Smart cities and critical infrastructure both face major cybersecurity-related challenges. Today’s rapid adoption of IoT technologies, the convergence of IT and OT environments, drive toward ubiquitous connectivity, and resource constraints are all major challenges when it comes to implementing a good cybersecurity program for smart cities and infrastructure. The 2019 ARC Industry Forum in Orlando, Florida featured a dedicated track on smart cities and infrastructure. Here, end-users shared their experiences in justifying and implementing smart building cybersecurity.
Developing an Effective Cybersecurity Strategy for Smart Buildings
Khanh Nguyen, Vice President, IT-Enterprise Applications at Kilroy Realty Corporation, discussed the development of his company’s cybersecurity strategy for monitoring and controlling its many connected and intelligent buildings. The big push to adopt IoT and remote connectivity resulted in many connected buildings with remote access, but these remote connections were not always secure.
Building automation systems are also frequently left exposed and, historically, have been a vector for cyber-attacks where the attacker gains entry to a building automation system and then uses that to move to the corporate network. The attack on the Target Corporation several years ago was executed in a similar manner. In addition to these technology-oriented issues, cybersecurity policy was not standardized or enforced. This resulted in the use of default credentials and ports, as well as other issues.
Vendor Selection a Challenge
Kilroy executed a search for good partners to help it execute its plan. The company’s three-pronged strategy for evaluating partners was based on organizational, technical, and policy/legal criteria. Kilroy had to find a vendor with experience in facilities and asset management, but also realized it had to make its own internal organizational changes.
Reorganization and New Roles Required at the OT Level
These organizational changes included establishing an operational technology cybersecurity role, something that many end user organizations in the building automation sector lack. The OT role also needed IT skills and facilities knowledge and would reside at the level of the corporate IT department.
Kilroy wanted to adopt a standardized approach to technology and architecture that leveraged the IoT and would enable a future path to data analytics and edge intelligence. The company applied this same philosophy when selecting its cybersecurity vendor, IoTium, which provides secure mass deployment of IoT technologies that also allows for continuous monitoring and centralization of user access and provisioning.