Building Automation Systems

The digitization of building automation systems can result in energy and operational savings, occupant comfort as well as safety, and also lower the total cost of ownership. Cheaper, smarter, more pervasive edge assets are rapidly replacing proprietary devices across a variety of applications that are varied, complex, and increasingly interconnected, including HVAC, energy management, lighting control, video surveillance, and so on.

Challenges around Digitization

Associated cyber risks must be actively monitored and managed in advancing securely from proprietary/legacy systems to the edge. Poorly defended OT systems can be as exploited as entry points into large public buildings or structures to cause chaos. The notorious Target hack demonstrated how an HVAC system could be used to ultimately steal sensitive financial information for upwards of 40 million people.

Modernization & Onboarding

Smart facilities tend to have a considerable installed base of legacy systems, applications, devices, that must be modernized with minimal disruption. Digitally connecting dispersed assets increases the attack surface.

OT/IT Convergence

Absence of enterprise-grade firewall and poor awareness of best practices in security within OT inhibit the adoption of optimal security practices that are well established in IT. Differing perception of BACS vulnerabilities and security within OT leads to a roadblock towards the implementation of such practices.

Costs & Risks

Cyber incidents have the potential to disrupt production and increase costs for building operators as well as tenants, directly impacting business outcomes. Cyber assurance policies may cover some losses from cyberattacks, however, such coverage is unlikely to cover all losses or all types of claims that arise.

Collection & Monitoring

Lower cost sensors, wired and wireless, are being increasingly deployed to acquire more data. There is a consequent need to implement proactive and responsive monitoring based on real-time data from connected smart buildings. Granular visibility is similarly needed for the proactive upkeep of such smart facilities.

Going Forward

Owner-operators will find it challenging to establish in-house teams and processes to address cyber risks. The selected cybersecurity solution must be future-proof and flexible to adapt to an evolving business and technology landscape.

Xaptum’s Solution

Extending Xaptum’s SASE (Secure Access Service Edge) fabric to connected, dispersed smart facilities provides the following key benefits:

Isolation & Segmentation

To tackle the expansion of attack surfaces and mitigate lateral threats, the ENF uses default-deny firewall rules in isolating OT endpoints, while protecting their data and masking their public identities. It enables microsegmentation of assets within facilities into policy-based security zones.

Bridging OT & IT

ENF is foundationally designed to extend IT-grade firewall and security mechanisms to dispersed OT endpoints. It enforces Zero Trust Networking security between OT and IT with built-in identity and access management (IAM) at scale, thereby facilitating a seamless convergence.

Visibility & Awareness

OT endpoints are assigned unique, permanent IP identities to allow persistent remote tracking from a central pane-of-glass dashboard. Building operators and their insurers can leverage the resulting visibility (into previously invisible OT networks) to assess underwritten risks, while instrumentalizing end-to-end data trails to quantify exposure.

Monitoring Varied Vulnerabilities

As a standards-compliant IP network, the ENF allows for the use of any vulnerability/threat tool. Xaptum can host this for building operators (e.g., the open-source IDS/IPS tool Snort) or they can configure an ENF network tap to send a copy of all traffic to further leverage third-party inspection.