Smart Connected Buildings - Cybersecurity Maturity Model (SCB-CMM): Proliferate Cybersecurity Maturity Level in Smart Connected Buildings To Facilitate Secure Integration with Smart-Grids and Micro-Grids
By Mangaya Sivagnanam and Dr. Massoud Amin
The Smart Connected Buildings (SCB) represent a convergence of latest cutting-edge technologies including Self-awareness, Predictive Maintenance, Convergent Networks, Wireless Retrofits, and Biometric, all with security built-in as a design criterion. They continuously integrate and interact with the Smart-Grids and Micro-Grids to optimally achieve functions such as Combined Cooling-Heating-Power, Solar-Photovoltaic, Wind Generation, Energy Storage and sophisticated grid controls and optimization software.
The SCB is the inner-most element within a smart grid and the fact that buildings are the number-one energy consumption nodes and also the most significant producer of distributed renewable energy. The role of buildings in the Smart-Grid infrastructure is very crucial. As many of these net-zero energy buildings operate with less energy and less operating cost; these improvements make them more appealing on many fronts – with the cost of operation to LEED certification, predictive maintenance, full-life-cycle asset management, Demand Response, and more.
Currently, SCB across all critical infrastructure do not have the same cybersecurity maturity levels and do not necessarily align with smart grid standards. So, integrating the two entities (SCB and Smart-Grids) with different maturity levels makes SCB more vulnerable (due to mismatches and holes in the seams where they connect and exchange information). At the same time, it makes smart grids susceptible to various eavesdropping and attacks as these buildings can potentially become an easy-entry point for intruders.
So the recommendation is to proliferate cybersecurity maturity level of the SCB to match features, technologies, and maturity with the connected micro or smart grids.
Resilient buildings and cities are prerequisites to support the vision of “Resilient Nation” discussed and presented in various settings, during the past 20 years (including Y2K, post 9/11, persistent cyber-physical attacks, post major natural disasters, and more.). Therefore, before infusing external security and intelligence into our buildings, it is more prudent if SCB can intrinsically secure itself and become smart, secure, resilient, and sustainable. Security needs to be built in as part of its design, the Smart Connected Buildings Cybersecurity Maturity Model (SCB-CMM) supports this strategy.
The model helps infuse Command, Control, Communication, Computation, and Intelligence (C4I) in buildings; and create cost-effective and risk-informed improvements to the cybersecurity standards and programs (across all sectors with various backgrounds and sizes). More specifically, the SCB-CMM focuses on the implementation and management of cybersecurity standards and programs on SCB considering the deployment of information technologies (IT) and operational technologies (OT) integrated within the cyber-physical systems (CPS) in the environments which they operate. This system/model includes several tested/proven benefits, which include:
- Strengthen cybersecurity standards and capabilities and enables a very secure integration and interaction with smart grid and micro grid.
- Enable SCB to evaluate the threats, risks, and capabilities frequently, and improves buildings efficiency and resiliency.
- Provides a layered security approach protecting endpoints, applications, data, networks, and digital space.
This system/model provides flexible, agile and scalable standards and guidance to benefit SCB to improve cybersecurity maturity levels. The model comprises of 12 main domains to group the cybersecurity standards, programs, and practices. Each domain delivers a purpose for the organization's cybersecurity measures. They are “Flexible and Agile OT/IT Network Governance”, “Risk Management Framework”, “Asset and Configuration Management”, “Access Management”, “Threat-Vulnerability Management Process”, “Patch Management “, “Network Assessments”, “Situational Awareness”, “Information Sharing and Communication”, “Incident Response and Business Continuity Program”, “Supply Chain and Vendor Management”, and “Cybersecurity Training”.
The model provides an edifice and contingencies plan for handling uncertainty in heterogeneous systems in network governance. It influences the enterprise’s governance by evaluating standards, policies, procedure, regulations, audit process, and compliance with other IT/OT/CPS requirements. It cogitates innovations in building-technologies along with the growing risk, threats, and vulnerabilities in the industries. Thus the model develops a stimulus approaches capable of adjusting and improving the cybersecurity maturity level in organizations and 16 critical infrastructures functioning in the SCB. Seamless integration of all 12 domains develops a secure SCB.
The model’s domains serve specific objectives, roles and practice plans to increase the cybersecurity standards in the SCB. The recommendations are implemented in the bottom-to-top approach progression. The progression has both short-term and long-term implementation plans comprising of six main phases. Phase 1 starts by setting a foundation with proper “cybersecurity training.” Phase 2, for network security, the organization needs to establish an appropriate foundational approach like “Asset-Configuration Management,” “Access-Management,” “Network-Assessments,” “Information-sharing and Communication.” Phase 3, the organization needs to strengthen its“Situational-Awareness” by maintaining appropriate process and technologies to collect, analyze and ingest cybersecurity information efficiently.
The first 3 phases are the recommended short-term goals that help the organization to set a proper background and gain the necessary momentum to support effective implementation and functioning of other domains/functionalities.
For example, with proper implementation and initial focus the “Network Assessment” domain will indirectly improve the maturity level of “Risk and Threat–Vulnerability Management” domains in the longer-term initiatives. Similarly, the “Asset-Configuration” and “Patch Management” domains are interlinked; so improving the maturity in the first will facilitate effective patching in all edge systems in the building networks.
