Implementing Zero Trust in Smart Buildings, A Cybersecurity Guide for OT Environments November 13, 2024 Security News Security News November 13, 2024 In early November, Aaron from Neeve and Greg Fitzpatrick, CxA, Business Development Leader at Cochrane Supply shared insights highlighting why this model is becoming essential for smart building deployments. In 2023, the concept of “Cyber Harmony” emerged as a call to action, encouraging industry-wide collaboration among all project stakeholders to establish best practices and standards in cybersecurity. As advancements in smart building technology, OT manufacturers’ shift to IP-based devices, and the rise of remote access has become the norm, new vulnerabilities have been introduced into the built environment. Protecting OT systems from cyber threats has never been more critical, and cybersecurity is now a key concern in the construction industry. Systems integrators and consulting engineers are increasingly asking how to embed basic cyber hygiene into their designs and deployments, and where to begin. Since remote access is a common entry point for threat actors due to its exposure to the internet, selecting a solution based on best practices is essential. The concept of “zero trust,” long established in the IT world, provides a solid foundation when considering remote access solutions for OT environments. I recently sat down with Aaron Brondum, Sr. Director Business Development at NEEVE (formerly known as VIEW Smart Building Cloud) to discuss the principles of zero trust and how they apply to OT deployments. Read that conversation below. Greg Fitzpatrick, CxA, Business Development Leader, Cochrane Supply: Hey, Aaron, thanks so much for sitting down to speak with me. Today I wanted to talk to you about Implementing cybersecurity in smart building design. It’s still kind of a new concept for a lot of consulting engineers and systems integrators. They’re often working with the owner’s IT department to integrate smart building technology with an existing IT setup, or they’re setting up a separate OT network. One big question that always comes up from the engineers and integrators is: what’s the best remote access strategy for the standalone OT network? “Zero Trust” comes up a lot, especially in IT circles, but for people who might not be familiar with it, can you explain what Zero Trust really means and why it’s so critical for remote access? Aaron Brondum, Sr Director Business Development, Neeve: Yeah, absolutely. Zero Trust is kind of a game-changer in cybersecurity. You know, the traditional approach is that once you’re inside the network, you’re trusted. Zero Trust flips that on its head—it’s more like, “never trust, always verify.” Every single user or device that’s trying to access any resource has to be verified, no matter where they are or how they’re connecting. When you apply that to smart buildings, especially with remote access, Zero Trust becomes essential for making sure IT and OT systems—which run things like HVAC and lighting—are communicating securely. Let’s say someone’s trying to access the OT network remotely. With Zero Trust, you’re basically saying, “Okay, even though you’re on the network, we’re still going to verify who you are, what device you’re on, and whether you’re authorized to access this specific system.” It’s an extra layer of protection, especially when you’re dealing with sensitive infrastructure. Greg: So, it’s not just a blanket trust once you’re in. Every access point gets verified. That makes a lot of sense. And I guess the principle is the same whether you’re dealing with IT or OT networks? Aaron: Exactly, but there are some differences in how it’s applied. For example, in IT, you’ve got your standard devices—laptops, phones—things that already come with built-in security. But in OT, you’re working with legacy systems, like sensors and HVAC controllers that were never really designed with cybersecurity in mind. So, you have to adapt the Zero Trust methods in a way that doesn’t disrupt critical operations. Another big thing is network segmentation. In IT, you might use more fine-grained access controls based on user roles. In OT, you’re segmenting the network to make sure critical systems are isolated, but still allow necessary communication. It’s all about understanding the physical processes of the building systems and securing them without shutting anything down. Greg: Got it. And what are some of the key factors to think about when you’re specifying a cyber solution for OT? I mean, it’s not just about security, but you’ve got to make sure it’s easy to deploy and doesn’t disrupt the operations, right? Aaron: Yeah, that’s the tricky part—balancing security with ease of deployment. One thing to always keep in mind is segmentation and