Keeping the lights on with secure segmentation

By Erik Giesa, VP of Products

Our buildings and infrastructure are getting smarter and more responsive by the day with all sorts of integrated sensors and access controls. Just recently, I was sitting in a park in New York City late one evening when a well-appointed businessman came up to me and asked me what color I’d like the Bank of America Tower lights to be. I threw out "purple" and the tower immediately illuminated to bright purple, by way of his smart phone that controlled the facility’s building automation systems. IP networking has evolved to provide us with an incredibly easy way to connect virtually everything. We are the masters of our connected world…until a hacker takes command and control.

Systems like this lighting system are exactly what the 2017 SANS Survey on Securing Industrial Control Systems highlights. One of the biggest concerns reported by network security practitioners is connected devices and systems that cannot protect themselves, and the system controlling the lights in the Bank of America building falls squarely into that category. Because the primary purpose of these building automation systems is connectivity, control and monitoring, security is often overlooked, despite constant reminders from ICS-CERT and DHS.

What many people don’t understand is that despite all the effort and layers of security, most building automation systems remain vulnerable because they connect via TCP/IP, which is inherently insecure. Using an IP address as both a device’s location and its identity exposes that device to a myriad of attack vectors. I liken it to shooting fish in a barrel for clever hackers. Why? The fundamental flaw of TCP/IP is the root cause of virtually all networking and security challenges. It's fueling our burgeoning security market that Gartner says will exceed $90 billion this year.

Security systems, fire suppression, building access controls, HVAC systems, you name it, are often on the same flat network. These are inherently insecure systems, and they serve as perfect pivot points for bad actors to move laterally to other parts of the network. This double whammy of security vulnerabilities makes it imperative to securely segment your BACnet systems.

Traditional segmentation and NetSec implementations mean installing firewalls and managing certificates, ACLs, VPNs and so on. In addition, these systems often require new routing rules for BACnet traffic and custom-configured policies for each system or location. The result is high cost and only a modest improvement in network security posture.

Our Identity Defined Network (IDN) solution addresses these concerns while delivering a more secure and simpler solution than any alternative. How? We leverage the recently ratified open Host Identity Protocol (HIP), which lets us assign a unique cryptographic identity to every system and device, and then use scalable orchestration to centrally manage identities and policies. You get military-grade security that’s easy to deploy and manage. Tempered Networks offers the only simple, sustainable way to connect and protect your BACnet systems.
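As an added example, not Tempered Networks' code and not an implementation of HIP, the Python below models the flat building network described above and contrasts a BACnet segmentation policy keyed on IP addresses with one keyed on a per-device cryptographic identity, which is the locator-versus-identity point made earlier. Device names, addresses and keys are constructed placeholders, and the key fingerprint merely stands in for a stable identity; it is not HIP's Host Identity Tag derivation.

```python
import hashlib
from dataclasses import dataclass, replace

BACNET_PORT = 47808  # default BACnet/IP UDP port (0xBAC0)

@dataclass(frozen=True)
class Device:
    name: str
    role: str      # "bms", "hvac_controller", "fire", "access", "workstation"
    ip: str        # locator: changes with DHCP leases or re-addressing
    pubkey: bytes  # identity: stable per device (constructed placeholder, not a real key)

def identity(dev):
    # Stable identity: fingerprint of the device's public key (illustrative, not HIP's HIT derivation)
    return hashlib.sha256(dev.pubkey).hexdigest()[:16]
def by_ip(dev):
    return dev.ip  # address-keyed policy: the locator doubles as the identity

# Constructed inventory: one flat segment shared by every building system.
INVENTORY = [
    Device("bms-server", "bms", "10.0.0.10", b"constructed-key-bms"),
    Device("ahu-1", "hvac_controller", "10.0.0.21", b"constructed-key-ahu1"),
    Device("fire-panel", "fire", "10.0.0.31", b"constructed-key-fire"),
    Device("door-ctl", "access", "10.0.0.41", b"constructed-key-door"),
    Device("lobby-pc", "workstation", "10.0.0.51", b"constructed-key-pc"),
]
def flat_policy(devices, key):
    # Flat network: any device may reach any other on the BACnet port, so every host is a pivot point
    return {(key(s), key(d), BACNET_PORT) for s in devices for d in devices}
def segmented_policy(devices, key):
    # Allow-list: only the BMS may reach HVAC controllers on the BACnet port; everything else is denied
    return {(key(s), key(d), BACNET_PORT) for s in devices if s.role == "bms"
            for d in devices if d.role == "hvac_controller"}
def allowed(policy, key, src, dst, port=BACNET_PORT):
    return (key(src), key(dst), port) in policy
def reachable_controllers(devices, policy, key):
    # (source, controller) pairs the policy still permits; use this to verify a segmentation design
    return sorted((s.name, d.name) for s in devices for d in devices
                  if s is not d and d.role == "hvac_controller" and allowed(policy, key, s, d))

def compare_after_readdress(new_ip="10.0.0.99"):
    # Re-address the BMS (e.g. a new DHCP lease) and let another host take its old address.
    ip_policy, id_policy = segmented_policy(INVENTORY, by_ip), segmented_policy(INVENTORY, identity)
    bms, ahu = INVENTORY[0], INVENTORY[1]
    moved = replace(bms, ip=new_ip)
    squatter = Device("rogue-pc", "workstation", bms.ip, b"constructed-key-rogue")
    return {
        "ip_keyed_allows_moved_bms": allowed(ip_policy, by_ip, moved, ahu),      # False: legitimate BMS locked out
        "ip_keyed_allows_squatter": allowed(ip_policy, by_ip, squatter, ahu),    # True: the address inherits the right
        "id_keyed_allows_moved_bms": allowed(id_policy, identity, moved, ahu),   # True: identity is unchanged
        "id_keyed_allows_squatter": allowed(id_policy, identity, squatter, ahu), # False: wrong identity
    }
```

Run `reachable_controllers` against `flat_policy` and `segmented_policy` to see the flat network's all-to-all reachability collapse to the single BMS-to-controller flow.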