ICYMI: Intelligent Buildings spotlights APC Smart-UPS TLStorm vulnerabilities that allow attackers to cause cyber and physical damage through undetected remote access.
SUMMARY
Over 20 million APC Smart-UPS (or uninterruptible power supply) devices are currently deployed worldwide. These devices are widely used in Commercial Real Estate, banking, hospitals, data centers, and media. Armis security researchers found a flaw, dubbed TLStorm, that allows attackers to take over these devices remotely. TLStorm has two critical vulnerabilities:
One in a design flaw, in which firmware upgrades of all Smart-UPS devices are not properly signed and validated
One in the TLS implementation used by both Cloud-connected Smart-UPS devices and a third critical vulnerability
[et_pb_section fb_built=”1″ _builder_version=”3.22″][et_pb_row _builder_version=”3.25″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.27.4″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”]A recent Forbes article predicted that a post-coronavirus future will include more contactless interfaces and
interactions, strengthened digital infrastructure, better monitoring and use of IoT and Big Data, AI-enabled
development, and an increased reliance on robots. Put simply, the trend will be towards virtualization and
digitalization in all industries, and Digital Twin-making will pave the road to virtualization and digitalization in the
building industry. More online meetings, less travel; more shared, flexible workspaces, fewer assigned physical
spaces; more operational data collection via IOT sensors, less manual reporting; more AI-enabled analysis, less
guesswork; more maintenance tasks performed by robots, less manual intervention. Read the article and Tom Shircliff’s comments here: Cityzenith[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]
Cybersecurity may not be easy, but you might agree by the end of this article that it is easy relative to the broader technology-related problem in commercial real estate (CRE). In other words, cybersecurity is only a subset of the real problem.
For many years, all industries have struggled with traditional enterprise cybersecurity risks and the consequences we read about in the headlines every day. As a result, there are many cybersecurity solutions for traditional IT areas, such as local area networking (LAN), remote access, and information security (infosec) in general. Although commercial real estate is late to the game in most IT solution implementations, we do have the advantage of being able to pick and choose what is right for our portfolios from established options.
If you have not already done so, your real estate organization will likely soon end up putting all building control systems on your existing enterprise network or providing stand-alone, remote access and LAN solution for those buildings systems. For the latter, it requires a much more simplified solution that not only protects but is also cost-effective and easy to manage for the organization and the contractors using it. In short, it needs to be an IT solution for a non-IT customer.
However, focusing on the remote access issue alone misses the real problem: vendor risk management (VRM).
The 2019 Gartner Glossary describes VRM as the process of ensuring that the use of service providers does not create an unacceptable potential for business disruption or a negative impact on business performance.
Gartner intended this for IT environments, but our 15 years in the real estate technology space tells us that this is even more applicable to real estate than it is to IT-proper for the reasons outlined below.
In larger portfolios, there are three things that any real estate professional knows about vendors, particularly building systems contractors:
Fragmentation: There is tremendous fragmentation in the number and type of contractors across all the total building count
Inconsistencies: The fragmentation creates indescribable inconsistencies for system setup and configuration, data back-ups, and remote access
Turnover: There is frequent turnover at all levels between contractors, building managers, and property managers
Fragmentation, inconsistencies, and turnover at scale create chaos. This chaos tells us the “real problem” is VRM and dealing with dozens or even hundreds of different contractors who not only have or need remote access but also manage onsite, complex, digital building systems such as HVAC, elevator, lighting, parking, and metering. These building systems provide critical functions affecting life safety, experience, productivity, core network integrity, regulatory compliance, and insurance exposure.
…critical functions affecting life safety, experience, productivity, core network integrity, regulatory compliance, and insurance exposure.
There is indeed a big problem with secure, remote access for control systems, which must be addressed. But as noted, there are many different, well-established ways to address that technically. Notwithstanding that fact, nearly all those IT solution providers do not understand the technology nor the culture of the building systems world, leaving the potential for a misused or underused solution for remote access.
Still, the question remains, “what can go wrong if I establish secure, remote access?”. Putting aside for a moment whether all contractors will adhere to the remote access procedures, the answer is most things that go wrong today in building systems are not related to hacking. The cause of approximately 80% of all cyber-related incidents is human behavior (www.itgovernance.co.uk). And hence, the number one cause of disruption in building systems is Ransomware, followed by outdated software or firmware, and then a variety of site-related problems caused by poor system configuration.
We know multiple real estate organizations who have never been hacked but have been completely shut down by these other VRM issues. Additionally, a related and prevalent behavioral issue is that there are no current backups to restore with, and backups from all systems are rarely in the same, validated place that lasts through contractor turnover.
