Richard K. Warner, OM|E Facility Solutions, expounds on “the rest of the Target story,” and brings the reality of our present state of affairs into a very sobering and focused perspective. The HVAC industry’s over-used security through obscurity period has ended abruptly, and it’s going to take some time, more talent, and more money, to bring the HVAC and building automation industries in-line with the future cyber-threats they will certainly face.
Smart Building Industry Experiences Major Technology Challenge. By Richard K. Warner, PE
The last decade has witnessed an ever increasing demand for buildings that are both green and smart. With buildings accounting for 40% of the US energy demand, the additional environmental policy requirements and increasing energy costs are primary industry drivers. Combine this with the cultural expectation that everything must be “connected” by virtue of the “Internet Of Things” (IOT) mantra and it is no small wonder why “smart building” networks are fast becoming a proxy point for malicious cyber-attacks.
On the surface, it would appear that this is merely a problem of obscure circumstance and a convenient access point. However, it has far deeper roots and may well prove to be extremely difficult to fix in any short time frame with the current resources available to the facility automation community. The unfortunate situation with the Target breech is not shocking for the handful of insiders that have long predicted such an event. The reality is that these attacks have been occurring with ever increasing frequency, however, most have been thwarted or not resulted in such a pervasive impact to so many.
Historically, automation system networks were deployed on separate infrastructure, utilized proprietary protocols and avoided open standards adoption to protect vendor interests. At first an unintended cyber security protection through obscurity, this scenario unfortunately fostered a closed culture that has resulted in an industry that has a limited understanding of standard IT cyber security practices. As open and interoperable products entered the automation market, there was very little attention given to secure network infrastructure and development of talent dedicated to that mission. Most industry vendors focused on creating automated applications to insulate the field resources from the underlying IT complexities instead of requiring the resources to increase their level of competency.
To compound matters, the long adopted practice of acquisition via lowest bid created an environment where talent development was further suppressed in favor of lower cost resources. It was cheaper to create a “self-configuring” product that the current talent pool could deploy than maintain higher qualified professionals capable of adapting to the rapidly changing technology landscape. As a result, talented resources migrated to other industries where they could find more lucrative compensation.
The last decade has seen a tremendous increase in the number of facility systems connected via standard TCP/IP infrastructure. These systems include but are not limited to HVAC, Electrical, Lighting, Security, Video Surveillance, Fire and Life Safety. While this has precipitated the automation system installation firms to coopt the term “systems integration”, their resources lack the skill sets of resources in the IT domain.
Industry experts indicate that nearly 50% of all new construction projects have facility automation systems that share network infrastructure with the corporate or business LAN. For the remaining systems that are installed on independent infrastructure, a large percentage have a connection point to the corporate LAN to facilitate access or information connectivity.
For existing facilities, the current drive to provide energy utilization and operations data to the corporate information systems is requiring legacy and proprietary systems be retrofitted with newer TCP/IP based supervisory controllers that are then connected to the corporate infrastructure. The reality is that businesses and government agencies alike can experience significant optimization benefits and lucrative returns on investments through properly implemented smart building technologies. Some research firms indicate there could be a compounded 35% increase annually in the global smart building marketplace over the next five years. For building automation systems, this could mean a $40B market increase to nearly $100B by the year 2020.
In an environment where it has long been accepted practice to provide facility automation and operations professionals with remote connectivity, the response by the automation industry and corporate IT community remains to be seen. One thing is certain; it is a problem of potential epic proportion that is not easily corrected in the short term.
Richard K. Warner, PE, CEM, CxA, DCEP,EBCP, LEED BC&D
Currently the President/CEO of OME (omefacilitysolutions.com), an industry leader in innovative solutions for the facility automation industry. His experience with Fault-Tolerant and Mission Critical facilities spans over 25 years for some of the largest organizations in the world. In recent years, he has focused on solutions for large-scale system integration in the areas of real-time information analysis, data visualization, actionable information intelligence, cyber security and demand response.