
Summary of Outcomes of the 2019 Cybersecurity Roundtable

Eliot Crowe, Claire Curtin, Hannah Kramer, Jessica Granderson, Lawrence Berkeley National Laboratory
Cindy Zhu, U.S. Department of Energy
Hayden Reeve, Glenn Fink, Pacific Northwest National Laboratory

Prepared for: Amy Jiron and Monica Neukomm, U.S. Department of Energy

October 2019

Cybersecurity Roundtable Organizers

Name                 Organization
Eliot Crowe          Lawrence Berkeley National Laboratory (facilitator)
Hannah Kramer        Lawrence Berkeley National Laboratory
Claire Curtin        Lawrence Berkeley National Laboratory
Jessica Granderson   Lawrence Berkeley National Laboratory
Hayden Reeve         Pacific Northwest National Laboratory
Glenn Fink           Pacific Northwest National Laboratory
Cindy Zhu            U.S. Department of Energy
Monica Neukomm       U.S. Department of Energy

Building Industry Stakeholder Attendees

Name                  Organization
David Bain            Telecommunications Industry Association
Sarah Bemporad        Realcomm
Howard Berger         Realcomm
Michael Chipley       PMC
Aaron Daly            Whole Foods Market
Kendall George        Carleton College
Susan Gerock          Washington REIT
Ken Kurz              Corporate Offices Properties Trust
Sabine Lam            Google
Martha Larson         Carleton College
Bayron Lopez Pineda   Kilroy Realty Corporation
Josh McKiddy          MGM Resorts
Charles Meyers        Wells Fargo
Neal Mohammed         Rudin Management
Chip Pierpont         General Services Administration
Julia Rotondo         PNNL
Francisco Ruiz        Oracle
Limor Schafman        Telecommunications Industry Association
Sandy Shadchehr       General Services Administration
Deborah Shands        SRI
Thomas Yeh            NYSERDA

Background

Cybersecurity concerns represent a significant barrier for many commercial building owners who are considering the addition of connected smart building technologies to improve their buildings’ energy performance. The main goal of this full-day cybersecurity workshop, hosted and facilitated by Lawrence Berkeley National Laboratory (Berkeley Lab), was to gather insights into commercial building owners’ and managers’ current cybersecurity practices and concerns. Toward that goal, the Cybersecurity Roundtable, held on May 23, 2019, was structured to meet three key objectives pertaining to energy efficient smart building technologies:

- To understand the range of building cybersecurity risks and possible mitigation strategies
- To understand current cybersecurity management practices in the commercial sector
- To gain insights to inform publicly funded building technology research that takes account of cybersecurity risks and current practices/constraints within the commercial building sector

Photo: Thor Swift/Berkeley Lab

The event hosted representatives from 21 leading organizations that were identified as early adopters of smart building technologies from the commercial real estate, higher education, hospitality, grocery, utility, and government sectors, as well as representatives from industry associations. In addition to Berkeley Lab and the U.S. Department of Energy (DOE), the event was supported by Pacific Northwest National Laboratory (PNNL).

Cybersecurity Issues for Commercial Buildings

Operational Technology Versus Information Technology

Cybersecurity is a very broad topic, affecting a vast array of technologies; the focus of the Cybersecurity Roundtable was on Operational Technology (OT), as opposed to Information Technology (IT). More specifically, the Roundtable was concerned with connected energy efficient OT, such as energy management and information systems (EMIS), advanced connected controls, and “Internet of Things” (IoT)[1] devices. Typically, an IT group is responsible for overall cybersecurity in enterprise systems including, but not limited to, the business information networks. The IT group is also typically tasked with cybersecurity risk management. In contrast, OT groups are tasked with the well-being and function of individual building systems such as heating, ventilation and air conditioning (HVAC), lighting, and elevators. Table 1 summarizes the key differences between IT and OT systems.

[1] The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, that are provided with unique identifiers (UIDs) and can transfer data over a network without requiring human-to-human or human-to-computer interaction (Source: Wikipedia).

Table 1. Distinguishing characteristics of IT and OT systems

Purpose
  Information Technology: Process transactions, provide information
  Operational Technology: Control or monitor physical processes and equipment

Architecture
  Information Technology: Enterprise-wide infrastructure and applications (generic)
  Operational Technology: Event-driven, real-time, embedded hardware and software (custom)

Interfaces
  Information Technology: Graphical user interface (GUI), Web browser, terminal, and keyboard
  Operational Technology: Electromechanical, sensors, actuators, coded displays, hand-held devices

Ownership
  Information Technology: Chief Information Officer (CIO) and IT
  Operational Technology: Engineers, technicians, operators, and managers

Connectivity
  Information Technology: Corporate network, Internet Protocol (IP)-based
  Operational Technology: Control networks, hard wired twisted pair, and IP-based

Role
  Information Technology: Supports people
  Operational Technology: Controls machines

Source: Whole Building Design Guide, National Institute of Building Sciences

OT staff concentrate on maintaining the operational status of building systems for occupant comfort and convenience; thus, availability is most important to their mission, and cybersecurity is a relatively new concern. IT security staff, on the other hand, are more familiar with cybersecurity risks and mitigation strategies, but are often unfamiliar with OT systems and the ways in which they are becoming connected.

Operational technology cyberthreats

Typically, financial or political desires motivate cyberattackers, and the most direct means of exerting their will is by targeting enterprise IT systems. They may wish to steal confidential customer financial information or deny the owners use of their systems, either for ransom or to influence the victim toward actions advantageous to the attacker. The impacts of financially motivated attacks are easiest to quantify, with research showing that hacks involving theft of personal information have resulted in losses of almost 1.5 billion in market value for the companies involved.[2]

[2] Orszag, Peter R. 2018. “How a Data Breach Affects the Bottom Line.” et-valuation

While the IT community has long been aware of cybersecurity risks and has developed countermeasures and procedures, OT system management generally has lagged in addressing cybersecurity. Before OT networks were commonly networked with enterprise IT systems (and, by proxy, the Internet), their cybersecurity concerns were minimal. However, connection of OT systems to IT networks has become quite common, and these systems have become both vectors (i.e., an entry point enabling access to broader enterprise IT systems) and occasionally direct targets of cyberattack.

Because IT staff are often unfamiliar with the function and capabilities of OT systems, many have been unaware of the growing exposure from those systems becoming IP-enabled. However, recent incidents of OT-targeted cyberattacks are changing this perception. It is now common for building HVAC (and possibly lighting) system controls to be IP-enabled, and there is

proliferation of IoT devices emerging to support energy efficient building operations. Additionally, devices and systems like elevators that traditionally are not networked are increasingly becoming IoT devices because of the ease of use an Internet connection affords.

In 2016, the Mirai botnet appeared, compromising and employing millions of these consumer IoT devices to perpetrate denial-of-service attacks on web domains.[3] Beyond the headlines, cyberattacks on commercial building OT systems are increasing; building control systems are being attacked with ransomware and remote access control gained directly over building equipment.[4]

Data published by IntelligentBuildings shows that half of the buildings they assessed in 2018 had devices directly exposed to the Internet that could be accessed remotely, and 95 percent of the buildings had no disaster recovery plan or had not changed default configurations and ports.[5] This illustrates a lack of cybersecurity awareness and implementation of best practices by building operators.

[3] U.S. Department of Homeland Security. 2017. Alert (TA16-288A). Heightened DDoS Threat Posed by Mirai and Other Botnets. https://www.us-cert.gov/ncas/alerts/TA16-288A
[4] Gordy, Fred. 2019. The State of BAS Cybersecurity. om/news/apr19/articles/ib/190318022808ib.html
[5] Ibid.

Implications for adoption of energy efficient connected technologies

This lack of good cyber “hygiene” can slow the adoption of energy efficiency technologies. A survey by Bain and Company showed that concern over cybersecurity is the number one barrier to the adoption of IoT technologies by enterprise customers. Of the executives surveyed, 45 percent listed security as their number one concern, with 60 percent of respondents stating they were very concerned about the risks.[6]

[6] Ali, S., A. Bosche, and F. Ford. 2018. Cybersecurity Is the Key to Unlocking Demand in the Internet of Things. Bain & Company.

Photo: Thor Swift/Berkeley Lab

Furthermore, companies with more sophisticated cybersecurity practices actually had higher concerns about the risk of IoT devices. This suggests that raising awareness and education about cybersecurity best practices can help but is not the whole solution, as improvements in the cybersecurity of product offerings and service providers are also required. Based on the level of concern among building owners, cybersecurity continues to be an important issue of consideration and research for DOE’s Building Technologies Office as it seeks to promote smarter, more energy efficient technology development for buildings.
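The IntelligentBuildings figures quoted above (Internet-exposed devices, unchanged default configurations and ports, no disaster recovery plan) are the kind of metrics an owner's IT and OT staff can compute over their own device inventory. The script below is an added example, not part of the report or of any assessment tool it cites: it scores each device in a constructed inventory against those hygiene findings, ranks devices for remediation, and rolls the results up to building-level percentages in the same shape as the report's statistics. The device kinds, the vendor-default port values, the firmware-age threshold, the finding weights and the sample records are all assumptions made for the example.

```python
"""Posture check over a constructed inventory of connected building devices.

Added example, not from the report. Device kinds, default ports, thresholds,
weights and the sample inventory are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed vendor-default listening ports per device kind (placeholders; real
# values come from each vendor's documentation).
DEFAULT_PORTS = {
    "hvac-controller": 47808,
    "lighting-gateway": 80,
    "elevator-bridge": 8080,
}

# Assumed weights used to rank findings for remediation.
WEIGHTS = {
    "internet-exposed": 5,
    "default-credentials": 4,
    "no-dr-plan": 2,
    "stale-firmware": 2,
    "default-port": 1,
}

FIRMWARE_MAX_AGE_DAYS = 365  # assumed patch-currency threshold


@dataclass
class Device:
    building: str
    kind: str
    listening_port: int
    reachable_from_internet: bool
    default_credentials: bool
    has_dr_plan: bool
    firmware_age_days: int


def assess(device):
    """Return the list of hygiene findings for one device (empty if clean)."""
    findings = []
    if device.reachable_from_internet:
        findings.append("internet-exposed")
    if device.default_credentials:
        findings.append("default-credentials")
    if device.listening_port == DEFAULT_PORTS.get(device.kind):
        findings.append("default-port")
    if not device.has_dr_plan:
        findings.append("no-dr-plan")
    if device.firmware_age_days > FIRMWARE_MAX_AGE_DAYS:
        findings.append("stale-firmware")
    return findings


def prioritize(inventory):
    """Rank devices by weighted finding score, worst first."""
    ranked = []
    for device in inventory:
        findings = assess(device)
        score = sum(WEIGHTS[f] for f in findings)
        ranked.append((score, device, findings))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


def summarize(inventory):
    """Building-level percentages in the same shape as the figures quoted in the report."""
    findings_by_building = defaultdict(set)
    for device in inventory:
        findings_by_building[device.building].update(assess(device))
    total = len(findings_by_building)
    exposed = sum(1 for f in findings_by_building.values() if "internet-exposed" in f)
    defaults_or_no_dr = {"no-dr-plan", "default-credentials", "default-port"}
    weak = sum(1 for f in findings_by_building.values() if f & defaults_or_no_dr)
    return {
        "buildings": total,
        "pct_internet_exposed": round(100 * exposed / total),
        "pct_no_dr_or_defaults": round(100 * weak / total),
    }


# Constructed sample inventory: four buildings, five devices.
SAMPLE_INVENTORY = [
    Device("B1", "hvac-controller", 47808, True, True, False, 700),
    Device("B1", "lighting-gateway", 8443, False, False, False, 30),
    Device("B2", "hvac-controller", 47810, False, False, True, 100),
    Device("B3", "elevator-bridge", 8080, True, False, True, 400),
    Device("B4", "lighting-gateway", 80, False, True, True, 10),
]

if __name__ == "__main__":
    for score, device, findings in prioritize(SAMPLE_INVENTORY):
        label = ", ".join(findings) or "clean"
        print(f"{score:2d}  {device.building} {device.kind:17s} {label}")
    print(summarize(SAMPLE_INVENTORY))
```

On the sample inventory the building-level roll-up reports two of four buildings with an Internet-exposed device (50 percent) and three of four with default settings or no recovery plan (75 percent); the same computation over a real inventory gives an owner a baseline to track as patching, credential changes and network segmentation are carried out.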

Roundtable Format

The Roundtable workshop was structured to maximize collaborative group discussion (see Appendix A for the agenda). Brief introductory presentations by DOE and the National Laboratories were followed by a full day of whole-group discussion and focused breakout groups. The topic of cybersecurity is very broad and, by its definition, highly interconnected; to allow for a deeper dive and to help organize the Roundtable, the main topic was broken out into four sub-categories for breakout group discussions:

- Operations and IT collaboration
- Technology procurement: working with vendors and third-party service providers
- Corporate environment and workplace practices
- Cybersecurity risk assessment

Facilitation of the breakout groups was led by National Laboratory researchers and DOE Technology Managers. Attendees completed a brief pre-event survey to help organizers develop an agenda and discussion guides that took account of attendees’ experiences and interests. The Roundtable also featured a cybersecurity role-playing game, as a way to spur further collaboration and discussion around cybersecurity defense strategies (see Appendix B).

Summary of Findings

Several high-level themes emerged from the cybersecurity roundtable, covering industry best practices and outstanding needs, including the following:

- Organizational structures need to account for cyber risks.
- Data collection and ownership needs to be clearly defined.
- Collaboration and contracting are key for leased properties.
- The smart building technology supply chain is complex, immature, and fragmented.
- The financial value of cybersecurity is difficult to quantify.
- Existing cybersecurity resources need to be tailored to the building industry.
- Training needs to evolve as buildings and cyberthreats become more sophisticated.
- There is a lack of testing standards and facilities.

Additional detail on each of these key themes is provided below.

Organizational structures need to account for cyber risks

Cybersecurity roles and responsibilities within an organization’s structure vary greatly by company and its core mission, as described by Roundtable attendees. Large companies whose core business is IT typically have a mature organizational structure and processes for security embedded throughout the IT, legal, and HR departments. One Roundtable participant described a well-defined review process for any new technologies or equipment that the company considers, meaning all departments are aligned in process. For real estate landlords generally, offering a secure workplace to tenants is critical, so security is often prioritized at the leadership level. Some companies have IT departments co-located with their construction department. Others are incorporating dedicated IT security roles into their OT departments (or vice versa). In other cases, a Chief Information Security Officer (CISO) exists independent of IT and OT, with overarching responsibilities. In the higher education sphere, it is often the case that IT and OT staff report to different management streams, requiring more emphasis on accountability and communication in order to align interests when it comes to connected smart building technology adoption.

Photo: Thor Swift/Berkeley Lab

Historically, the natural departmental separation of the IT and OT groups, and the prior lack of connectivity of OT systems, has meant collaboration has not been the norm and established collaborative practices have not been developed. However, given growing OT connectivity and cybersecurity threats, collaboration has become a necessity. Principally, OT staff need to better understand security risks of remote management and vendor access to OT technologies, and IT staff need to understand the function and priorities of various OT platforms, which often include energy management. In distinguishing roles, IT can be responsible for securing the network, and OT can be held accountable to abide by the established security rules and best practices. When planning IP-enabled OT improvements it is recommended that IT staff be consulted at the earliest opportunity (and thought of as a kind of “insurance policy”), rather than as a final security check once new technology is installed.

Photo: Thor Swift/Berkeley Lab

For organizations looking to go beyond interdepartmental collaboration, it was also suggested that companies could create a new position in their operations departments, such as an “Operational Technology Manager.” This person would be an OT specialist embedded in the IT

department but would work day to day with OT facilities staff. Another suggested new position would be “Director of IoT” within facilities. This person would communicate with IT teams when deploying networked OT solutions. It was clear that some organizational role must be established to help OT engineering teams understand and coordinate with IT. This role also would help IT staff understand building systems protocols and procedures, and enable greater support for deployment of energy efficient smart building technologies.

Data collection and ownership needs to be clearly defined

Using connected smart building technology to monitor and improve facility energy usage now results in the collection of a significant amount of data. Success in cybersecurity management also requires collection of data from building IT and OT infrastructures. However, data ownership remains a challenge in building cybersecurity. Some data may encompass overall buildings systems, some may be specific to landlord/tenant relationships, some may be owner/occupant personal data, and some may be buyer/vendor data. One organization may have origination rights to data being collected by another. For instance, monitoring the use of building-wide systems like lighting and HVAC may reveal activities or identities of building users, thereby raising privacy concerns.

To trace the origins of suspected cyberattacks, security personnel from the end-user organization (e.g., a building tenant) will need access to logging data from the Internet access points that may be owned by another organization (e.g., a third-party IoT service provider). These data may not even be collected by the building owner and/or they may have some sensitivity (e.g., tracking movement of people using data from a security card access system). Security data collection is a mainstay of traditional IT security, but collection of these data from common OT systems is both difficult to accomplish and often legally ambiguous when it comes to establishing data ownership and sharing strategies. Collected data must be secured and access to it must be provided to any tenant whose security relies on it. However, it is quite uncommon for data sharing agreements to be established contractually or even informally. The recommendation of one Roundtable breakout group was that organizations that have a stake in collected data or in its use should participate in multi-organization agreements on information storage and disposition.

Collaboration and contracting are key for leased properties

In leased properties, OT systems such as elevators, fire alarms, HVAC systems, and associated smart building technologies benefit all tenants, and thus are managed by the building owner. Building-wide IT infrastructure is also often used by many different organizations that occupy the same shared building or site. While it is possible for tenant IT networks and privately owned OT infrastructure to connect to building-wide systems, this creates a converged system with shared vulnerabilities and risks that cross multiple organizational boundaries. Relationships among tenants, owners, and the vendors that support them via patching[7] and maintenance also complicate matters.

[7] Patching is the practice of implementing scheduled or ad hoc changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, and improving functionality, usability, or performance.

Standard business processes do not always span organizations effectively, and this can result in delays and ambiguous assignment of responsibilities. Thus, it is often not possible to get all relevant groups to answer to a single management team. Because of the intertwined and often complex relationships between building owners, tenants, and users, the group recommended that a regularly occurring cybersecurity forum for key building stakeholders may be an effective collaboration mechanism. This working group could include OT and IT, along with operations staff who are responsible for planning, installation, and maintenance of buildings systems. The group recommended that the forum would meet once a month and discuss what approaches are working, and where gaps and challenges exist.

Photo: Thor Swift/Berkeley Lab

In some cases, the group believed that legal instruments would be needed to delineate and enforce cybersecurity roles and responsibilities. For example, patching and maintenance of building-wide OT systems could be stipulated in lease contracts to protect building tenants/occupants from cyberattack. Roundtable breakout group participants believed that building owners should be responsible to implement minimum cybersecurity safety requirements for the good of all tenants. Existing infrastructure may not be ready to provide secure data transport to the stakeholders who need it. Thus, it is recommended that whatever entity owns the network infrastructure should provide data collection, provenance, and security for the users of that infrastructure regardless of their role (e.g., building owners, tenants, vendors).

The smart building technology supply chain is complex, immature, and fragmented

The adoption and delivery of cybersecurity best practices for smart building technologies is hampered by many of the same supply chain challenges that are generally present for emerging technologies in the buildings industry. For example, the value and need for cybersecurity is often not well understood by vendors and third-party service providers. A typical example cited by Roundtable attendees concerned patching and regular software and firmware updates. In IT circles, these are staple requirements, and vendors that do not supply free s
