New Facilities Promise ‘Smart’ Tech – But Can They Keep Hackers Out?
Starting from scratch can be quite liberating.
Usually, injecting new technology into Federal agencies means finding a way to retrofit existing systems and structures. Compromise is the order of the day. But every now and then comes an opportunity to start entirely from scratch, to build an entirely new structure and fill it with the latest technology, from its operational systems to its information architecture.
That was the case two years ago when the Coast Guard built its new headquarters. And it will be the case soon with the rest of the Department of Homeland Security and the new FBI headquarters, wherever it ends up relocating from its 1970s-era office block in downtown Washington, D.C.
“Bringing everything into one platform at one command center – this is a chance to go in and do this from the ground up,” said Timothy Alexander, director of program management for Tyco Integrated Security in Washington. He spent more than 26 years in government security, the last five as chief of the physical security division in the Department of Homeland Security’s Office of Security. He has seen the “Frankenstein” networks, the labyrinth of old and new solutions, each for a different function – security, building automation systems, fire, and safety – and each using proprietary protocols.
The patchwork approach and the emergence of what is now called the Internet of Things (IoT) – digitally controlled building systems ranging from air conditioning to security cameras and other sensors – opened up new security vulnerabilities as these systems hooked into existing networks.
Indeed, weak security on control systems drove the General Accountability Office (GAO) to report earlier this year that nearly 9,000 Federal buildings and associated networks are sitting ducks for cyber intrusions.
Dragging Building Security Into Future
Fred Gordy, chairman of the InsideIQ Building Automation Alliance, moved into the controls industry in 2000. “At the time, whether it be government business or commercial, when a control system would go up, it was ‘security in obscurity;’ nobody else cared about it,” he said. As building controls and physical security evolved to include full-scale, centralized automation, Internet access promised remote diagnostics and control.
While that added convenience and efficiency, it also opened up new vulnerabilities. Lighting, air conditioning, security features, and more weren’t always installed with proper firewalls in place. Hackers found they could push through weaker systems to break into buildings’ information networks.
“Four or five years ago, hackers looking for angles, things they can exploit, and found these control systems [were] something they could get right into,” Gordy said. “The first thing I immediately got from everyone was, ‘Who cares about the lights?’ I said, ‘Guys, it’s an on-ramp. It’s a way to get on the corporate network.’”
Gordy was right. International intelligence agencies used the same vulnerability to disrupt Iran’s nuclear progress with the Stuxnet virus. The 2013 Target breach came about when hackers gained access through the retail giant’s HVAC service contractor.
Now the government is attempting to establish best practices and security standards for operations technology (OT), just as it does for conventional information technology systems, said Michael Chipley, a building security expert; president of the PMC Group, an IT/OT systems consultancy; and a former Air Force civil engineer.
In many cases, he explained, misconfigured building controllers communicate to an aggregator box and then to the operator console workstation over an insecure http connection with a direct Internet login. This can be a flashing neon welcome sign for hackers. (For more detail, see the Whole Building Design Guide cybersecurity resource page, which Chipley updated in July)
Chipley says OT vendors are finally beginning to recognize the problem.
They “realize they have huge financial vulnerabilities they cannot continue to ignore,” he said. “The big guys are now reconfiguring product lines to be able to put in encryption.”
IoT: Must OT and IT Merge?
As the world outside becomes enmeshed with IoT, new campus and facility projects face a critical decision: Should the two networks be one, or should they be separate? Should the work product of the people in a building be on the same network as the building’s heating and air conditioning, power, lights, elevators, security, and emergency response?
Alexander, at Tyco Integrated Security, says yes. He describes a centralized system accessed on-site through one command center, like the bridge of a ship. The primary network will be designed with all needs in mind.
Today, “there are a lot of proprietary protocols and proprietary systems in which no one system can talk to the other unless they are the same,” Alexander said. “What we are talking about are converged networks, eliminating redundancies. It’s just a huge savings.”
To date, no major Federal building that has been built “smart” from the ground up.
The General Services Administration (GSA), which oversees government-owned and leased property, has pledged to work toward smart building in both retrofitting and new construction. GSA’s website touts not only the cost savings and energy efficiency of intelligent buildings, but also safety and security.
“A fire situation is perhaps the most commonly cited example of how GSA Smart Buildings are beneficial. The alarms sound and other building systems begin to react: Exhaust dampers open, the IP paging and intercom system issues instructions to occupants, the access-control system unlocks doors for evacuation, and CCTV cameras provide emergency responders with a view of the fire,” the site states.
Smart buildings could also respond to alerts from outside agencies. An earthquake alert from the U.S. Geological Service, for example, could trigger a network to power down computers and gas lines and broadcast pre-recorded instructions for occupants over the public address system, the GSA points out. Guards on patrol could access live video feeds on phones or tablets, rather than only from a single command center.
That capability might have lessened the damage during the 2013 shooting at the Washington Navy Yard, where police were initially unaware of a control room with access to video feeds from 160 cameras spread throughout the facility. In the future, however, those feeds could be accessible using mobile devices, increasing their utility.
The Interagency Security Committee (ISC), a panel of experts from 54 agencies and departments, is generating standards for physical and network security, including oversight and management. An ISC white paper released in February, focuses attention on compliance with FISMA, the Federal Information Security Management Act, and related standards. The main message: Operations technology is just like any other system on the network. Life cycle maintenance, software patches, identity management, and verification are all critical to ensuring vulnerabilities are eliminated.
As the massive data breach at the Office of Personnel Management (OPM) illustrated, the Federal government is under perpetual electronic attack.
“You’re going to build this massive facility that has these physical protections, and then you are going to have to put into place a convergence of IT and OT systems that is going to have to stand up to the hackers of the world, who are going to try to penetrate it,” said Chipley.
So just how “converged” should the IT and OT networks be in such a facility?
Chipley said the IT and OT networks should be separate and distinct fiber networks. The OT network should be in a “demilitarized zone” and require a virtual private network connection, he said, with an outbound connection to the IT systems to support the business side only when needed, he explained.
“We want to isolate the OT system so hackers can’t easily jump over to the IT side,” he said. “In the case of the FBI, it should absolutely have redundant fibers. In fact, it should probably have three; one for IT, one for the OT building automation, fire, elevator, etc., systems, and one for the OT physical access control, intrusion detection, CCTV systems.”
Alexander disagreed. While he believes that the IT and OT can run on two different fibers in the same conduit, he would not break out the others.
“One of the primary aspects of smart building is to consolidate,” Alexander said. “Two [IT and OT] fibers meet that objective. Three would be a motion away from consolidating, and to some extent, drifting away from the main objective.”
These debates will continue among facility engineers and system integrators each time the government embarks on a new facility project. No matter the agency – the writing is already on the wall. OT and IT systems are converging. The Internet of Things is changing the way we view building infrastructure.
The opportunities are endless. And future new buildings will be far smarter than anything we have today.