…multiple real estate organizations have never been hacked but have been completely shut down by these other VRM issues
With or without a remote access solution, if each system has password complexity, proper configuration, and recent backups they can “survive” malicious attacks or sloppy mistakes. This is the essence of VRM – having a proper inventory, policy, and policy compliance process for all systems and contractors. The policy and policy compliance must be reasonable and manageable given the deeply embedded cultural realities of building systems contractors, or it will risk rebellion and failure.
A VRM solution must have a customer-empowering, customer-owned approach. This approach must survive the contractor turnover and rise above the inconsistencies caused by the fragmentation of service providers. VRM is a top-down solution that is pushed throughout all regions, buildings, systems, and contractors. This will be manifested in new policy requirements, service contracts, and organization-wide process and controls. The process and controls will eventually mimic formal IT process and controls, such as Service Organization Control (SOC) 2.
So, the next time you say you need to address cybersecurity for your building portfolio, you might consider saying what you really need is a VRM strategy that includes cybersecurity.
About the Authors: Tom Shircliff and Rob Murchison are co-founders of Intelligent Buildings, LLC a nationally recognized smart building consulting and services company that leads the industry in OT cybersecurity and vendor risk management solutions for projects and portfolios at scale.
The rise of the Internet of Things in Buildings (BIoT) offers up tangible business benefits and many new opportunities for innovation, but these need to be carefully weighed up against the potential risks of increased cyber security vulnerability. The latest report published by Memoori finds that if threats are not properly managed by stakeholders across the supply chain, we run the risk of undermining consumer confidence in the market.
“Cyber security is widely perceived as one of the most prominent threats facing society today,” begins this latest report Cyber Security in Smart Commercial Buildings 2017 to 2021 from Memoori. However, this is not necessarily because attackers are infiltrating society’s most important systems but because seemingly inconsequential elements can act as an entry point for a whole network of vital assets.
Attackers seeking entry into corporate networks will often seek out the path of least resistance. The interconnected nature of the Internet of Things in Buildings (BIoT) means that cyber attacks can pose risk far beyond the initial point of entry. Potentially causing cumulative damages that could potentially permeate into new layers of the enterprise, building and facility portfolio, users, operators, and service providers.
The increased proliferation of smart devices, combined with persistent concerns over cyber risk and data privacy and an increased incidence of cyber attacks against smart buildings will drive a significant increase in demand for new cyber security hardware, software and services in the market.
Memoori estimates that global revenues for smart building cyber security will reach $8.65 billion by 2021, up from an estimated $4.26 billion in 2016, which represents a healthy CAGR of over 15% during the forecast period.
According to Fred Gordy, director of cyber security at Intelligent Buildings LLC, as much as 80 percent of the time, an attacker’s aim is to infiltrate the network via a BAS, and to get past those controls to accomplish a larger goal or seek a more specific target. As we dive deeper into the internet of things (IoT) it is not just BAS that creates vulnerabilities.
Organisations that have adopted a centralised approach to building management, through a building management system (BMS) hosted in the cloud could provide the vector for an attack. Network routers, gateways, cloud and Web servers all have the potential to provide potential entry points to a network. The vast number of network connections and servers managed by data centres mean those facilities are highly targeted and any breach could be catastrophic.
Even so called “Bring Your Own Device” (BYOD) policies, increasingly seen in all manner of buildings, can create security vulnerabilities. Security protocols adopted by the average user, on their own personal devices, may not conform to the criteria required to protect a network, potentially making a single mobile phone the weak leak that brings down an organisation.
“It is clear that a more holistic approach to cyber security is required in smart commercial buildings. In order to determine potential system vulnerabilities in a modern networked Smart Building, one must also carry out an assessment of the systems, devices and networks that are connected to building automation and control systems,” states the report.
For smart buildings, a robust building cyber security plan is critical. Armed with knowledge from security audits and security risk assessments, organisations can make more informed risk management decisions and proactively identify the steps required to reduce threats. Even after a plan has been developed, an effective defense involves an ongoing iterative process, which must be continuously reviewed against the constantly changing threat environment.
First Intelligent LavatoryTM Launch Smooth & Successful
Irvine, CA—Working in partnership with Intelligent BuildingsTM to enhance Sheild Property Company ‘s showcase project, Ballantyne Village in Charlotte, NC, Cognos Systems has installed its remote lavatory appliance monitoring system, i- Lav. Dubbed a beta test, this configuration of i-Lav is performing flawlessly and drawing the attention of other prominent property development managers.
