Securing Smart Buildings - Fortinet · 2019-11-01 · Commercial buildings account for nearly 20%...

Securing Smart Buildings: Do You Know the Risks? The Impact of Physical and Digital Systems Convergence on Select Industries An IDC InfoBrief, Sponsored by Fortinet | September 2019 Document #US45473419



© IDC Visit us at IDC.com and follow us on Twitter: @IDC Document #US45473419

Executive Summary

The rise of the Internet of Things (IoT) and the declining costs of sensors and cloud computing are disrupting the building industry as more organizations retrofit or build out new smart buildings. There are numerous benefits of smart building technology ranging from occupant comfort and safety to improved efficiency and sustainability. However, the proliferation of smart building technology increases the risk of a cyberattack on vulnerable endpoints that need to be protected.

In most cases security has not been built in when it comes to deploying smart building point solutions, thus expanding the risk exposure. Organizations must take a security-first approach to deploying smart building technology and migrate to a security fabric architecture to improve the organization’s security posture. This IDC InfoBrief examines how five industries have embraced smart building technology, identifies the associated security implications and challenges, and provides essential guidance for how organizations should establish a security-first approach to their smart building strategies.

KEY FINDINGS

» Smart building technology creates a connected asset that introduces a new attack vector that needs protecting.

» There is a growing convergence between IT and OT, as well as between physical and digital security, that needs to be managed by security professionals.

» Organizations are at risk if they have started to deploy technology such as connected HVAC, lighting, and badge access control systems, which have been breached by cyber criminals to gain unfettered access to IT systems.


Smart Buildings Are Connected Assets

IoT technologies have enhanced traditional building automation and management systems. Innovative smart buildings provide facilities with greater efficiency, sustainability, safety, comfort, and security, and they are evolving into connected assets. The growing connectivity of devices and automated systems improving building and facility operations has made it essential to have a long-term strategy for both physical security and cybersecurity.

[Figure: infographic of a smart building ("Industry Certified Level 3 Building") and its connected systems. Labels: Smart Kiosk, Smart Parking, Smart Lighting/Sensors, Wayfinding, AI & Machine Learning, Electric Vehicle Charging, Smart Elevator, Cabling, Fiber, Xhaul, Energy/Power, Drone Access, Macrocell Real Estate, Rooftop Cooling Units, Solar & Green, Microwave, Satellite, Digital Ceilings, Industrial Controls, Demand Response, Physical Security & Cybersecurity, In-building Connectivity (5G, LTE, IoT, Wi-Fi), Large-scale Emergency Response, Predictive Maintenance, Building Automation, Smart HVAC, Sustainability, Video Surveillance, Smart Meter, Building Access Control, Air Quality Monitoring, Edge Analytics, Real-time Location Services]


What Are the Benefits of Smart Building Technology?

Smart building technology is becoming more widely deployed as the cost of connected sensors and cloud computing declines, and the devices themselves become smaller and less obtrusive. Benefits accrue to the occupants of the building, to the enterprise, and to society.

Improved Experience | Efficient Operations | Increased Sustainability

Building tenant comfort and satisfaction

Preventative and predictive maintenance

Energy and water cost savings

Wayfinding

Air quality monitoring

Reduced operating costs

Optimized building space

Improved physical safety and security

Higher production from assets and employees

Decreased carbon footprint


A Growing Convergence of Digital and Physical Security

Physical security and cybersecurity are becoming intertwined as more physical devices such as video surveillance cameras, employee badges, and door locks are connected to the network and stream data to be aggregated, analyzed, and monitored as part of a greater IoT-based security initiative.

Has your organization deployed video-centric solutions (e.g., video surveillance or crowd monitoring) as part of your IoT initiatives?

Historically, physical security and cybersecurity were separate functions. However, with the growing convergence between digital and physical security, the ownership and responsibility for networked physical devices is shifting from the facility security team to IT.

Ultimately, there will be a blending of the physical security and cybersecurity teams with the chief security officer responsible for ensuring physical safety and digital security.

Source: Global IoT Decision Maker Survey, IDC, June 2019

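[Chart: organizations that have deployed video-centric solutions, by industry (Energy Utilities, Health Provider, Retail, Government, Manufacturing). Values as extracted, pairing with industries not preserved: 49.6%, 38.3%, 49.0%, 54.5%, 58.7%]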


Smart Building Design: Think Security First

Smart buildings exemplify the convergence between IT and OT systems. This convergence presents a new attack vector that enterprises need to secure to protect IT assets and operational building functions.

Many enterprises have not contemplated the risk associated with the proliferation of internet-connected sensors and devices that monitor large assets and buildings. Bad actors could use inadequately secured smart building technology to infiltrate IT systems. 

Vulnerabilities include:

Minimal password protection for older building automation systems (BAS) and industrial control systems (ICS)

Embedded operating systems that are not appropriately patched or even supported anymore

Multiple connected smart building devices and systems from different vendors, compounding the challenges of security updates

Security not initially built into many smart building technology solutions


Security Implications of Smart Building Technology by Industry

Smart Campuses | Manufacturing | Retail | Energy | Government


Smart Campuses: Improving the Education and Healthcare Experiences

Medical and education campuses are complex environments that operate 24-7 with multiple buildings running disparate smart building technology point solutions that need to be integrated and secured to ensure the safety of patients, students, and staff.

Has your healthcare organization deployed any of the following solutions as part of your IoT initiatives?

Spending on smart school campus technologies globally will be almost $6.5 billion by 2023.

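[Chart: IoT solutions deployed by healthcare organizations, by category (People-centric, Building-centric, Video-centric, Vehicle-centric, Environment-centric). Values as extracted, pairing with categories not preserved: 59.8%, 33.3%, 43.0%, 47.6%, 49.0%]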

Increased pressure to improve customer and staff experience drives investment in people-centric solutions for creating a connected workplace and ensuring public safety. Solutions include:

Fast emergency response services for building lockdown campuswide

Smart stadiums and intelligent event management systems on college campuses

Technology for navigating large campuses: finding parking lots, specific buildings, or events

Reliable and resilient power systems for 24-7 mission-critical operations

Key Smart Building Technologies for Campuses

AI and Machine Learning | Building Access Control | Large-scale Emergency Response | Physical Security and Cybersecurity | Predictive Maintenance | Real-time Location Services | Smart Elevators | Smart Parking | Video Surveillance | Wayfinding

Source: IDC’s Global IoT Decision Maker Survey, June 2019

Source: Worldwide Semiannual Smart Cities Spending Guide, May 2019


Energy: Realizing Cost Savings and Protecting Installations

Smart buildings and facilities in the energy sector range from power plants to oil rigs to commercial high rises and more. Plant and facility managers along with key stakeholders in IT and operations are putting greater emphasis on smart building technology with concentrated efforts to ensure that these facilities are both energy efficient and secure from a physical and cyber perspective.

Has your organization deployed, or does it plan to deploy, smart building technologies?

More entry points with additional devices and greater requirements for sensitive data collection (i.e., equipment operating status, power production, and consumption) have created cyber vulnerabilities and increased the need to improve facility security.

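[Chart: smart building technology deployment status in energy (Piloting/Proof of Concept, In Production, Researching/Considering). Values as extracted, pairing with statuses not preserved: 22.0%, 25.5%, 27.0%]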

Key Smart Building Technologies for Energy

AI and Machine Learning | Demand Response | Distributed Energy | Energy Management | EV Charging | Industrial Control Systems | Physical Security and Cybersecurity | Smart Lighting/Sensors | Smart Water

Source: IDC’s Global IoT Decision Maker Survey, June 2019

[1] U.S. DOE, [2] ACEEE

Commercial buildings account for nearly 20% of energy use in the U.S., and nearly 30% of that energy is wasted.[1]

Smart building automation control and optimization systems for lighting, HVAC, and on-site distributed energy can realize 30% - 50%[2] energy cost savings compared to facilities not using smart technology.


Government: Increasing the Resilience, Sustainability, and Safety of Public Facilities

Government facilities worldwide face pressures to reduce operating costs and improve efficiency, reduce energy use and increase sustainability (often a compliance requirement), and ensure the physical and cyber safety of building occupants. The continuous investment in smart technologies and IP-connected endpoints expands the potential attack surface in buildings.

Has your organization deployed, or does it plan to deploy, smart building technologies?

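[Chart: smart building technology deployment status in government (In Production, Researching, Piloting/Proof of Concept). Values as extracted, pairing with statuses not preserved: 26.8%, 27.3%, 18.7%]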

Key Smart Building Technologies for Government

AI and Machine Learning | Building Access Control | Building Information Systems | Physical Security and Cybersecurity | Predictive Maintenance | Smart Elevators | Smart Lighting/Sensors | Video Surveillance | Smart HVAC

There are 4.2 million state and local government buildings worldwide; local government spending on smart building technologies is forecasted to be over $2 billion by 2022.[1]

One-third of government survey respondents state that network security is most vulnerable to security threats.

Many government buildings are retrofitted with multiple separate systems, both new and legacy, running separate functions and using different types of connectivity (Wi-Fi, 3G/4G, LAN).

The U.S. Army issued an RFI to explore specific “smart” capabilities for its Future Installations initiative: industrial control system cyber emergency response; real-time facility control; barracks analytics; utility monitoring retrofit; and frictionless entry.

The U.S. General Services Administration implemented utility meters and building operations software on 81 buildings to reduce energy costs, environmental impact, and operational efficiencies while improving tenant satisfaction and security.

Source: IDC’s Global IoT Decision Maker Survey, June 2019

[1] Worldwide Semiannual Smart Cities Spending Guide, May 2019


Manufacturing: Safeguarding and Enabling Efficient Plants, Equipment, and Systems

Most manufacturing facilities are outdated and filled with aging, unsecured assets. IoT initiatives mean more OT systems are connected than ever before, converging with IT systems. Manufacturers are under pressure to ensure their assets, control systems, and facilities are safe from vulnerabilities and threats while maintaining reliability, uptime, and real-time access to critical data. OT security is a rising priority for manufacturers due to the convergence between IT and automation networks.

Has your organization deployed any of the following solutions as part of your IoT initiatives?

[Chart: IoT solutions deployed in manufacturing, by category (People-centric, Building-centric, Video-centric, Vehicle-centric, Environment-centric). Values as extracted, pairing with categories not preserved: 42.2%, 40.4%, 58.7%, 54.2%, 54.5%]

Source: IDC’s Global IoT Decision Maker Survey, June 2019

Nearly 50% of survey respondents gave high priority to ensuring the security of IT and OT systems when connecting facilities.

The top driver for IT spend in manufacturing is updating/replacing outdated technology (45.2%).

Research shows that downtime costs can reach up to $22,000 per minute within manufacturing. It only takes one incident to shut down a line/plant, cause millions of dollars in damage, and tarnish brand image.

Key Smart Building Technologies for Manufacturing

AI and Machine Learning | Industrial Control Systems | Physical Security and Cybersecurity | Predictive Maintenance | Real-time Location Services | Smart HVAC | Smart Lighting/Sensors | Smart Meters


Retail: Innovating to Provide a Better and More Secure Customer Experience

The retail industry crosses subsectors including retail storefronts, warehouses, restaurants/quick serve, fuel/convenience retailing, and hospitality/hotels. Retail is a hypercompetitive industry facing pressures to innovate and digitally transform to deliver better customer experiences.

Has your organization deployed any of the following solutions as part of your IoT initiatives?

[Chart: IoT solutions deployed by subsector (Retail, Restaurants, Wholesale) and category (People-centric, Building-centric, Video-centric, Vehicle-centric, Environment-centric). Values as extracted, pairing with subsectors and categories not preserved: 61%, 57%, 59%, 47%, 55%, 41%, 54%, 69%, 47%, 39%, 35%, 38%, 35%, 35%, 30%]

Source: IDC’s Global IoT Decision Maker Survey, June 2019

Key Smart Building Technologies for Retail

AI and Machine Learning | Digital Ceilings | Energy Management | IoT | Physical Security and Cybersecurity | Predictive Maintenance | Smart Lighting/Sensors

Reducing operational costs is a top priority for retail strategy/investment in IoT, behind improving customer experience and improving business productivity/efficiency internally.

Retail attacks have grown in sophistication, often from very organized actors using orchestrated waves of attack techniques, requiring a converged response capability. 

Spending on security software and hardware in retail over the next five years will grow at nearly 8% CAGR.

IoT, HVAC, refrigeration, smart lighting, and security systems are presenting new and unfamiliar security challenges.


Smart Building Technology Investment Road Map…Security at the Core

A smart building technology road map should have concrete goals and technologies that are being deployed immediately in Horizon 1, contain use cases that are incubated and have been budgeted for in the midterm in Horizon 2, and contain more aspirational use cases which should be considered in the long term in Horizon 3. Physical security and cybersecurity should be at the core of foundational investments made in Horizon 1 and subsequent investments in future time horizons.

[Figure: investment road map across Horizon 1 (Immediate), Horizon 2 (Midterm), and Horizon 3 (Long Term), with Physical Security and Cybersecurity shown in each horizon. Technologies shown: Video Surveillance, Predictive Maintenance, Industrial Controls, EV Charging, Solar Rooftop-distributed Energy, Next Gen AI/ML, Drone Access, Digital Ceilings, Augmented Virtual Reality, Real-time Occupancy Management, 5G, Smart Parking, Orchestrated Demand Response, Smart HVAC, Lighting/Sensors, Smart Elevators, Smart Kiosks, Wayfinding]


Essential Guidance

Smart building technologies offer a wide range of benefits. However, smart buildings also create a broader attack surface and risk due to the increased numbers of devices and connected assets involved. With that in mind, smart building technology investments must begin with security front and center. Both physical security and cybersecurity should be the highest priority and core building block when investing in smart building technology. Consider the following recommendations for creating a security-first strategy:

Develop an overarching security plan that includes smart building technology

Increase visibility of smart building devices at the edge and on the network 

Deploy a platform solution / fabric to provide an integrated view into security across the enterprise, avoiding siloed point solutions

Involve key stakeholders early in the process across the enterprise

Form a strategic relationship with your security technology supplier


IDC Analyst Profiles

Lynne A. Dunbrack, Group Vice President, IDC Health Insights, IDC Government Insights

Ruthbea Yesner, Vice President, IDC Government Insights and Smart Cities

John Villali, Research Director, IDC Energy Insights

Robert Eastman, Research Manager, IDC Retail Insights

Reid Paquin, Research Director, IDC Manufacturing Insights

IDC Corporate USA 5 Speen Street Framingham, MA 01701 USA T: 508.872.8200 F: 508.935.4015 Twitter: @IDC idc-insights-community.com www.idc.com

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2019 IDC. Reproduction without written permission is completely forbidden.



A MESSAGE FROM OUR SPONSOR

About Fortinet: Fortinet is a worldwide provider of network security appliances and a market leader in network security (FW/NGFW/UTM). Our products and subscription services provide broad, integrated, and high-performance protection against advanced threats while simplifying the IT security infrastructure. NASDAQ: FTNT

Learn more about Fortinet solutions at https://www.fortinet.com/solutions/

Follow us on Twitter https://twitter.com/fortinet

Join the community on LinkedIn https://www.linkedin.com/company/fortinet
