Sep 22, 2022

Leaders of Industry, Part 3: 5 Essential Steps to Securing your BMS Infrastructure

Leaders of Industry is a series of conversations between operational technology, critical infrastructure (CI), and security experts from Armis and other leading companies and institutions. The series explores critical considerations for protecting the OT and CI assets that keep our manufacturing operations, public and private institutions, and cities humming.

This conversation on securing digital cities, campuses, and buildings features the following experts:

  • Thomas A. Rodgers, Director of Operational Technology, Penn State University 
  • Mirel Sehic, General Manager, Cybersecurity, Honeywell Building Technologies (HBT)
  • Keith Walsh, Director, OT Strategy and Operations, Armis

In Part 1, Keith Walsh and Thomas Rodgers discussed how Penn State has addressed security challenges related to connected assets across its facilities that span the Commonwealth of Pennsylvania. 

Read Leaders of Industry, Part 1.

In Part 2, Keith and Mirel Sehic, VPGM / Head of Cybersecurity for Honeywell Building Technologies discuss managing the attack surface of our smart devices and building the foundations of what good cyber hygiene looks like.

In Part 3, we will outline 5 essential proactive steps for securing our digital buildings, campuses, and cities.

Welcome to the conversation.

Part 3: 5 Essential Steps to Securing and Sustaining Digital Cities, Campuses, and Buildings

As we come to the conclusion of our inaugural discussion on securing BMS assets and the systems that control them, it is worth recalling that we first reached out to Thomas Rodgers, Director of Operational Technology at Penn State University, a very large, complex, and dynamic asset operator, to discuss the challenges, objectives, and goals of managing hundreds of buildings across thousands of miles spanning the Commonwealth of Pennsylvania.

Thomas shared with us the challenges of managing what presents as a smart city, inclusive of academic buildings, research facilities, museums, dining spaces, and much more, with the biggest challenge being the lack of visibility into disparate devices, new and old. Without the ability to load agents on or scan OT devices, Thomas was concerned about the ‘shadow’ devices that resided on his networks but that he knew little about.

This lack of visibility led to the need to inventory all the authorized and unauthorized devices on the PSU network. Knowing that bad things happen in the shadows, understanding what every device is, its true risk profile and attack surface, and how to proactively manage the risk posture would be a large step forward in what is a large undertaking for an operation the size of Penn State University.

Conversely, our conversation with Mirel Sehic, General Manager, Cybersecurity, Honeywell Building Technologies (HBT) offers us insights from the perspective of a large OEM of BMS devices and systems.

Mirel shared with us the following insightful perspective we would all be wise to understand:

‘With these new expectations, buildings need to make changes from a standard operating model to a ‘smart’ and ‘connected’ model, meaning a greater emphasis on technology that intersects both laterally (devices in-building expanding to other devices in-building and ultimately to the edge) as well as interconnectivity with the cloud. As you would expect, taking these historically low cyber-hygiene environments and stacking this new technology can lead to a potentially larger cyber threat footprint.’

When we take the older ‘brownfield’ assets that have populated our environments for decades and intermix them with newer cloud-attached ‘greenfield’ assets, as Mirel rightly explains, we have a new and much larger cyber threat footprint, with vectors of attack that may seem limitless and targets that were never meant to, nor cyber-engineered to, withstand them.

In an ideal world, we would never have to be concerned with ransomware attacks, denial of service attacks, and threats against our critical infrastructure. But unfortunately, that’s not the world we live in.

So, as evidenced by our conversations with Thomas and Mirel, there are steps that can be taken to improve the overall risk posture of our OT and BMS environments. Whether working with a canvas filled with brownfield assets, greenfield assets, or both, here are 5 steps we should be taking to ensure the safety, comfort, and well-being of our buildings, campuses, and cities:

  1. Identify your ‘protect surface’: a real-time, full device inventory, inclusive of hardware, software, and associated vulnerabilities, that lets you know what you don’t know about your environment.
  2. Segment properly. Typically, you should group devices into subsystems according to their functions. Connections across subsystems should be monitored closely, including connections to the Internet. Anything less allows for pivots to higher-profile targets.
  3. Never rely on default device and system credentials, as publicly available user guides often include this information.
  4. Be a constant champion. Train your staff on what an acceptable security posture for connected assets looks like, and continually reinforce it.
  5. Patch. Work closely with your vendors to ensure assets are kept up to date in a timely manner.
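
To make steps 1 and 2 concrete, here is an added Python example (not code from Armis, Penn State, or Honeywell) that checks a constructed flow export against a constructed device inventory and flags cross-subsystem, Internet-bound, and shadow-device connections; the subsystem names, the 10.20.0.0/16 internal range, and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample inventory (step 1): every known device with its functional subsystem.
INVENTORY = {
    "10.20.1.10": {"name": "ahu-controller-01", "subsystem": "hvac"},
    "10.20.1.11": {"name": "vav-controller-07", "subsystem": "hvac"},
    "10.20.2.20": {"name": "lighting-gw-01", "subsystem": "lighting"},
    "10.20.3.30": {"name": "door-controller-03", "subsystem": "access-control"},
    "10.20.9.5": {"name": "bms-workstation", "subsystem": "supervisory"},
}

# Assumed site-internal address space; anything outside it is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records ("src_ip dst_ip dst_port"); 47808 is the BACnet/IP port,
# 203.0.113.10 stands in for an external address.
FLOWS = """\
10.20.1.10 10.20.1.11 47808
10.20.9.5 10.20.1.10 47808
10.20.1.11 10.20.3.30 47808
10.20.2.20 203.0.113.10 443
10.20.1.77 10.20.1.10 47808
"""

def classify_flow(src, dst, inventory=INVENTORY):
    """Label one connection according to the segmentation policy of step 2."""
    if not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
        return "internet"            # outbound to an address outside the site
    if src not in inventory or dst not in inventory:
        return "shadow-device"       # endpoint missing from the protect-surface inventory
    subs = (inventory[src]["subsystem"], inventory[dst]["subsystem"])
    if subs[0] == subs[1]:
        return "intra-subsystem"     # normal traffic within one functional group
    if "supervisory" in subs:
        return "supervisory"         # expected: BMS workstation talking to field devices
    return "cross-subsystem"         # a possible pivot path between subsystems

def audit_flows(flow_text, inventory=INVENTORY):
    """Return (label, src, dst, port) for every flow that warrants review."""
    findings = []
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        label = classify_flow(src, dst, inventory)
        if label in ("internet", "shadow-device", "cross-subsystem"):
            findings.append((label, src, dst, int(port)))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(*finding)
```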

In addition to taking the 5 proactive steps above to improve your security posture, I would suggest one final step—working together. Tear down the walls that exist between IT and OT; plan, execute, and plan again together; invest in platforms that share information because it takes a village to be right 100% of the time.

A big shoutout to Thomas Rodgers from Penn State University for sharing ‘what good looks like’, and to Mirel Sehic from Honeywell Building Technologies for contributing to our ‘Leaders of Industry’ series.

Stay tuned for our next ‘Leaders of Industry’ episode, where we explore how a manufacturing giant managed the chaos called Covid-19.

Additional information on Penn State University can be found at psu.edu.

Additional information on Honeywell Building Technologies can be found at https://buildings.honeywell.com/us/en/home.