The first of its kind, i-Lav wirelessly communicates the status of lavatory appliances and plumbing fixtures. Empty paper towel or toilet paper dispensers, no soap, and water, trash and sewage problems in restrooms can be significantly reduced or eliminated through instant notification to maintenance, resolving many of the top complaints received by property managers and building owners.
Tom Shircliff, Intelligent Buildings Group Co-founder explained, “We use the Fourth Utility®, which is based on the Cisco Connected Real Estate platform to add value to commercial real estate properties. We found the i-Lav solution to be a perfect fit for an “Intelligent Building”. This service gets to the heart of tenant satisfaction and ultimately tenant loyalty. The installation was done in minutes and the connection to the building technology infrastructure was simple and seamless. We already have enthusiastic interest in Intelligent Hygiene from other large developers.”
“I couldn’t be more impressed with i-Lav. I expect to derive immediate payback through more efficient maintenance scheduling, and long term payback as a result of increased tenant loyalty, which ultimately adds up to tenant retention,” George Sheild commented. “Ballantyne Village is a premier multi-use property offering retail space, class A office space, entertainment, and residential quarters. Everyone, business patrons, business owners, and office tenants, will benefit from the i–Lav solution, “ Mr. Sheild concluded.
“Our goal is to sustain tenant retention, add to patron satisfaction, and provide the management tools to improve the allocation of resources in commercial buildings,” stated Hank Ortiz, CEO for Cognos Systems. “With the assistance of Tom Shircliff and his team at Intelligent Buildings, we have launched i-Lav in the perfect building project. Ballantyne Village is a prime example of vision and innovation. We are elated to be among the participants offering the latest technology advancements and we are very pleased with the positive response i-Lav is receiving from George Sheild and others,” Mr. Ortiz continued.
Recognizing that a basic frustration for individual tenants and patrons often translates itself into an economic issue for building owners and property managers, Cognos Systems has responded with the low-cost, easily implemented i-Lav system that virtually pays for itself within months in a typical Class A Commercial Building
About Intelligent Buildings
Intelligent Buildings is a pioneer and leader in the new industry segment of commercial real estate technology services. We provide the Fourth Utility®, which is based on the Cisco Connected Real Estate platform and adds value to buildings by increasing net operating income through operational savings and new revenue streams. Additional information about The Fourth Utility and Intelligent Buildings is available at www.intelligentbuildings.com.
About Ballantyne Village
Ballantyne Village is an upscale, unique, and pedestrian-friendly 800,000 square foot development in the Ballantyne area of Charlotte, North Carolina. Ballantyne Village comprises upscale retail and restaurants, luxury condominium homes, class A offices, plus an independent movie theater. Ballantyne Village is located in the heart of Ballantyne, a 2,000-acre community featuring nationally-recognized Ballantyne Resort Hotel, Ballantyne Country Club, and Ballantyne Corporate Park – home to LendingTree, ESPN Regional, AXA/Equitable, and other international and national companies.
For more information, contact George Sheild by email or telephone: (704) 541-2800.
About Cognos Systems
Cognos Systems, Inc. provides remote monitoring, hygienic solutions using patented wireless technology. For more information regarding Cognos Systems and its products, including i-Lav, please visit www.cognos-systems.com.
Cabarrus Regional Chamber of Commerce is going the extra mile to help area businesses and citizens benefit from the mammoth N.C. Research Campus going up downtown.
A week from today, the chamber will host an information session for small businesses on “How to Connect to the North Carolina Research Campus.” It will include opening remarks from Lynne Scott Safrit and a project update.
It’s easy to understand why someone would want to make that connection. During another session sponsored by the chamber last week, an official close to the project estimated it will generate about 2,200 jobs in just its first two and a half years of business — scientific jobs, support staff and other workers. That news came from Tom Sanctis, director of construction operations for Castle & Cooke.
Next week’s session, to be held in the Old Cabarrus Bank Building in the Village, is aimed at new and existing businesses and will give pointers on doing business with the campus and gaining access to leaders of the project. For more information or to register, call the chamber at 704-0782-2000, ext. 26.
Some businesses have already found their connection. The Charlotte Observer reported recently that two Charlotte entrepreneurs are in the early stages of planning services their company, Intelligent Buildings, can provide at the Research Campus. “Workers there might be able to use touch-screens to have lunch delivered to their desks; visitors can use them to find out about the tenants; and researchers can use the network to share data securely,” according to the report.
The chamber’s doing a good job, and its leaders are to be commended. Still, you get the feeling the most aggressive entrepreneurs are not sitting around waiting for a seminar.
