Cyber Smart Buildings - Network Design
Building Operational Technology (“OT”) devices require a network that allows devices to communicate over both IP and non-IP networks. Examples of OT network devices include servers or head end computers for building management systems, access control systems, camera system servers, parking system servers and many more. Each of these systems can have downstream devices connected to an OT network.
Networks are built using firewalls, switches, routers, data cables, fiber runs, Wi-Fi point-to-point communication devices, and internet modems. Many types of network converters can also make up part of an OT network; media converters, USB-to-network converters and Wi-Fi bridges are just a few examples. All of these devices can be connected to create a building network that allows communication between OT devices.
Most building OT networks are built, not designed. Vendors installing systems (BMS, access control, cameras) require a network and include the lowest-cost network devices possible to get the system they are providing up and running. This makes it much too easy for bad actors to carry out cyber-attacks. This kind of network construction can also lead to the compromise of a corporate network, either at the time a vendor system is installed or as the system is updated over time.
A Cyber Smart Building network design gives OT network devices and systems the communication they need while providing the necessary cyber protection. A cyber-smart network allows secure intra-system communications, meaning BMS devices can only talk to BMS devices and access control devices can only talk to other access control devices. A cyber-smart network restricts inter-system communications, meaning only a specific access control device can communicate with a specific BMS device, and only where absolutely necessary. Other features of a cyber-smart network are device authentication and authorization, remote access controls, and a complete OT/IoT device lifecycle management plan.
Internet communications on a cyber-smart building network must be carefully configured and monitored. Only predetermined incoming connections should be allowed, and each should be automatically logged and monitored. Vendor technicians' access rights must be user-based and not shared with other technicians. Email communications should not be allowed on an OT network, as email is a primary entry point for malware and ransomware.
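As an added example (not code from the original page), the following Python policy check models the design described above: one zone per building system, intra-zone traffic allowed, cross-zone traffic denied unless an explicit exception exists, inbound internet connections limited to a predetermined list, email protocols blocked, and every decision logged. The zone subnets, host addresses, the BACnet/IP exception and the vendor gateway are constructed assumptions, not values from the page.

```python
import ipaddress
import logging

# Assumed zones: one subnet per building system (constructed addresses).
ZONES = {
    "bms": ipaddress.ip_network("10.10.1.0/24"),
    "access_control": ipaddress.ip_network("10.10.2.0/24"),
    "cameras": ipaddress.ip_network("10.10.3.0/24"),
    "parking": ipaddress.ip_network("10.10.4.0/24"),
    "vendor_remote": ipaddress.ip_network("10.10.250.0/24"),
}
# Cross-zone exceptions as exact (src, dst, port) triples; assumed: the
# access-control server may reach the BMS server on BACnet/IP (47808).
CROSS_ZONE_EXCEPTIONS = {("10.10.2.10", "10.10.1.10", 47808)}
# Predetermined inbound connections: (dst, port); assumed vendor gateway.
INBOUND_ALLOWED = {("10.10.250.5", 443)}
# Email protocols are refused everywhere on the OT network.
BLOCKED_PORTS = {25, 110, 143, 465, 587, 993, 995}
log = logging.getLogger("ot-policy")

def zone_of(ip):
    """Map an address to its OT zone; anything else is the untrusted internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src, dst, dst_port):
    """Default-deny policy check. Returns (verdict, reason) and logs it."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_port in BLOCKED_PORTS:
        verdict = ("deny", "email protocol blocked")
    elif src_zone == "internet":
        if (dst, dst_port) in INBOUND_ALLOWED:
            verdict = ("allow", "predetermined inbound")
        else:
            verdict = ("deny", "unsolicited inbound")
    elif src_zone == dst_zone:
        verdict = ("allow", f"intra-zone {src_zone}")
    elif (src, dst, dst_port) in CROSS_ZONE_EXCEPTIONS:
        verdict = ("allow", f"exception {src_zone}->{dst_zone}")
    else:
        verdict = ("deny", f"cross-zone {src_zone}->{dst_zone}")
    # Every decision, allowed or denied, is logged for monitoring.
    log.info("%s %s -> %s:%d (%s)", verdict[0].upper(), src, dst, dst_port, verdict[1])
    return verdict
```

Exceptions are keyed by exact source, destination and port, so the reverse direction of an approved flow is still denied; a stateful firewall would admit the reply packets of an allowed connection without a second rule.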
These are just a few of the top-level considerations when evaluating building OT networks.