By Greg Fitzpatrick, CxA | Business Development | Cochrane Supply & Engineering
For the past five years, I’ve traveled across the country, engaging in discussions with consulting engineers about the integration of IP technology into their smart building designs. In most cases, I’ve found that these firms are enthusiastic about incorporating IP Technology into their strategies.
In June 2023, I authored an article for Realcomm’s Edge Magazine titled “Creating A Path To Cyber Harmony – Challenging Commercial Real Estate’s Supply Chain,” where I briefly emphasize the significance of cyber awareness for commercial real estate owners and all project stakeholders, including consulting engineers.
While IP technology holds immense potential for smart building design, its implementation introduces new challenges in terms of cybersecurity and potential risks for consulting engineers. The consulting engineering community must recognize that cybersecurity is pivotal in deploying Operational Technology (OT) during the construction process.
OT systems, such as building automation and control systems, are increasingly interconnected and susceptible to cyber threats. The recent cyberattacks to MGM & Caesars properties in Las Vegas, and to building controls manufacturers, underscore the urgency of addressing cyber risks in the construction industry.
Robust cybersecurity measures safeguard not only sensitive construction data but also the physical infrastructure. This protection prevents potential disruptions, unauthorized access, or sabotage, ensuring the safety, efficiency, and integrity of construction projects. But, as we are experiencing, these devices are limited for shielding against the growing sophistication of the costly ransomware of today’s hackers.
Concentrated threats to properties and controls manufacturers are alarming, and with SEC’s approval of new cybersecurity disclosure rules, consulting engineers must elevate their cyber awareness and comprehend how to incorporate the necessary hardware and software to address cybersecurity concerns in their designs and specifications.
Cybersecurity Expertise to Achieve “Cyber Harmony”
With over 30 years in the consulting industry my aim has always been to simplify the process of designing and specifying OT and integration, making it as clear and concise as possible. Cybersecurity is no exception.
It is important to bridge the gap between facilities and IT departments, and implementing internal OT teams. My goal is to achieve “Cyber Harmony” through increased collaboration among diverse stakeholders, promoting activities such as knowledge sharing, best practice documentation, podcasts, and other communication channels to ultimately develop best practices and standards for the industry.
My objective is to streamline the fundamental cybersecurity requirements for consulting engineers, making these principles an integral part of the designer’s drawings and specifications when creating construction documents for building systems.
In any given project, there is typically a discovery phase where the designer must ask essential questions before proceeding. Incorporating cybersecurity into your design follows a similar pattern. Here are some key points to clarify during the discovery phase to determine your cybersecurity strategy:
1. Determine whether you are deploying IP devices on the owner’s network or designing a separate OT network that supports various building technologies. If the owner manages all OT, the designer’s responsibility is to ensure data encryption, while firewalls and VPN strategy fall under the owner’s IT department.
2. If the designer is responsible for a separate OT network, they must understand how to incorporate cybersecurity into the design.
Strategy First: Planning for Cybersecurity is Paramount
When considering essential design prerequisites for cybersecurity in your OT Network, assuming the owner prefers complete separation of the OT from their IT network (air gapped), I recommend these four tips:
1. Ensure that the specified OT Network solution offers robust port security capabilities, both in software and through the ability to bind device MAC addresses. This is critical to safeguard against unauthorized access. Optigo provides an OT network solution with the necessary port security and unified management through a user-friendly interface.
2. Implement robust data encryption mechanisms for network traffic, which can be achieved through various methods, including BAS system web supervisors, dedicated gateway devices, or BACnet Secure Connect (BACnet SC) using Tridium’s Niagara. This ensures data confidentiality and protection against threats.
3. Prioritize security when facilitating remote access to the network via the internet. Specify a firewall solution and establish a secure Virtual Private Network (VPN) appliance and strategy for remote access. This multi-layered approach enhances network security.
4. Collaborate with the end user on a VPN strategy for remote access and select a secure VPN appliance. TosiBox offers a product known for its ease of deployment and security features, popular among systems integrators.
Incorporating Your Cybersecurity Strategy into Your Construction Documents
Once a cybersecurity strategy is determined for our design, the question often arises: “How do I incorporate cybersecurity into my construction documents?
As a general practice, it’s wise to include as much detail as possible on your drawings and provide further clarification in the specifications. I advocate for the use of a detailed “Systems Integration Drawing” as the foundation for conveying intent to the master systems integrator (MSI). This drawing should display the OT network layout and the hardware used in your cybersecurity strategy.
The use of this drawing allows the designer show:
- Deployment location of the supervisory software
- VPN hardware/software
- Cell Modem
- OT Network router
- OT Network management switch(s)
- OT Network media
- IP switch types and locations
- Gateway devices
- Server (where applicable)
- Subnetwork media
- Technology being integrated
- OT Network MDF location and installed hardware
SmartBuildingDesign.com has the resources to help you need for ensuring strong cybersecurity for any OT Network
At SmartBuildingDesing.com we have detailed Systems Integration Drawings available here: https://www.smartbuildingdesign.com/system-architecture/
Regarding specifications, I recommend using Division 25 – Integrated Automation as the section for hardware and software related to your cybersecurity strategy. Examples of Division 25 specifications are available on our Guide Specifications page.
Incorporating these measures into your OT Network design not only reduces your risk as a designer but significantly enhances your client’s cybersecurity posture, reducing vulnerabilities and ensuring the safety and integrity of their critical operations.
Greg Fitzpatrick, CxA
Business Development Leader- IoT and Integration, Cochrane Supply and Engineering
Executive Director, Real Estate Cyber Consortium