NeverCry Cyber Defense for Building Systems
Joel Rakow, Ed.D.
Chairman CEO Peer Exchange | Publisher "Not the WSJ" | Senior Partner Fortium Partners - Cybersecurity
More than 50% of successful cyber attacks gain their first point of entry via building systems, as reported by the Harvard Business Review and Microsoft IoT Signals. This is the result of building systems being installed with too little attention paid to security.
First Layer of Defense. The NeverCry Cyber Defense provides the first, and often the only, layer of defense against cyber attacks. Fortium typically provides the NeverCry service at the behest of facility management, the IT organization, or Procurement.
The NeverCry Cyber Defense is initiated when the VAR receives a notice from its customer requesting that the VAR raise its standards and transparency regarding its cybersecurity practices. The VAR is referred to Fortium as a 3rd-party resource, but may select another resource or use its own internal resources.
No Budget Impact. The NeverCry Cyber Defense is deployed by the VAR using the tools, skills and processes identified by more than 80 CIOs of nationally prominent U.S. companies. To date, VARs readily accept financial responsibility in exchange for an increased likelihood of retaining their customers, plus other benefits.
NeverCry Deliverables. Fortium prepares VARs to deploy the NeverCry Cyber Defense by providing the following tools and learning experiences to building system VARs:
• Dedicated, qualified CISO as the NeverCry leader and security advisor
• A Cybersecurity Hygiene, with 30-60 security controls specific to the building system and the applicable market segment
• Preparedness experiences for VAR's field personnel delivered across 20 ten-minute sessions of coaching and discussion over 4 to 6 months
• Prototype contract language enabling end user and VAR to achieve mutual assurance and protection against legal liabilities and other issues
• An efficient and effective approach to IT security questionnaires
• Guidance for customer-facing personnel and senior management on cybersecurity matters
• Templates and coaching on “as-built” inventory lists for IoT devices
• Facilitation of annual review and improvements for cybersecurity hygiene
Samples of these deliverables are available upon request.
Second Layer of Defense. Add a second layer of defense using either a software-defined network (SDN) or a software-defined perimeter (a.k.a. Host Identity Protocol, or HIP). The SDN unifies the building systems (and other IoT devices) and serves as the IoT firewall. The HIP encrypts the identity of the IP address, rendering the IoT device invisible to unauthorized traffic. This enables you to manage access to your building systems.
This is today’s best practice for Facility Managers, with or without the assistance of the CIO or CISO. These two layers comprise a commercially viable defense against attacks that seek to use your building systems as the initial point of entry.