IT security specialists need to look at IoT security in buildings in a completely different way, says Cundall director Chris Grundy

The construction industry still hasn't got to grips with the IT security challenges of IoT devices embedded in buildings

IoT devices increasingly embedded in buildings will require a complete rethink to IT security, according to Chris Grundy, a director at consultancy Cundall.

"Buildings are quite static environments in terms of IT. What we're seeing is a dramatic increase" in the amount of IT being embedded within the fabric of buildings, Grundy told a recent Computing Technology Forum event, sponsored by Intel.

What we are trying to do is make a building fall into an IT policy

"I worked on a national stadium recently. There's an office in the stadium that serves 250 people, but there's 5,000 fixed wired points and up to 27,000 WiFi points. The IT department is, ultimately, there for the building rather than, in many respects, for the core IT function," said Grundy.

He continued: "What we're trying to bring through in the construction industry is more IT level thinking. It's not just about devices but the actual applications. Our immediate concern is the quality of the software and the applications.

"We have a new bank HQ project in the City. As part of the contract, we've brought in the requirement to do a number of different penetration tests on the actual software of all the different security systems, energy systems etc. To my knowledge, that's the first time that that's been done in the UK," he added.

Our immediate concern is the quality of the software and the applications

That's had some ramifications. "From a building perspective, we're not doing anything significantly ground-breaking. What we are trying to do is make a building fall into an IT policy. At an initial device level, that's being able to profile a device [that may be embedded in the fabric of the building], bring it up on the network-access control policy and segment it and so on.

"In reality, that device and application is probably going to sit there for ten years."

Then, there's the issue regarding the cycle of updates to those devices. "We are writing into contracts that when a building is delivered, the people that put those systems in have to price, as part of Capex [capital expenditure], for five years the complete lifecycle cost. That's pretty standard in the IT world, I'd say, but in the construction world it's new and it's causing a certain amount of strain."

The IoT devices embedded within new buildings, Grundy added, are fast increasing in number. "We're really just trying to bring in IT industry best practices and implement them across quite a fragmented industry sector," said Grundy.

But it's the security issues that ought to be most concerning, given that insecure embedded devices in buildings, connecting via the corporate network used by the rest of the organisation or organisations occupying the building, could represent a weak link.

"From a building perspective, there's two real issues. One is system integrity. Ultimately, the very first thing that buildings have to do is be safe for their occupants. I recently advised on a new tunnel ventilation system for a new railway and that was predominantly the single most important criteria.

"They didn't care about privacy because there were no privacy issues - for them, the main issue was around system integrity. So the ability to know that something has changed is key and, at the moment, I think the approach is really to lock the devices down as far as you can.

"Ultimately, we might… potentially use the blockchain to provide that system-level integrity. That's where it's going."

At the same Computing Technology Forum, Intel's Stuart Domett revealed some of the tools that will be used ot help manage the 'device as a service' revolution, while CDW's Kyle Davies warned that shorter Windows 10 upgrade cycles could pose challenges for traditionally run IT departments.

Cloud & Infrastructure Live 2019 returns to London on 19th September 2019. Learn about the latest technologies in cloud, how to keep one step ahead of the regulators, and network with an audience of IT leaders and senior IT pros. The event will include keynotes, panel discussions, case studies, and strategic and technical streams. Best of all, the event is FREE to qualifying attendees. Secure your place now.

Attending Cloud & Infrastructure Live 2019 already? Why not enter the Computing Cloud Excellence Awards that will be celebrated in the evening, too?