Donald Trump is rumored to be heavily involved in it. Cisco Systems is all over it via its Cisco Connected Real Estate (CCRE) initiative. Numerous power, cooling and building-automation systems (BAS) vendors are jumping on the bandwagon.
What is it?
It’s the convergence of IP networks and BAS. Convergence that is enabling IT managers to keep track of everything in one building via a single console.
“We are seeing an emerging market of security systems, HVAC and power systems managed via IP,” said Andreas Antonopoulos, an analyst at New York City based Nemertes Research. “Long term, we will see other forms of convergence, such as IP managing a whole range of BAS.”
BAS includes lighting, elevators, cooling and electrical elements. It can also encompass physical security systems, TV and fire safety — all united under IP as the overarching control and monitoring system. Antonopoulos lists the benefits as power savings, coordination of physical and logical assets, and improved security.
While such systems are starting to appear, it may be years before they are a standard part of provisioning a new data center. The early stages of convergence are here, however, and range from simple extensions of existing IT capabilities to full-fledged facility systems that tie IT tightly into a building’s infrastructure.
Netuitive, for example, sells a business service management (BSM) solution that analyzes the data center in real time. It self-learns the system and transmits advanced warnings of heating and power issues. Netuitive Service Analyzer correlates environmental metrics, such as temperature and power consumption, alongside server performance metrics.
“Because server overheating creates IT nightmares, knowing ahead of time that the power consumption or temperature is going up allows the IT manager to contact the building manager to proactively prevent problems,” said Jean-Francois Huard, CTO and vice president of research and development at Netuitive.
Netuitive’s technology is based on statistical regression and correlation analysis. For example, a data center with multiple air conditioning (AC) units might have issues with one AC control board that failed to detect a rise in room temperature and therefore didn’t send any alarms. This system would detect the anomaly early enough so an admin could have the AC control board repaired and address the overheating issue before any servers shut down. This technology also learns server patterns, so intensive periods of processor usage that send temperatures higher don’t also sound the alarm for no reason.
According to Huard, Netuity requires sensors be connected to the network. These can be found in the smart UPS and APC-MGE’s NetBotz sensor offerings or Liebert’s cooling systems.
Eaton offers a different way of monitoring. In addition to power equipment, Eaton’s Foreseer Enterprise Management System manages environmental and life/safety devices from any site carrying a Foreseer server. It can interface with gear from most power and environmental equipment manufacturers, as well as fire, security, fuel, UPS, air handlers, HVAC, battery monitoring and temperature/humidity subsystems. Thus, IT managers can simultaneously track servers and building systems.
APC, meanwhile, has been steadily upgrading its InfraStruXure platform to encompass an even greater zone. InfraStruXure Central 4.0 covers data center design, monitoring and management, and it encompasses power, cooling, floor space and cabling. Its approach is to lower support costs and prevent downtime through early detection.
“With 1 to 2 percent of total U.S. power consumption now occurring in data centers, good data center design is vital — but alone it is not enough,” said Soeren Jensen, general manager of enterprise management products at APC- MGE. “It takes the right combination of design, operational and management factors to run things properly.”
InfraStruXure Central has three components to take care of each facet. Thus, it can be used to design a data center from the ground up (or reconfigure it), for day-to-day operations and in overall management. It keeps an eye on UPS, power switches, PDUs, batteries, cooling, environmental monitors, airflow and server racks. It can also be tied into some BAS systems and enterprise management platforms.
IP in Charge
Although many of the systems mentioned above can access data from building systems, most are limited in what they can do. Ultimately, however, that will change. The overall trend is for IP to be the backbone for all building systems. Instead of having dozens of different cabling systems, only a few will be needed, and IP will manage just about everything.
“Every major sub-system manufacture has something to say about IP,” said Tom Shircliff, co-founder of Intelligent Buildings in Charlotte, N.C. Intelligent Buildings is a pioneer in real-estate technology, design and management. “Larger companies like Trane, Siemens, TAC and Johnson Controls promote building technology platforms that look like Ethernet diagrams with their BAS applications hanging off the edge.”
While this is a good sign, Shircliff cautioned that many of these established players in the facilities market continue to protect their proprietary protocols. As a result, products often labor to be truly interoperable with “foreign” controllers, other building applications and other technologies. He advocates platforms that accommodate multiple protocols and applications. Shircliff’s advice to anyone planning a new data center:
“Convergence comes at many different levels and you should take what you can get in today’s environment, and look to the most progressive vendors to push your legacy systems and providers,” said Shircliff. “Basic interoperability is already attainable with mechanical controls, access controls/security and lighting controls.”
