Executive Briefing: Cybersecurity — Points That Need to be Part of the Conversation

By Marc Petock, Vice President, Marketing, Lynxspring, Inc.

Today’s connected business world means there are thousands of entry points in and out of companies. The truth is that network security does not work as well as we thought.

Hacks, breaches, vulnerabilities, threats: we can’t ignore them. They are undesired events. Cyber threats are changing constantly. Threats are targeted, and they continue to get even more targeted. It used to be a virus was thrown out there and whomever it hit, it hit. Now the attackers are going after specific companies and systems, trying to steal specific information, cause DoS attacks against specific systems, or use networked devices as pivot points to gain access into a business network. In addition, there are many unpatched systems, hackers scanning for vulnerabilities in systems, and cyber criminals using a variety of “things” every day to break into companies. And there are thousands and thousands of exposed, unprotected devices on the Internet that are inviting unwanted persons to come right in.

The topic of cybersecurity is a complex issue. There’s probably no issue that has become more crucial, more rapidly, but is less understood. When it comes to cyber security, understanding the issues, being informed, knowing what the implications are and engaging in dialogues about cyber security are critical. To help these conversations, here is a link to our new Executive Briefing, entitled Cybersecurity: Points That Need to be Part of the Conversation.

http://lynxspring.com/documents/cyber-security-executive-briefing.pdf

Cyber related issues play a growing role within our building networks and systems. They are not immune to attacks. Don’t underestimate the potential for cyber vulnerabilities. It only takes one breach to compromise the whole infrastructure and cause a serious issue. The best way to approach cyber threats is to realize one simple truth: It is not if an attack will happen; it is only when. It is all of our responsibility to take an active role.

Fun With Lynxspring at IBCON 2014

We got a chance to catch up with Bob Mealey at IBCON. Bob is the Chief Operating Officer at Lynxspring. Bob enlightened us on Lynxspring’s CyberPro, an effective approach to handling the cyber security problems that are affecting building owners today.

Founded in 2002, Lynxspring is changing the way devices and systems communicate and collaborate across enterprises. Lynxspring technologies, solutions and services are enabling users to go further to manage and operate their facilities and equipment smarter, safer, securely, more efficiently, and at peak performance levels. They have changed the way control systems are built, secured and distributed.

Embracing open, interoperable platforms, they design, manufacture and distribute JENEsys®, JENEsysONE and LYNX CyberPRO brand Internet based automation and cyber security technology and edge-to-enterprise solutions for Building Automation, Energy Management, Cyber Threat and Security Protection, Equipment Control and other Specialty applications. Lynxspring technologies support true plug-and-play, multi-vendor interoperability, that simplifies the automation and information architecture across the entire enterprise and significantly lowers automation and information infrastructure costs.

BMS/EMS Cyber Security – A Top Priority, Realcomm Advisory with Marc Petock

Realcomm Advisory: Author: Marc Petock, Vice President, Marketing, Lynxspring & Connexx Energy.

I spend a lot of time on the road meeting and speaking with business leaders. While these conversations are an opportunity to engage with them on the challenges they face and where they want to take their organizations, a consistent and mounting topic in all of these discussions is the issue of cyber security. An overwhelming concern is the potential for financial, reputational and physical damage caused from cyber incidents.

Cyber security has emerged in recent years as the number one priority and if it has not for you, it should. What was traditionally seen as a simple component of an organization’s infrastructure – throwing a firewall and antivirus solution down – has evolved into something that can keep you awake at night.

It’s impossible to miss the daily headlines on the latest breaches and cyber-attacks. And these include cyber threats, network compromises and vulnerabilities directed at building and energy management systems. Headlines such as Hackers’ Next Target Maybe Your Facility’s Control Systems, Hackers Breached New Jersey Industrial HVAC System, The Internet of Things is Under Attack, Texas Hospital Discloses Huge Breach, Australian Google Office Building Hacked, Software Security Vulnerabilities Climb 26%, Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More, Building Heating, Lighting and HVAC Systems are Vulnerable to Cyber-Attacks, according to DHS. And then there are all the headlines regarding the recent cyber security issues concerning Target.

