Tweet

May 2019
Column
AutomatedBuildings.com

Innovations in Comfort, Efficiency, and Safety Solutions.
Belimo

(Click Message to Learn More)


Tighten Up on Cybersecurity

Formal cybersecurity defense rests on the evaluation tripod: Capabilities, Threats, and Mission.

Toby ConsidineToby Considine
TC9 Inc


The New Daedalus

Contributing Editor


Articles
Interviews
Releases
New Products
Reviews
Cube-USA
Editorial
Events
Sponsors
Site Search
Newsletters
Belimo
Archives
Past Issues
Home
Editors
eDucation
Distech Controls
Training
Links
Software
Subscribe
Control Solutions, Inc

Last month the focus of the issue was Cybersecurity. Cybersecurity is a complex issue with many facets, but it doesn’t need to be as hard as it is. A big problem is evaluating the tools, figuring out what they really do, and deciding what problems to solve.

Most security products promise the world, but it is hard to compare them and to understand what problem they solve. Marketing language alone describes what each product does, and it often hard to compare the claims and evaluate the risks.

It’s time to tighten up the Cybersecurity language, to evaluate threats to buildings and what harm they may cause.

Formal cybersecurity defense rests on the evaluation tripod: Capabilities, Threats, and Mission. Evaluation of the value of cybersecurity always depends on two of them. What will a Threat do to degrade a system Capability? How does each Capability support the organizational Mission?  And so on. Looking at the risks of systems in a building in this light

Readers of Automated Buildings are well aware of System Capabilities. The Smart Building sales cycle attaches those capabilities to the Mission. Different organizations have different missions, so the capability provided by a given building-based system may support different missions in different ways.

The Threat is too often ill-defined. What does an attack do, and what is supported by preventing each attack? How do we compare one security product to another? Evaluating the vendor claims too often seem like flim-flam, with no clear means to evaluate risks. The automated building industry itself makes this worse, as poorly defined claims are made in a language that prevents comparison or risk analysis.

J2 InnovationsIn April, I met with proponents of the cybersecurity taxonomy developed by the US Department of Defense to defined and classify threats The DOD Cybersecurity Analysis and Review (DODCAR) defines a taxonomy of cybersecurity threats, creating a standard language to discuss security, Each threat is defined in terms of what it does and how it works.

Building System integrators can look to each of these threats, and consider how each might degrade the capabilities provided by their systems. By looking to the missions that they see their systems into, they can evaluate the risks and costs of each vulnerability.

I recommend learning DODCAR and using it to clean up product claims, and to evaluate imprecise security language, and to understand where to get the most benefits from improved cybersecurity.

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf



footer

Haystack Connect 2019
[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]

Events

Want Ads

Our Sponsors

Resources