The J2 Innovations' blog

The home of smart buildings, smart equipment and IoT

Why a Holistic Approach to Cybersecurity is Essential

Secure by design

At J2 Innovations, we provide best-in-class cybersecurity with every release of the FIN Framework. We've adopted a "think security" philosophy for development and the product lifecycle. We define cybersecurity as the protection of life and company assets from harm caused by digital attacks against the availability, confidentiality, integrity, authenticity, and reliability of information in cyberspace. Here's how we approach cybersecurity holistically in our FIN Framework technology.

Remote access

The need to manage and program smart buildings remotely has existed since the days of the phone modem and telephone line, which provided connectivity for both monitoring and engineering tools. The internet and browsers/HTML5 made getting connected far simpler and more ubiquitous, but also introduced new risks. Cybersecurity is critical when building automation systems (BAS) are directly exposed to the internet, and manufacturers play a constant cat-and-mouse game trying to mitigate hacking risks.

As technology has progressed, there's a better, more secure approach to remote access through the Cloud. We all have experienced the simplicity and security of, for example, joining a smart home device through Alexa or Google Home and not worrying about exposing those devices directly to the internet. The same concept applies to smart buildings, where technologies like J2 Innovations' Edge2Cloud provide complete, fast, and secure remote access to BAS devices. 

Edge2Cloud technology creates a secure end-to-end encrypted connection without the additional hassle of setting up firewall rules or a custom VPN (virtual private network). This means your smart building data is not directly connected to the Internet and, therefore, inherently more secure. The multifactor authentication and single sign-on provide a secure and simplified browser user experience for operating and programming tools. 

Authentication 

One of the most important aspects of security, beyond the technical details, is user authentication and the "social engineering" that comes with managing users and passwords. BAS protocols such as Modbus and BACnet originally had no authentication and relied on security through obscurity. As global controllers became internet connected, the importance of secure, unique passwords became blatantly apparent.

Authentication technology has evolved to greatly reduce cybersecurity risks through best practices such as strong passwords, mandatory changes of default passwords, and encryption. In addition, enterprise-level user management, such as Lightweight Directory Access Protocol (LDAP), provides a centralized authentication server for the organization.

As smart buildings became more internet connected and the number of sites increased dramatically, the need arose for a more interoperable authentication. That protocol is OpenID Connect, based on the OAuth 2.0 framework of specifications. It simplifies the verification of users based on the authentication performed by an Authorization Server and provides user profile information in an interoperable and REST-like manner.
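To make the OpenID Connect step above concrete, here is an added example (not code from J2 Innovations or the FIN Framework) of what a relying party such as a BAS web front end must check when it receives an ID token from the Authorization Server: the signature, the pinned algorithm, the issuer, the audience, expiry, and the nonce it sent with the request. The issuer URL, client ID and secret are constructed placeholders; the example signs with HS256 so it runs offline on the standard library, whereas real providers normally use RS256/ES256 keys published at a JWKS endpoint. The claim checks are identical either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example: a hypothetical authorization server,
# client ID and client secret. Real OpenID Connect providers normally sign ID
# tokens with RS256/ES256 keys published at a JWKS endpoint; HS256 with a
# shared secret is used here only so the example runs offline with the
# standard library. The claim checks are the same either way.
ISSUER = "https://idp.example.test"
CLIENT_ID = "bas-web-client"
CLIENT_SECRET = b"constructed-secret-for-demo-only"


class TokenRejected(Exception):
    """Raised when an ID token fails any verification step."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET,
                  alg: str = "HS256") -> str:
    """Build a JWT the way a test authorization server would (HS256 only)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None,
                      secret: bytes = CLIENT_SECRET, leeway: int = 60) -> dict:
    """Verify the signature and the mandatory OIDC claims; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token is not three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("issuer is not the configured authorization server")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise TokenRejected("token was not issued for this client (aud)")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenRejected("multiple audiences but azp is not this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token expired or exp missing")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise TokenRejected("iat missing or in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce does not match the one sent in the request")
    if not claims.get("sub"):
        raise TokenRejected("sub missing")
    return claims


def rejection_reason(token: str, expected_nonce: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None if the token is accepted, else the reason."""
    try:
        validate_id_token(token, expected_nonce, now=now)
    except TokenRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "exp": t0 + 300, "iat": t0, "nonce": "n-1"}
    token = mint_id_token(claims)
    print("valid token:", rejection_reason(token, "n-1", now=t0))
    expired = mint_id_token({**claims, "exp": t0 - 3600})
    print("expired token:", rejection_reason(expired, "n-1", now=t0))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and the nonce check is what ties the token to the browser session that started the login, which is what stops a token captured elsewhere from being replayed into this client.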

Secure by Design 

Secure by design is an end-to-end approach to product development that builds security into the product from the beginning. 

People need a broad and heightened awareness of the importance of security, both physical security and cybersecurity. Through our Software Maintenance program, we help communicate how important it is to implement cybersecurity software updates. In addition, we encourage proper user management, for example using the least privilege principle to limit data and application access.

Throughout the product's lifecycle, our experts perform manual penetration tests and automated machine security testing (learn more about FIN's Software Maintenance here). This assessment starts at the beginning of the process and is repeated as required to identify and mitigate risks appropriately. In addition, regular product security testing is conducted by Siemens AG and external experts.

Applying Security by Design to FIN Framework helps ensure a secure product architecture, as well as the secure implementation of software components. The software is designed to be secure by default, meaning its features and functions are secure out of the box. 

Learn more about Security by Design by downloading our Whitepaper: Security and Reliability by Design

Best practices 

Finally, taking a holistic approach to security includes providing a detailed guide to how to harden and protect a BAS installation relative to networking and cybersecurity best practices.

J2 Innovations' IT Hardening Guide addresses a full range of technical topics and details for implementing a systematic secure network. This includes the following:

  • A detailed overview of threat and risk terminology and systems security design
  • Detail about typical BAS installation and network design and how that relates to threat analysis
  • Establishing proper access control (how the data flows and how people get in and out of the system)
  • Strong authentication standards (e.g. long login and password combinations, strong passwords for users, and changing passwords on a regular basis)
  • Proper authorization and user set-up
  • Recurring tasks and preventative processes
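The authentication best practices named above (strong passwords, mandatory change of default passwords, regular password changes, recurring checks) are the kind of thing that is easy to state in a guide and easy to let slip in a deployment. The following is an added example, not code from the IT Hardening Guide or the FIN Framework, of enforcing those rules in two places: when a user sets a new password, and as a recurring audit over the account database. The policy thresholds, the list of "default" passwords, and the sample accounts are all constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14           # long combinations, per the hardening guide
    min_charset_classes: int = 3   # lower/upper/digit/symbol classes required
    max_age_days: int = 90         # regular rotation deadline


# Constructed list of factory defaults that must never stay in service.
# These are placeholders, not credentials from any real product.
KNOWN_DEFAULT_PASSWORDS = frozenset({"admin", "password", "1234", "changeme"})


def charset_classes(password: str) -> int:
    """Count how many character classes the password draws from."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(ch) for ch in password) for test in tests)


def check_new_password(username: str, candidate: str,
                       policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the policy violations for a password a user is trying to set."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if charset_classes(candidate) < policy.min_charset_classes:
        problems.append(f"uses fewer than {policy.min_charset_classes} character classes")
    if candidate.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


@dataclass
class Account:
    username: str
    role: str
    password_set_at: float          # epoch seconds of the last password change
    default_password_in_use: bool   # set at provisioning, cleared on first change


def audit_accounts(accounts: List[Account], now: Optional[float] = None,
                   policy: PasswordPolicy = PasswordPolicy()) -> Dict[str, List[str]]:
    """Recurring check: which accounts still violate the password policy."""
    now = time.time() if now is None else now
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if acct.default_password_in_use:
            issues.append("default password never changed")
        age_days = (now - acct.password_set_at) / 86400
        if age_days > policy.max_age_days:
            issues.append(f"password is {age_days:.0f} days old (limit {policy.max_age_days})")
        if issues:
            findings[acct.username] = issues
    return findings


NOW = 1_700_000_000  # fixed clock so the sample run is reproducible
DAY = 86400
# Constructed sample user database for the demo.
SAMPLE_ACCOUNTS = [
    Account("admin", "administrator", NOW - 10 * DAY, default_password_in_use=True),
    Account("operator", "operator", NOW - 120 * DAY, default_password_in_use=False),
    Account("technician", "engineer", NOW - 30 * DAY, default_password_in_use=False),
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, now=NOW).items():
        print(user, "->", "; ".join(issues))
    print("operator / 'Operator2024!' ->", check_new_password("operator", "Operator2024!"))
```

The audit works only from metadata (when the password was last changed, whether the provisioning default is still in place), so it never needs the password itself; the content rules run once, at the moment the user chooses a new password. Both checks return findings rather than printing them so the recurring task can feed them into whatever ticketing or reporting the site already uses.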

Smart organizations make security one of the cornerstones of their businesses, taking a proactive rather than reactive approach. When choosing a BAS (or any software technology), it is crucial to the security of your building and its data to invest in a solution that is secure by design. Learn more about FIN Framework's Security by Design here.

B. Scott Muench

Scott joined J2 Innovations as a partner in 2011, and is now Vice President of Customer Experience. He has a wide range of responsibilities including evangelism, business development, training, and operational excellence. Scott is well known as an industry expert in smarthomes and smart buildings. He is a past president of ASHRAE, and is currently a board member for Project Haystack. Scott attended Clarkson University for Mechanical Engineering and graduated with a BS/Business in Organizational Innovation.