We have witnessed that networked BMS and EMS technology have weaknesses, such as inadequate password protection, the use of software that can be hacked and breached and various unmonitored access points within the network. Given this, BMS and EMS systems should always be considered vulnerable to hacking and threats.

Cyber threats continue to increase. This increase is due, in part, to evolving external and malicious threats. Enterprises today aren’t just facing a single attacker or the stereotype of a teenager in the basement just doing it to be doing it. We are fighting well-organized, well-funded adversaries who have formed a sophisticated marketplace; one that is efficient at orchestrating multiple attacks on the same targets with diverse techniques.

So how did we get here? For many years, cyber security and threat protection has taken a back seat to our building and energy management systems. Today, many buildings use IP-based networks and computerized building management systems to monitor and control their systems; these structures are susceptible to cyber threats such as hacking, malware and viruses.

Looking back, our building protocols were never originally designed or built with security in mind. Most of the protocols communicating with BMS/EMS have their origins in serial communications and provide little, if any, security. The unfortunate reality is that these protocols do not possess a robust security framework that can deal with today’s real world possible intrusions and breaches.

During the ‘80’s, when communication protocols enabled systems and equipment from different manufacturers to interact with each other, BMS technology had the ability to load and execute programs in real-time, as well as update software over an extended period of time. During this era, it was security by obscurity, and it was not that conceivable that hackers could pose some threat. Most commercial code was proprietary and used by stand-alone systems, which were not considered to be entry points or to pose risks. In the past, our BMS were left isolated as they utilized proprietary technology and avoided the open standards that exist today. In the last decade we have seen a tremendous increase in the number of facility systems based on open technology, connected via standard TCP/IP and connected directly to the Internet.

What Can Happen? A hacker can use a BMS/EMS device as a jumping off point to get onto other devices and systems, introduce malware, viruses and worms or engage in other detrimental activities. The social implications can be as equally devastating with negative publicity and loss of customer confidence while the financial ramifications may be compounded with lawsuits and equipment replacement and repair.

The Target case is just the latest example of this. Target’s reputation to protect the security of confidential data pertaining to their customers’ personal financial information has taken a big hit and has had a direct impact on their business. As a result of this incident, Target is facing losses of billions of dollars, countless lawsuits, their brand has suffered greatly, they have lost the trust of their customers and given them a reason to shop somewhere else.

And there is more, it is the critical role cyber security protection of building automation systems plays in the operation of our businesses. The operational, financial and reputational impact to a business is tremendous and can include:

Operational Repercussions: Uninhabitable facilities, Uncontrollable and locked-out systems, Equipment damage and replacement, Inefficient systems, Sprinkler and smoke alarm failure, Disabled elevators controls system, Lighting failure, and Compromised building access and intrusion.

Business Repercussions: Interruption of business and operations, Exposure and compromise of intellectual property and sensitive information, Introduction of malicious files, viruses to the corporate IT network, Negative publicity, loss of customer confidence, Brand damage, Litigation, and Occupant harm, loss of life.

BMS and EMS cyber threats are real. Today cyber security protection and risk prevention for building automation systems is a necessity. Building automation networks and IT networks should not be treated differently when it comes to cyber security and threat protection. Just like an IT network (you invest in its cyber protection), building automation networks should have multiple layers of defense and protection as well as policies and procedures that are continuously addressed. It should be part of an overall risk management process.

We have adopted the use of the Internet and its communication capabilities to further the development of smarter and more advanced technologies that help better operate and manage our Building Automation and Energy Management systems. Security is no longer a technical challenge; it is a core business issue. Our modern systems consist of many connected, integrated, interoperable systems and devices and intertwined business applications — all are critical for the building to run and perform at maximum efficiency and financial optimization. A security breach or an outage to a business application or an entire network has a direct impact on a company’s bottom line.

Cyber related issues play a growing role within our building networks. They are not immune to attacks. Don’t underestimate the potential for cyber vulnerabilities. It only takes one single breach to compromise the whole infrastructure and cause a serious issue.

