Today’s commercial and multifamily buildings have been transformed by the Internet of Things (IoT). These advancements bring a wide range of capabilities enhancing efficiency, convenience, security, streamlined property management, and overall occupant experience. As devices like HVAC, security systems, appliances, lighting, smart EV chargers, and grid-connected energy storage systems become integrated into smart buildings, they offer advanced technologies for automation, monitoring, and control. However, this integration also presents several challenges and risks, including security, privacy, health, and usability concerns.
by Wayne Stewart, Vice President, Global loT & AI, Intertek
When addressing cybersecurity for connected commercial and multifamily buildings, owners and electrical inspectors need to consider a comprehensive approach. This approach, known as defense in depth, involves multiple layers of security measures to protect the building’s systems and occupants. By considering various aspects of cybersecurity, from device security to network protection, owners, and occupants can be assured of a robust defense against potential threats.
For building owners, this approach includes a cybersecurity policy that covers all aspects of building management and operations, including IoT devices and network security. Owners should review the products they are installing to ensure the security of the IoT device itself and the cybersecurity of the overall network.
Some of the most common ways to address these types of reviews include deploying products tested or certified by a third party and conducting assessments. A risk assessment identifies potential threats, evaluates vulnerabilities, and determines the impact of these threats on the network. Vulnerability assessments (VAs) are detailed analyses that find specific security weaknesses within systems. The findings from VAs are a key input for a comprehensive risk assessment, helping to prioritize security mitigations based on the identified risk.
Additionally, regular penetration testing (pen testing) is essential. Pen testing involves simulating cyber-attacks to uncover and assess the impact of exploitable vulnerabilities. Pen testing is part of a proactive approach to ensure that the security measures in place can withstand real-world attacks. Given the constantly evolving cyber threat landscape, with new threats emerging regularly, it is a key component to good cyber hygiene.
Protecting the building’s network infrastructure is another key element. This includes implementing firewalls, deploying intrusion detection/prevention systems (IDS/IPS), and ensuring secure communication protocols are used for all sensitive data. It’s also important to segment networks to isolate critical systems (e.g., HVAC, security) from less critical ones (e.g., guest Wi-Fi). Implementing strong access control measures, including multi-factor authentication, to prevent unauthorized access to building systems and data is crucial, too.
But what does this mean for electrical inspectors? The National Electrical Code (NEC) and building codes in the United States primarily focus on the physical safety aspects of electrical installations and building construction. As smart devices and IoT become more prevalent, codes are evolving with a growing recognition of cybersecurity concerns. However, cybersecurity standards for the smart devices in these buildings do exist to ensure their safe and secure operation. These standards are developed by various international organizations and regulatory bodies.
Some common cybersecurity standards include:
- ISO/IEC 27001, which provides a framework for an information security management system (ISMS). It ensures that organizations systematically examine their information security risks and implement comprehensive information security controls.
- ISO/IEC 27002 offers guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
- NIST Cybersecurity Framework (NIST CSF), developed by the National Institute of Standards and Technology in the United States, provides a policy framework of computer security guidance for how private sector organizations in the U.S. can assess and improve their ability to prevent, detect, and respond to cyber-attacks.
- NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation.
- IEC 62443 is a series of standards and technical reports that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs).
- ETSI EN 303 645: Establishes a cybersecurity baseline for consumer IoT devices, providing guidelines for manufacturers to ensure products are secure, including provisions for data protection, software updates, and secure communications.
Adhering to these cybersecurity standards helps to ensure the protection of the devices themselves, the data they handle, and the broader network. Manufacturers and regulators must ensure that these devices comply with established standards to maintain the safety and security of smart buildings. Inspectors should familiarize themselves with these cybersecurity standards and understand how they apply to the inspection of electrical IoT devices and smart buildings overall.
By adopting a proactive and comprehensive approach to cybersecurity, the building’s systems, data, and occupants can be protected from potential threats. Regular risk assessments, strong security measures, staying informed about relevant standards, and continuous training and awareness are essential.