Case in point: Intelligent Buildings was a primary vendor in a site known as Ballantyne Village in Charlotte, N.C. It executed its Fourth Utility concept alongside other providers, including Liebert, Panduit and Cisco. Fourth Utility is all about harnessing IP as a readily available utility — just like electricity, water and gas.
“Most of the dozen applications that are converged and operating on the Fourth Utility infrastructure at Ballantyne Village were not planned from the beginning but were groomed onto the infrastructure along the way,” said Shircliff. “Some are converged physically via conduit, cable tray and fiber optics, and others are electronically converged by being switched through the Cisco infrastructure.”
This includes television, ambient music, digital signage on 35 plasma screens, energy sub-metering, WiFi, VoIP,
LED property lighting, point of sales and even lavatories that tell the maintenance staff to bring more toilet paper or paper towels.
Another example is the 4 million square-foot North Carolina Research Campus (NCRC), which is being built over the next few years at a cost of $1.5 billion. Anyone looking to see the data center of the future would do well to investigate this property. It is being constructed from the ground up using Intelligent Buildings’ Fourth Utility infrastructure.
“Building system convergence is being driven by the dominance of IP and the economics,” said Jim Sinopoli, principal of Sinopoli and Associates, an engineering and consulting firm based in Spicewood, Texas. “As well as saving money on the construction of the building, the benefits are ease of management and streamlining of the skill sets required to manage the systems.”
In the drawback side of the ledger, however, he notes that legacy methods of designing and constructing a building are hard to combat. Traditionally, each system is designed and installed separately. Therefore, it can be difficult to get architects, engineers and contractors to agree to look at doing things in a different way.
But like everything else, that will change with time. Shircliff thinks it might take another five to seven years for complete convergence to take place. Meanwhile, early adopters in the United States, like Ballantyne Village and NCRC, represent some of the relatively few North American examples, compared to a multitude of such state-of- the-art campuses using this technology in Asia, the Middle East and Europe.
“From the perspective of the data center, the Fourth Utility is all about reducing capital expenditures and operating expenditures,” said Terry King, business development manager at Liebert. “For now, however, it is mostly hype and discussion in the U.S.A. and not a lot of action. But that is going to change in the near future.”
Tom Shircliff, left, and Rob Murchison, right, of Intelligent Buildings, with a screen in their conference room that shows global cyber attacks happening in real time. Diedra Laird – dlaird@charlotte observer.com
Imagine a group of hackers breaching a building’s secure computer network – but they aren’t interested in stealing financial data, sensitive emails or company secrets. Instead, they want to hack the building itself.
Imagine the hackers take control of the building’s heating system and crank up the thermostat, damaging temperature-sensitive servers. They turn off the lights and activate the fire alarm system at random, making it impossible to work in the building. And then they shut water valves, backing up sewage and wreaking havoc on the plumbing – all from behind a computer screen.
This scenario isn’t as far-fetched as it might sound. Building control systems are more connected to the Internet than ever before, allowing remote access, monitoring and greater energy efficiency improvements. But greater connectivity can lead to greater vulnerability for buildings if the proper security measures aren’t in place.
“It can be as benign as brand damage and as dangerous as life safety issues,” said Tom Shircliff, co-founder of SouthPark-based Intelligent Buildings, which provides energy efficiency and smart-building consulting. The company helped design the systems for the Duke Energy Center and was a key partner in launching the Envision Charlotte initiative (behind those energy monitoring screens you see if you work in an uptown building). Now it sees a growing need for building cybersecurity.
“Even a low-level nuisance is a brand problem,” said Shircliff. “If you’re a big developer or portfolio manager and you can’t get the lights on or your elevators working, that’s not good for business.”
With the real estate market largely recovered and building booming, there are more buildings under construction that have to consider security. And the push for “smart buildings,” where building systems are integrated and accessible online, means connectivity is only going to increase. Intelligent Buildings goal now is trying to raise awareness of how building systems can be just as vulnerable to cyberattacks as other corporate networks.
“Whether it’s a lighting system, HVAC, physical access control, video surveillance, elevators, they’re all computer networks,” said Rob Murchison, Intelligent Building’s co-founder. “Since they’re computer networks with servers, they are susceptible to the same vulnerabilities and exploits.”
He pointed to risks such as someone changing the settings on valves feeding a building’s cooling system to break the equipment.
“You can bring the whole system down. It’s not an ‘if,’ it’s a ‘when’ question,” said Murchison, sitting in front of a screen displaying cyberattacks worldwide in real time.
A Government Accountability Office audit in December found that there isn’t enough being done to secure building control systems networks. “Building and access control systems are vulnerable to cyberattacks,” the report said.