The best way to approach cyber threats is to realize one simple truth: It is not if an attack will happen; it is only when. It is all of our responsibility to take an active role.

About the Author: Marc Petock is Vice President, Marketing at Lynxspring and Connexx Energy where he leads corporate and product marketing strategy and execution, brand management, public relations and communications to support both companies’ strategic and growth initiatives. Marc is a contributing author, noted speaker and recognized industry leader having earned Realcomm’s Top 35 People to Watch for the last six years in a row, Who’s Who in M2M, a Digital Impact Award and several other industry accolades. Marc also serves on the board of directors of Connexx Energy and as an advisor to Realcomm.

Lynxspring along with Netop recently launched LYNX CyberPRO the industry’s first cyber-threat protection solution designed specifically to enhance the protection of commercial building automation and energy management systems. For more information visit www.lynxcyberpro.com.

ControlTalk NOW for Week Ending March 16, 2014

Mike Welch’s interview and review of DALI and LED Lighting are featured in this week’s ControlTalk NOW, along with another batch of new products, solutions, and as always, breaking news from the HVAC Industry and need-to-know information. Welcome again, to ControlTalk NOW.


Lots to Learn from the Target Cyber Incident: Building management cyber security should be part of an overall risk management process and a company procedure. “We Can Learn From the Target Cyber Incident,” by Marc Petock, Vice President Marketing, Lynxspring and Connexx Energy as published originally in the March, 2014 edition of automatedbuildings.com. The Target incident is another example of a cyber-incident that struck close to our industry and is another stark wake up call to businesses to be more vigilant and to take more preventative care when it comes to the cyber security of their assets.

Realcomm Advisory Update: SPRINT Real Estate & CBRE Embrace Mobility to Set High Innovation Benchmark. The Sprint real estate group together with CBRE created an innovation program focusing on mobile technologies. The goal was to create a formal structure where leading ideas could be explored, vetted, implemented and evaluated.

ACI Brings Home The Trophy: ACI won again at the ControlTrends Awards! This year ACI won the Award for the 2013 ControlTrends Awards Peripheral Product of the Year from a Small Manufacture. If you need sensors, ACI has a solution for you. Congratulations ACI! Few manufacturing companies are able to balance an aggressive competitive spirit with a palpable corporate heartbeat. ACI is not just an industry leader, but a committed community member able to sustain an active and viable community commitment, which is not an easy task to perform. ACI does it all so well and they make it seem easy. Take a look at ACI’s intuitive website; you’ll be very impressed.

Why LED Lighting Might Not Be Your Best Choice: Mike Welch Explains. Thanks again to our friend Mike Welch, from Control Network Solutions UK, for his outstanding thoughts and insights on lighting, lighting control and how to have a smarter building. CNS is a Niagara AX® Developer, Tridium and Honeywell Partner. CNS has a successful track record of creating both client specific and off the shelf web based solutions to the SMART buildings control environment world. They are based upon open standards network communication protocols and compatible with the “Internet of Things” (IoT) and demands for “big data” cloud based analytics.

2020 Thermostat Odyssey: Picking a Smart Thermostat for Stanley Kubrick’s House. In perhaps the most current and comprehensive smart thermostat report to date, Rachel Cericola reviews the next-gen “quasi-stats” now available. The list contains many of the usual suspects, but also includes a few “outside the box and not just a thermostat” thermostats, or “quasi-stats,” that are competing in the smart-stat market — especially aimed at the feature-hungry, up-scale, and smart DIY homeowners. Rachel also provides some good advice to consider before buying a smart thermostat.

Honeywell Wins The Trendy: Best Marketing Tools and Support. Congratulations to Amy Anderson and her marketing team at Honeywell for winning the 2013 ControlTrends best Marketing and Support Award. Honeywell’s new approach to reach the hearts, minds, and warehouses of its distributors means that Honeywell will be busy touring the country the months of October and November, launching new high-end integration items like the competitively priced Sylk LCD wall module, Sylk IOs, and new additions to their Spyder and Stryker family, as well as their expanding field devices including new valves and actuators.

