. (2020, 12 4). trackbill.com. Retrieved from trackbill.com: https://trackbill.com/bill/us-congress-house-bill-
1668-iot-cybersecurity-improvement-act-of-2020/1723165/

Entech. (2019, 5 1). Anatomy of a data breach – what we learned from Target. Retrieved from entechus.com: https://www.entechus.com/resources/anatomy-of-a-data-breach-what-we-learned-fromtarget

Sunil Cheruvu, A. K. (2020). Demystifying Internet of Things Security ((Creative Commons Attribution 4.0) http://creativecommons.org/licenses/by/4.0/). New York: apressOpen.

Vigderman, A. (2020, 12 2). https://www.security.org/blog/california-passes-first-cybersecurity-law-iot/. Retrieved from security.org:
https://www.security.org/blog/california-passes-first-cybersecuritylaw-iot/