Security is a broad term. It can refer to food security, data security, national security, emotional security, security of personal information and much more.
This article focuses on a few aspects of security that impact the built environment:
1. Security as seen traditionally by Information Technology (IT) professionals in the architecture, engineering and construction (A/E/C) industry.
2. Security of the built environment and its intersection with infrastructures such as power/water systems, building access, cable/DSL and wireless such as cellular, Bluetooth, Wi-Fi, etc.
3. Security issues resulting from widespread deployment of the Internet of Things (IoT) and Artificial Intelligence and Machine Learning (AI/ML).
A second article will outline approaches that can mitigate security risks. Some broad security issues such as national security will not be discussed.
Working Definitions for a Few Terms
Some of these terms may be new to some readers. Others may be familiar but warrant a reexamination. The main thrust of this article is to reconsider security in a changed context with two characteristics:
1. Rapid deployment of “things” typically equipped with wireless connections
2. A worldwide change in mechanisms for construction, computing and control
Cybersecurity is “the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.” (source: whatis.techtarget.com)
Internet of Things (IoT)
IoT is “the network of physical devices, vehicles and other items embedded with electronics, software, sensors, actuators and network connectivity. These objects are enabled to collect data, exchange information and to act on their environment.” (source: Wikipedia) IoT gives both the built environment and infrastructure a dynamic quality, hence, new meaning.
In social science, the term built environment refers to the human-made surroundings that provide the setting for human activity … “the human-made space in which people live, work, and recreate on a day-to-day basis.” (source: Wikipedia) With widespread wireless connectivity and mobile computing devices, people effectively become part of the built environment.
Infrastructure is the basic physical and organizational structures and facilities (e.g., buildings, roads, power supplies) needed for the operation of a society or enterprise. Oxford Living Dictionary defines it as the social and economic infrastructure of a country.
With worldwide changes in computing, communication and control, people effectively become part of infrastructures.
Artificial Intelligence is the broader concept of machines being able to carry out tasks in a way that we would consider “smart.” And Machine Learning is a current application of AI based around the idea that we should be able to give machines access to data and let them learn for themselves. (source: Forbes, Dec. 6, 2016)
Software development is the process by which a programmer writes computer code and turns it into a form a computer can execute. Twenty years ago, the code for an application was typically executed on a mainframe, a server or a personal workstation/laptop. Today, a single application (or app) is likely to execute simultaneously on a variety of devices including watches, mobile phones, laptops, cloud services, as well as traditional computing devices.
Operations is the complex set of activities required to “operate” a system. The term operations may refer to the operation of a firm’s computing system, a variety of dynamic components in a structure, etc. Twenty years ago, a firm’s computing operations were typically confined to structures owned or controlled by the firm. Today the systems are typically distributed across clouds, mobile devices, desktop CAD systems, etc.
Fifteen years ago, software development and operations were usually handled by separate organizations or people, and most work was done by hand with the help of a few simple programs, often called “scripts.” As operations became more complex and typically involved many devices, the required tasks needed to be carried out by computer programs rather than by individuals working carefully and following elaborate policy documents.
A few years ago, Tim O’Reilly, a publisher and one of the most influential people in technology, popularized the phrase Infrastructure as Code as a terse definition of DevOps.
With DevOps, organizations push policies and practices to code. This shift in tools, practice and culture has changed software and systems development, distribution and maintenance. From a security standpoint, DevOps needs to cover the automatic installation of security patches and system upgrades.
There is no silver bullet that will make systems secure.
In the past, virtually all access to information systems such as corporate data and operational systems such as Mechanical, Electrical and Plumbing (MEP) has been through physical connections. Security problems are becoming more challenging as IoT becomes pervasive and the value of attacking the built environment becomes more evident.
As we move forward, houses, apartment buildings, offices, and public spaces (such as stadiums and entertainment venues) take on critical characteristics of utilities (such as power stations and mass transit). Instead of stealing data, attackers can turn utilities off and on at the level of buildings, cities, even nations.
Today, the cyber intersects with the physical. Accordingly, separation of Internet-based information systems from control systems is becoming as important as the separation of sewage systems from water systems.
With the widespread use of wireless technology, security problems are profoundly more severe.
IoT bridges the gap between traditional IT and the built environment. The same could be said for infrastructure at a city, state, national and international level. When AI/ML is added to the mix, both dangers and opportunities abound.
These changes present new challenges for A/E/C firms regarding protection of their information systems and the way they design and specify their projects.
Examples of Some Problems
WannaCry and Ransomware, Botnets
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
Stuxnet and the Supply Chain
Stuxnet was an IoT-based attack that targeted Iran’s centrifuges and destroyed many of them, delivering substantial damage to Iran’s nuclear program. It depended on penetrating not only a server, IoT device, etc., but also the supply chain for the centrifuges, and on installing hardware/firmware that awaits destructive commands. Attacks on supply chains need not be exotic. For example, widely adopted anti-virus software from Kaspersky Lab was evidently used to breach NSA security and steal NSA hacking tools.
Firewalls, Maintenance and Establishing a Perimeter
Like virtually all defenses, firewalls are often worse than useless unless updated and patched automatically as part of DevOps.
Equally important is the question: What should be inside the firewall and what should be outside the firewall? Are shared documents on a laptop that is taken to Starbucks inside the firewall or outside? How about file-sharing services like Dropbox, Google Docs, etc.?
In September 2017, Equifax announced a cybersecurity breach, which it claims occurred between mid-May and July 2017. Cybercriminals accessed approximately 145.5 million U.S. Equifax consumers’ data, including their full names, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers. Equifax also confirmed at least 209,000 consumers’ credit card credentials were taken in the attack.
The scope of the breach is staggering. Three aspects of the breach stand out:
1. Equifax knew it was vulnerable for two months before acting.
2. The delay would not have been possible if Equifax culture had incorporated DevOps tools and practices.
3. Fully adopting DevOps requires practices that cross enterprise boundaries.
Unwarranted Faith in Technology
Sometimes we place unwarranted faith in technology. For example, unwarranted faith in a favorite OS or favorite cloud vendor without a balanced commitment of adequately skilled staff can easily compromise systems that are potentially secure. Windows servers with a first-rate admin are much more secure than Linux servers with a third-rate admin, and vice versa.
Special Features of A/E/C
When entrance or exit from buildings is denied, ransomware takes on special meaning. A/E/C firms hold architectural, structural and construction models of buildings in various stages of design, construction and maintenance. What happens if those documents are held for ransom? What happens if they are compromised by changing the specifications for windows from one company to another? What happens if they are stolen and used for unauthorized access to a building years after construction is completed?
Access to buildings is fundamentally different from access to corporate or government information systems; typically, for example, no one needs a password or user account to enter a building. Fifteen years ago, when a person walked into a building, they walked into a building. End of story. Today, they are likely to be carrying all manner of devices that can compromise both building information systems (who lives where?) and building control systems (i.e., elevators, heating/cooling systems, door locks, etc.).
What Can Be Done?
Panic is not helpful. Firms of all sizes need to plan and to act, even if the long-term solution is uncertain.
Each company or project will face different challenges. So we must begin with an assessment, prioritize problems, fix or mitigate the most severe risk, and reassess and repeat.
A mature attitude toward operations will be required. This is the lesson of the development of DevOps over the past decade.
• Good policies are not enough.
• The policies must be pushed to code.
• The code must be testable.
• Expect the current staff to require more training and education.
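The first three bullets above, as an added example that is not from the original article: a patch-window policy written as code, with a gate an automated pipeline can run and test. The severity windows, asset names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy: maximum days a published fix may remain unapplied.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}

@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    fix_published: date
    fix_applied: Optional[date]  # None means the fix is still not installed

def violations(findings, today):
    """Return (asset, days_exposed, limit) for each open finding outside policy,
    worst overrun first."""
    out = []
    for f in findings:
        if f.fix_applied is not None:
            continue  # already patched, nothing to enforce
        exposed = (today - f.fix_published).days
        # A severity the policy does not know fails closed (limit 0 days).
        limit = PATCH_WINDOW_DAYS.get(f.severity, 0)
        if exposed > limit:
            out.append((f.asset, exposed, limit))
    return sorted(out, key=lambda v: v[1] - v[2], reverse=True)

def gate(findings, today):
    """Pipeline gate: True only when no open finding is outside policy."""
    return not violations(findings, today)

# Constructed inventory mixing IT and building-control assets.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Finding("web-portal", "critical", date(2024, 4, 1), None),
    Finding("bms-gateway", "high", date(2024, 5, 10), None),
    Finding("file-server", "critical", date(2024, 5, 1), date(2024, 5, 5)),
    Finding("badge-reader", "unrated", date(2024, 5, 20), None),
]

if __name__ == "__main__":
    for asset, exposed, limit in violations(INVENTORY, TODAY):
        print(f"{asset}: fix available {exposed} days, policy allows {limit}")
    print("gate passed" if gate(INVENTORY, TODAY) else "gate failed")
```
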
These are stiff requirements, and they will not be met immediately. But we must accept responsibility for security at many levels: personal, corporate, project, professional organizations, many levels of government, etc. IT departments can’t do it alone.
These topics and much more will be discussed in the second installment of this article.
Blaine Wishart is a senior principal of the Strategic Technologies practice of DI Strategic Advisors.
Excerpted from DesignIntelligence Quarterly.