isolation. You want to make sure that your OT network is separate from the IT network. That way, if there’s a threat in the IT network, it doesn’t spread to critical OT systems like HVAC or elevators. And then there’s secure remote access. You need strong security, like multi-factor authentication, but also something that integrates Zero Trust principles. A lot of people still rely on VPNs, but the problem with VPNs is that once you’re in, you’ve got access to everything. With Zero Trust, you’re constantly verifying who’s accessing what. Greg: What about legacy systems? OT networks are full of older equipment. How do you secure those? Aaron: That’s a huge challenge. A lot of these systems weren’t built with cybersecurity in mind, so you’ve got to choose solutions that can work with what’s already there, without requiring expensive upgrades. It’s about securing the network layer, rather than trying to retrofit security onto each individual device. Greg: Makes sense. So, let’s say the owner wants a separate OT network. Can we look at a solution that gives remote access but with true firewall capabilities? Aaron: Yeah, definitely. The key here is placing a Zero Trust solution right at the edge of the OT network. That way, any communication between IT and OT gets verified. You’re basically creating a secure gateway between the two environments. And if you’re adding remote access, Zero Trust ensures that only authorized users get through, continuously verifying their identity. It’s like a firewall, but with the added security of constant authentication. Greg: It sounds like you’re tightening things up at every level, from the edge to the individual systems. How does a solution like NEEVE’s Zero Trust help with the specific challenges of securing remote connectivity in OT systems? Aaron: And then, there’s network segmentation again. We create smaller zones within the OT network. So even if someone gets into one area, they can’t jump around and access everything. NEEVE’s approach is all about continuous identity verification, using things like multi-factor authentication, so it’s not a one-and-done check. Every time someone tries to access the OT system remotely, we verify their identity and the security of their connection. Plus, all the communication is encrypted, so no one’s snooping in on sensitive data. Greg: So, even legacy systems are covered under this? Aaron: Exactly. A lot of people think Zero Trust can’t work with older OT systems, but that’s not the case. You’re securing the network and monitoring traffic between devices, so you don’t necessarily need to upgrade every single piece of equipment. Greg: And what are some of the misconceptions about Zero Trust in OT environments that you run into? Aaron: Oh, there are a few. Some folks think Zero Trust will disrupt their operations or be too complex to implement. But the reality is, if it’s done right, it’s actually pretty smooth. For example, with NEEVE, we take a step-by-step approach, integrating it into existing infrastructure without causing downtime. It’s all about making the process as seamless as possible. And there’s this idea that OT devices can’t support Zero Trust, which, again, isn’t true. Even if the devices are older, we secure the network layer to make sure they’re part of the architecture. Greg: It’s like you’re providing a modern security solution, but without needing to overhaul the whole system. That’s huge for these older setups. Aaron: Exactly! And it’s also cost-effective. People think Zero Trust is going to break the bank, but we work with what’s already there, so you can roll it out without a massive upfront investment. Greg: This has been super insightful, Aaron. Thanks for breaking it down so clearly. Zero Trust seems like a no-brainer for securing OT networks, especially as they’re becoming more integrated with IT. Aaron: Absolutely, Greg. It’s becoming more essential every day, especially as smart buildings and OT environments get more complex. Always a pleasure to chat about this stuff! I’m looking forward to diving into a more technical level with you next time. As the integration of IT and OT systems in smart buildings continues to grow, the importance of a robust cybersecurity strategy, grounded in Zero Trust principles, becomes undeniable. By incorporating Cyber Harmony as an industry-wide approach and applying Zero Trust as a guiding framework, consulting engineers and systems integrators can better protect today’s complex built environments. In our next article, we’ll dive deeper into the technical specifics, exploring advanced Zero Trust architectures, practical deployment strategies, and best practices for overcoming real-world challenges in OT cybersecurity. Stay tuned as we uncover how to fortify smart buildings at every layer.