The number of attacks reported on such systems rose 74 percent from fiscal 2011 to 2014, the GAO said, to 243 incidents.
But Intelligent Buildings isn’t advocating isolating computer systems from the Internet. Such connectivity makes it far easier to manage buildings and monitor for ways to cut down on energy consumption. However, they say many buildings are using software from many different vendors that can be out of date, missing security patches and have different security standards.
Instead, they say building systems should be on a single, unified network with up-to-date security measures. They also say the numerous vendors who service building systems need security policies, such as strict control over passwords and other access protocols when an employee is fired.
“Would you rather have one secure network or 17 that you don’t know what you’ve got?” said Shircliff.
Data-centered hacks have attracted far more attention in the media. Shircliff and Murchison are trying to make people more aware of building systems risks without panicking people.
Ray Rupuano, a Raleigh-based Cisco executive in charge of smart buildings, said it can be a challenge to convince executives that connecting more systems won’t actually create more vulnerabilities, if it’s done right.
“Customers see putting building systems on the Web as a risk, not as a way to prevent attacks,” said Rupuano. “We’ve got to get rid of the fear.”
Another challenge, Shircliff and Murchison said, is that facilities operations and information technology have been in separate silos.
“Traditionally, facilities management and IT are not having a lot of conversations,” said Shircliff. “We’re really bringing established IT cyber concepts to the building.”
To be sure, Shircliff said the worst-case scenario won’t happen in all, or even most, buildings. But he said developers should still pay attention to securing building systems controls, or risk harassing attacks.
“It may not be that a local high-rise developer here needs to worry about the worst North Korean hacker, but if there’s no measures taken, now he has to worry about the kid who’s just trying to create a problem,” said Shircliff.
Thanks once again to Intelligent Buildings’ Director of Cyber Security, Fred Gordy, who keeps the global ControlTrends Community and systems integrators current with his Cyber Security updates. Fred is calling for the widest dissemination of this information possible, and for responsible parties, at every level to take immediate actions to eliminate their exposure and safeguard their building against eminent attack.
Fred Gordy, Director of Cyber Security at Intelligent Buildings, LLC: I did a cursory search usingCensys device search engine of building control systems and the first systems to pop up were Niagara 4 systems. As most know Niagara 4 was released after the first of the year to integrator community at large. The discussion of cyber security for control system has been going on for over 4 years. So it is still amazing to me that control system devices are still being put directly on the web. These Niagara 4 systems would have had to been installed in the last 4 months.
The screen shot below are just the first page. I didn’t count the Niagara 4 system but I was still finding them 5 pages into the 357 pages listed.
With a “green” design that produces more energy than it consumes, Ethernet-connected lighting, total building integration down to the towel dispensers, and a hoteling app that assigns workspaces on an as-needed basis, the Edge Building in Amsterdam is widely touted as “the smartest building in the world.” Security features include a license plate recognition camera that recognizes the employee and opens the gate, and a robot that patrols the hallways at night.
But while much has been written about this fascinating space, buildings such as this are famous because they are rare. In fact, most buildings are still “dumb.” But buildings such as the Edge are the dream, with their cost-savings for owners and convenience for users. This is an early trend, but one that is likely to take off as technology trends such as IoT, the cloud, PoE and wireless make it more attainable than ever before.
Schneider Electric was one of the participants in the the Edge, in Amsterdam, widely considered to be the smartest building in the world. Photo courtesy of Schneider Electric.
“Smart buildings have certainly crossed the chasm into the mainstream,” says Brian Eckert, executive vice president and chief marketing officer, Kastle Systems, Falls Church, Va. “Initiatives like the U.S. Green Building Council’s LEED and the Department of Energy’s Better Buildings are driving the trend towards more efficient spaces across the board.”
The market is still in its infancy, though, says Ashish Malpani, director embedded solutions product marketing, HID Global, Austin, Texas. “The market for smart buildings is expected to reach the tens of billions of dollars in the next few years. However, much of the market is still in its early stages. Current efforts are only focused on energy, lighting and security systems for the most part, and solutions rely on interconnecting these systems along with IoT deployments.”
At that, security is the relative newcomer to the party. Traditionally proprietary, many buildings of a size to consider a smart building approach today are dealing with legacy systems that may need to be upgraded before being added to the building automation backbone that controls their lighting and HVAC systems, for example.
Most buildings today have many of the technologies in place necessary to be smart — but they are siloed, or just “somewhat smart,” says Ron Zimmer, president and CEO, Continental Automated Buildings Association (CABA), Ottawa, Ontario. “Most buildings are dumb buildings, but increasingly we are seeing more integration.”