Also, with appropriate “Situational Awareness” security controls in place will advance the organization’s “Incident Response” capabilities.
Phases 4, 5, and 6 are part of longer-term recommendations. In phase 4, the organization can enhance overall cybersecurity standards by “Risk Management Framework,” “Threat-Vulnerability Management,” “Patch Management,” and “Supply-Chain and Vendor Management.” Phase-5 “Incident Response and Business Continuity” program improve immediacy to respond to incidents. Finally in phase 6, “Flexible-Agile-Governance” develops synergy among all 12 domains and supports the organization to become a stimulus to react to threats with technology advancements and innovations.
Cyber connectivity has provided many benefits. However, it has increased the complexity of systems. Enterprises aiming to modernize their facilities, need to overcome significant challenges before massive deployments of smart-technologies in their buildings, to predict, prevent, contain and terminate cyber-physical attacks. The model presented helps organizations to proactively respond to increased cyber-physical attacks as an integrated part of emerging technologies and innovations in building technologies.
Broad use of the SCB-CMM model across all critical infrastructures supported benchmarking sector's cybersecurity maturity and provided a roadmap to secure smart cities. A resilient infrastructure builds a resilient city and a resilient nation. In summary, the SCB-CMM develops resilient, self-diagnosing, self-healing buildings, and facilitate secure integration with smartgrids; thus aids in building secure smart cities, and helps achieve the vision of a “Resilient Nation.”
Finally, in the complex SCB networks, the human participants themselves are the most susceptible to failure and the most adaptable in the business recovery. So proper cybersecurity training and awareness are mandatory for employees since no technology can replace qualified security professionals.
Figure 1: SCB-CMM Maturity Approach Progression in an Organization
Figure shows the graphical representation of how 12 domains of the model are structured and layered in the maturity approach progression in an organization along the area of focus where it is People, Process, and technology
Mangaya Sivagnanam is a principal cyber security systems architect with 17 years of experience in software applications design, analysis, development, testing and deployment of web/enterprise based on client/server applications and commercial industrial control systems. She is responsible for the framework and application design and development of web-based and embedded software for control systems. Mangaya has expertise and experience in innovation, security architecture for the web application, industrial control systems, internet of things, mobile, cloud computing, big data security, smart connected buildings and smart cities. She has extensive experience with heterogeneous system’s software design (Secure SDLC), threat modeling, security and risk analysis, penetration testing. She is also responsible for coordinating and managing the incident response process for the advanced building automation systems and solutions. She received an MS degree in Security Technologies | Cybersecurity in Technology Leadership Institute University of Minnesota.
Dr. Massoud Amin, IEEE Fellow, is Director of the Technological Leadership Institute (TLI). He holds the Honeywell/H.W. Sweatt Chair, is a professor of electrical & computer engineering (ECE), and a University Distinguished Teaching Professor Award Recipient at the University of Minnesota. He is Chairman of the IEEE Smart Grid, a Fellow of ASME and, from June 2010 to August 2017, was a member of the Texas Reliability Entity (as board chairman), a utility industry regional entity that oversees reliability. From January 2013 to August 2017, he also served as a board member of the Midwest Reliability Organization.
Before joining the University of Minnesota in March 2003, Dr. Amin was with the Electric Power Research Institute (EPRI) in Palo Alto, Calif. He pioneered R&D in smart grids in 1998, and led the development of 24 technologies that transferred to industry. After 9/11, he directed all security-related R&D for U.S. utilities. He has led research, development, and deployment of smart grids, and the enhancement of critical infrastructures’ security during this period. He is considered the father of the smart grid.
At EPRI he received several awards including six EPRI Performance Recognition Awards for leadership in three areas, the 2002 President’s Award for the Infrastructure Security Initiative, and twice received the Chauncey Award, the Institute’s highest honor.
He has been recognized by his alma maters, receiving the 2011 Distinguished Alumni Achievement Award at Washington University, and the 2013 Outstanding Senior Alumni Award at the University of Massachusetts. He was the inaugural Thought Leader of the Year, Energy Thought Summit 2015 (ETS '15); inducted into the University of Minnesota’s Academy of Distinguished Teachers (2008); President’s Award for the Infrastructure Security Initiative, EPRI (2002) twice - received the Chauncey Award, EPRI; Professor of the Year, Washington University in St. Louis (1992-1995). He is the author of more than 200 peer-reviewed publications, editor of seven collections of manuscripts, and served on the editorial boards of six academic journals.
In summary, Dr. Amin’s professional contributions have primarily been in three areas:
- defense networks, combat & logistics systems - C4I (1982-1997)
- modernization, efficiency, security & resilience of interdependent national critical infrastructures, including power, energy, communications, finance, and transportation (1997-present), and
- technology/business/policy foresight & strategy (1997-present).
Dr. Amin holds B.S. (cum laude), and M.S. degrees in electrical and computer engineering from the University of Massachusetts-Amherst, and M.S. and D.Sc. degrees in systems science and mathematics from Washington University in St. Louis, Missouri.