Therese Sullivan on the SensorWeb: Is ‘Finding Stuff’ the Killer App that Will Drive IoT adoption in Buildings? Therese Sullivan, Buildingcontext.me highlights the brands and people that are succeeding at marketing to buildings professionals via digital media. In this article Therese keeps the ControlTrends Community on top of the SensorWeb developments. We just took one big step toward the Sensor Web—a concept that combines sensors, Geographical Information Science (GIS) and mobile telecom’s location-based services (LBS).

DGLogik’s Latest Feature Release: Dataflow – Modern Visual Programming for Building Automation
San Francisco – March 7, 2014 — DGLogik is excited to announce the addition of a revolutionary feature called Dataflow, to our 2013 award winning product – DGBox. With Dataflow, DGBox users now have the ability to create logic sequences within a modern visual programming UI. Connect and command all devices, objects and operations as “smart blocks” with inputs and outputs…without having to write any script!

Honeywell Announces the New AX3-PPC Programmable Plant Controller: Honeywell is pleased to announce the availability of the AX3-PPC programmable plant controller, which is ideal for controlling and monitoring a building system including HVAC equipment, lighting and meters.

JCI – York Announce Affinity S1‐TTSCC02 Wi‐Fi Communicating Control Product Introduction. In JCI’s continued effort to expand their Affinity product offering, JCI is pleased to introduce the Wi‐Fi capable version of their Affinity Residential Communicating Control. The Wi‐Fi capability provides homeowners with remote access to the control system from their Smartphone or tablet device using the IntelliComfort™ mobile app, allowing them to easily monitor the status of every enabled system device.

2013 ControlTrends Awards Highlights: And the Award Goes To… Thanks to our Mr. Jones (Bill Jones) for this great video of the 2013 ControlTrends Awards. Bill and his team worked very hard behind the cameras to make sure the magic of the 2013 ControlTrends Awards was captured on film. Nice job Mr. Jones!

ControlTalk NOW will continue to provide a weekly episode featuring the people, products, and the News of the Week shaping our world of controls, building automation, and the HVAC industry.

Click here to listen to or download the Podcast version of ControlTalk Now: http://traffic.libsyn.com/hvaccontroltalk/76_Episode_76__ControlTalk_Now__HVAC_and_Building_Automation_Control_News_You_Can_Use.mp3


Not So Good News: Smart Building Industry Experiences Major Technology Challenge!

Richard K. Warner, OM|E Facility Solutions, expounds on “the rest of the Target story,” and brings the reality of our present state of affairs into a very sobering and focused perspective. The HVAC industry’s over-used security through obscurity period has ended abruptly, and it’s going to take some time, more talent, and more money, to bring the HVAC and building automation industries in-line with the future cyber-threats they will certainly face.

Smart Building Industry Experiences Major Technology Challenge. By Richard K. Warner, PE

The last decade has witnessed an ever increasing demand for buildings that are both green and smart. With buildings accounting for 40% of the US energy demand, the additional environmental policy requirements and increasing energy costs are primary industry drivers. Combine this with the cultural expectation that everything must be “connected” by virtue of the “Internet Of Things” (IOT) mantra and it is no small wonder why “smart building” networks are fast becoming a proxy point for malicious cyber-attacks.

On the surface, it would appear that this is merely a problem of obscure circumstance and a convenient access point. However, it has far deeper roots and may well prove to be extremely difficult to fix in any short time frame with the current resources available to the facility automation community. The unfortunate situation with the Target breach is not shocking for the handful of insiders that have long predicted such an event. The reality is that these attacks have been occurring with ever increasing frequency; however, most have been thwarted or not resulted in such a pervasive impact to so many.

Historically, automation system networks were deployed on separate infrastructure, utilized proprietary protocols and avoided open standards adoption to protect vendor interests. At first an unintended cyber security protection through obscurity, this scenario unfortunately fostered a closed culture that has resulted in an industry that has a limited understanding of standard IT cyber security practices. As open and interoperable products entered the automation market, there was very little attention given to secure network infrastructure and development of talent dedicated to that mission. Most industry vendors focused on creating automated applications to insulate the field resources from the underlying IT complexities instead of requiring the resources to increase their level of competency.