Bill Bozeman, president and CEO, PSA Security Network, Westminster, Colo., sees smart buildings as still a ways off. “The hype is the smart building where everything all talks to each other with intelligence. It sounds incredibly good, but at this point in time, the majority of the higher-end security integrators actually are not even in the life safety or pro-AV business [much less building controls].”
But those very large companies that are doing it all agree: Security not only has a major and growing role in smart buildings, but most integrators that work in the commercial building space will at some point be faced with a customer that wants to work toward this goal.
“It is more of the promise at this point, but there is no question that this is where the market is going,” says Alessandro Araldi, vice president of global product management, Honeywell Security and Fire, Melville, N.Y. “It is not a question of if, but when we will see markets adopting smart building technologies and whenwe will be able to fulfill that vision or promise.”
Jason Ouellette, product general manager for access control, Johnson Controls, Westford, Mass., says the channel needs to adapt and change in order to make the promise a reality. “Part of the challenge is the fact that it doesn’t all happen through the same channels. In my opinion, we’re still in the emerging stages because of that, but the channel will grow or go through partnership levels to be able to get there.”
One integrator that stepped up to the plate early on was Dale Klein, CEO, Parallel Technologies, Minneapolis. “I bought a structured cabling company in 2005 as the foundation company to prepare for intelligent buildings.” Though Klein acknowledges that it is taking longer than he thought it would, he sees it as the way forward. “What I have learned is there is a future definition of intelligent buildings and we are just at the basic level right now.”
Security’s Role
The advent of IP and networking has really brought security systems to the forefront of what is needed for a truly smart building.
“With network video now the norm, physical security systems have an opportunity to be more integrated,” says Steven Anson, vice president of marketing, vertical market solutions, Anixter Inc., Glenview, Ill. “There is a desire today to be more efficient. Customers ask, ‘How can I leverage these resources?’ ‘Why can’t my building be more automated?’ ‘Why can’t I see actionable intelligence?’”
Matt Powers, vice president of technology support services for Anixter, calls security systems “the best kept secret in a smart building” due to the information they house. “What better information is there?” However, he points to some challenges.
“Security has historically been one of those things that are later down the road,” Powers says. “I think it is becoming more of a technology that is thought about up front but not from the standpoint of how to leverage the information within the systems.”
And that is the crux of the issue. “Historically security has been isolated or siloed from this from a mass market perspective,” says Steven Turney, security program manager, Schneider Electric, Dallas. “I have been here for 22 years and we have always done [smart buildings] as far as bringing the power, lighting and climate together. But even amongst ourselves security was somewhat isolated from the rest of the technologies in the building.”
According to an August 2017 report by Research and Markets, the smart building market is projected to grow from an estimated $7.42 billion in 2017 to $31.74 billion by 2022, at a compound annual growth rate of 33.7 percent during the forecast period. The report cites factors such as the growing need for integrated security and safety systems in buildings and the implementation of the IoT platform in building automation technology as main drivers of smart commercial buildings.Source: Research and Markets
This “legacy mindset” still exists, but is quickly changing, he adds. “Customers are more open to it and in some markets demanding and requiring it, making the pure security side of the industry have to step up.”
Consultant Shaun Klann, senior vice president, Intelligent Buildings, Charlotte, N.C., is seeing this as well. “One of the more modern trends we are seeing is a heightened focus on what we call use cases, or occupant experiences — what an employee or visitor would expect out of the building. In order to enable these use cases, data from security systems is becoming highly valuable and we are seeing the need to capture that data becoming quintessential.”
He also points to the desire of building owners and managers to “right-size” their portfolios and maximize efficiency as a driver. “One way of doing that is by looking at security data like video and access control and doing more with that security information.”
Jim DeStefano, national sales manager for security, Siemens Industry Inc., Building Technologies Division, Buffalo Grove, Ill., agrees. “I don’t think you can have a smart building without security. For everything from knowing when I walk in the building to turning on the lights, access control comes into play,” he says.Araldi, however, says video is “the ‘killer app’ of smart buildings. You can use that information to solve a whole bunch of different problems that are more business problems. I don’t think you can say the same thing for HVAC.”
Data today has become very important agrees Powers. “If you look at the security industry, we have gone through the IT/OT convergence and done a great job in the industry of migrating customers over to a pure IP network. The subsystems have migrated but that data is still siloed and for the security integrator, the key is how do you create an integrated security framework that allows that customer to benefit from that data? That is the key to the kingdom.”
Smart buildings need to meet the expectations of the occupant and technologies must work together flawlessly to provide a personalized experience, says Jody Ross, vice president global sales and business development for AMAG Technology Inc., Torrance, Calif. “The potential for security systems to make a big difference is there, particularly with the emerging mobile technologies. Streamlining operational efficiencies, such as room scheduling, HVAC usage and monitoring parking systems will continue to gain momentum as well. Building managers and tenants need to easily manage all functions from a mobile device.”
Right now security is still mostly focused at the perimeter, Malpani says. But that will continue to change as more of these systems get connected.
Becoming the ‘Master Integrator’
There is a conception that security integrators need to be very large and multi-disciplinary to play in the smart building world. That is still largely true for the biggest projects such as the Edge (which Schneider Electric was involved in). But as this trend becomes more widespread, more and more integrators will need to figure out how to become a “master integrator” themselves.
What is a master integrator? “There are different types of integrators such as IT, AV and security integrators, as well as HVAC, wireless and middleware integrators,” Anson explains. “The concept of a master integrator is relatively new terminology.” Right now there are just a handful of companies that can provide all of those disciplines, he says, but that is beginning to change.
The master integrator needs to bridge both the operational and the information side of the building, Klann explains. “There are multiple different systems and the more sophisticated the use is, the more sophisticated the integrator needs to be.”
However, there is such a thing as “a little bit smart,” and the road to becoming the master integrator can be long, with many opportunities along the way.
There are things happening today making this easier for integrators, such as more open protocols, and initiatives such as PSIA’s PLAI (physical security interoperability alliance) agent, says David Bunzel, executive director, PSIA. “One of the challenges we have and one of the more vexing issues for industries like security, which is late to the consolidation party, is that means you get companies with different PAC systems and the integrator has to figure out how to make it all work and make it easy.” That is one of the things PLAI has addressed, allowing companies to seamlessly synchronize privileges. “Security was the initial thing, but now we have the interfaces to accommodate hoteling, locker management, elevators, conference rooms and print stations,” he explains.
Some manufacturers are also getting on board the BACnet or Modbus, two popular backend protocols that help facilitate the smart building. “I absolutely think you can be a little bit smart,” says Chris Sincock, vice president security business, DAQ Electronics, Piscataway, N.J. “Yes, there will be opportunities to apply technology that is prevalent in security into building automation. For the small to medium-sized integrator that wants to get involved there are some things they can do right away.”
He suggests looking at BACnet-based non-security things such as lighting control or thermostats, especially ones that can be programmed simply without getting into all the controls.”
If this concept seems familiar, it is happening now in a big way on the residential side, with connected and smart homes. In fact, for the dealers who play in that space, if they are not looking at expanding into these areas, they may be in trouble in the near future.
The prediction on the commercial building side is not nearly that fast or that dire, but it is an opportunity that experts say integrators shouldn’t ignore.
“Looking at the smart home there are a lot of small dealers that are already doing some of this stuff where they are integrating temperature controls and video and garage doors,” says Amy Huizenga, director of marketing for global security solutions for Anixter. “On the smart building side, I would say that it is definitely within [the integrator’s] reach,” she adds.
“You don’t have to be a top-tier systems integrator to be a part of a project that is going to deliver a smart building; you just have to be more open in your mindset of how you work,” Turney says.
There is a continuum of “smart” buildings, from basic backbone, all the way through to the intelligent building. Image courtesy of intelligent buildings.
“This will be a massive systems integrator play — bigger than the security integrator or even building automation,” Klein says. But it requires different skillsets. (See “Partner to Play” on page 58.)
As an example, Klein says that his company began focusing on data centers, which has put them well on the path to becoming that master integrator. “We believe our vision is right but our timing was off, which is why we built out our data center group. People were willing to invest in that. And we built up a lot of skills in understanding electrical, mechanical and HVAC that will translate well to smart buildings.”
Araldi, too, agrees that there are many integrators that are well positioned to start doing at least parts of smart buildings. “As we meet integrators we hear over and over how much they are investing in IT. They all see that solution as important and a lot of them are hiring those people and building that expertise in-house. For all those reasons we absolutely believe they can play there.”
However, he agrees that ultimately, the goal will be to add or acquire all the skills needed to be the master integrator. “Now you have HVAC, fire, lighting and security and somebody in that value chain will have to play the role of the super integrator across the different systems. The security integrator is probably better positioned than others.”
No matter how you do it, Araldi has this advice: “Get on board. The train is slowly leaving the station and this is one of those things that once it has left it will be more difficult to hop on. That train has been trying to leave and hasn’t fully yet, but it feels like it is really starting to happen and the technology is coming together.”