To compound matters, the long adopted practice of acquisition via lowest bid created an environment where talent development was further suppressed in favor of lower cost resources. It was cheaper to create a “self-configuring” product that the current talent pool could deploy than maintain higher qualified professionals capable of adapting to the rapidly changing technology landscape. As a result, talented resources migrated to other industries where they could find more lucrative compensation.

The last decade has seen a tremendous increase in the number of facility systems connected via standard TCP/IP infrastructure. These systems include but are not limited to HVAC, Electrical, Lighting, Security, Video Surveillance, Fire and Life Safety. While this has precipitated the automation system installation firms to co-opt the term “systems integration”, their resources lack the skill sets of resources in the IT domain.

Industry experts indicate that nearly 50% of all new construction projects have facility automation systems that share network infrastructure with the corporate or business LAN. For the remaining systems that are installed on independent infrastructure, a large percentage have a connection point to the corporate LAN to facilitate access or information connectivity.

For existing facilities, the current drive to provide energy utilization and operations data to the corporate information systems is requiring legacy and proprietary systems be retrofitted with newer TCP/IP based supervisory controllers that are then connected to the corporate infrastructure. The reality is that businesses and government agencies alike can experience significant optimization benefits and lucrative returns on investments through properly implemented smart building technologies. Some research firms indicate there could be a compounded 35% increase annually in the global smart building marketplace over the next five years. For building automation systems, this could mean a $40B market increase to nearly $100B by the year 2020.

In an environment where it has long been accepted practice to provide facility automation and operations professionals with remote connectivity, the response by the automation industry and corporate IT community remains to be seen. One thing is certain; it is a problem of potential epic proportion that is not easily corrected in the short term.

Richard K. Warner, PE, CEM, CxA, DCEP, EBCP, LEED BC&D

Currently the President/CEO of OME (omefacilitysolutions.com), an industry leader in innovative solutions for the facility automation industry. His experience with Fault-Tolerant and Mission Critical facilities spans over 25 years for some of the largest organizations in the world. In recent years, he has focused on solutions for large-scale system integration in the areas of real-time information analysis, data visualization, actionable information intelligence, cyber security and demand response.

2013 ControlTrends Awards Best Building Application of the Year Nominee-Lynxspring’s LYNX CyberPRO

Lynxspring’s LYNX CyberPRO is the industry’s first cyber-threat protection solution designed specifically to enhance the cyber protection of commercial building automation and energy management systems.

Incorporating industry proven IT security technology and practices along with real-time building operating and control methods, LYNX CyberPRO hardens the corporate firewall by removing exposed devices and ports from the public Internet. It reinforces the perimeter defense and creates additional layers of continuous protection and prevention for the devices and systems across a building network by securing, managing, controlling, tracking and monitoring account access and activities.

LYNX CyberPRO reduces attack surfaces, secures remote connections, manages access and privileges to devices and applications, logs and audits session activity, and adheres to compliance regulations. More information is available at www.lynxcyberpro.com

BAS Cyber Risks: It’s Not Just About the Numbers. It’s a Business Case.

Corporations must budget money for insurance and good legal advice. The rising cyber threat and its possible consequences fully justify IT security measures. The following article by Marc Petock, Vice President of Marketing at Lynxspring, Inc., as published on AutomatedBuildings.com, provides a compelling business case.

Cyber Threats: Don’t Let Your Building Automation Control System Be a Pivot Point

Welcome Marc Petock, Vice President of Marketing at Lynxspring. Marc has contributed this very timely post on Cyber threats as they relate to building automation controls.

We are experiencing a reality check. Today’s reality is this: No matter what business you are in, no matter where in the world you are—everything on a network is at risk. Cyber threats and security compromises directed at building and facility control systems remain one of the most dynamic issues in the building automation industry today. Buildings are highly susceptible to cyber threats, hacking and viruses. We have seen the number of cyber related incidents and discoveries of building automation software vulnerabilities ramp up. Cyber threats within the building environment are becoming more frequent and sophisticated and we are now at a point where we should be concerned. Gone are the days of “security through obscurity”.