SD-LAN Helps Mitigate Smart Building Physical Cybersecurity Risks

According to a recent Fortune Business Insight industry analysis report, the global smart building market is expected to grow at a compound annual growth rate of 12.6% through 2026. Much of this growth revolves around the implementation and management of IP-based physical security technologies such as surveillance cameras, door access controls, alarms, and contact tracing tools. Building owners have seen the potential of first-generation smart building technologies and are looking forward to deploying next-generation smart tools to improve the overall safety and privacy of occupants.

Because of the criticality of smart building physical security devices, it is becoming increasingly important that they be properly protected from cyber security risks, both known and unknown. Implementing cyber security safeguards is also useful when seeking to purchase cyber security insurance policies. As Rick Varnell, Chairman, Advisory Board of Building Cyber Security, a leading non-profit physical cyber security organization, states: “The number of cyber security claims is up substantially this year compared to the previous 12 months. That is why it’s so important stakeholders integrate the right cyber security tools that adhere to certain standards and frameworks that insurance companies look for. Doing so will help demonstrate that core cyber security processes and procedures are followed. Proving that a building or campus meets all the necessary cyber security protection standards will ultimately lead to lower policy premiums.”

The protection of smart building physical security devices often proves to be a challenge as many of these IoT devices are notoriously insecure out of the box. While IT security administrators could address cyber security mitigation directly at the device level, a more innovative approach involving SD-LAN technologies is proving to be far more effective and easier to manage.

If one steps back and looks at what is required to mitigate the cyber security risks of smart building technologies, three key trends emerge. First, IT support staff must have the visibility necessary to ensure operational uptime of critical devices. Second, additional security measures should be wrapped around insecure smart building sensors that connect to the corporate LAN. Finally, a network should be built to help facilitate the integration of modern cyber security technologies such as artificial intelligence for IT operations (AIOps) and zero-trust cyber security frameworks.

Let’s look at how SD-LAN architectures can help accomplish these smart building cyber security requirements.

How SD-LAN helps reduce smart building physical cyber security risks

The same software-defined (SD) technologies that are commonplace throughout corporate WANs and data centers are beginning to take hold within the LAN. While the advantages of an end-to-end SD-LAN include network agility and efficiency gains over traditionally deployed networks, SD-LAN also offers several cyber security benefits. These benefits happen to align well with what needs to be accomplished to mitigate smart building cyber security risks.

Because SD-LAN architectures use a centralized control plane for configuration management and network/device monitoring, it allows administrators to categorize end-devices into highly granular groups. These device groups can then have unique switchport operational configurations and security policy applied via configuration templates. This is useful for ensuring that all smart building security devices deliver accurate and uniform port security no matter where the devices are deployed on the LAN.

Another cyber security advantage due to SD-LAN’s centralized control plane is that it becomes a single-source of configuration truth. The ability to configure switchport security policy once, then use built-in automation tools to push policy out to all ports that require changes takes seconds as opposed to hours. It also significantly reduces the chances of a configuration error, which could lead to the opening of vulnerabilities that could later be exploited. Having this level of security-policy assurance is essential when looking to implement advanced security tools and frameworks such as AIOps and zero-trust.

Finally, the ability to manage the entire network from a single pane of glass management interface lowers the overall risk of lost or stolen network credentials. Stolen usernames and passwords can be used by bad actors to modify switchport configurations with the intention of exploiting weaknesses within smart building physical security devices. SD-LAN architectures significantly reduce the number of usernames and passwords required to manage a LAN. It also disallows anyone from locally connecting to a network switch to make unauthorized changes. Eliminating these risks goes a long way toward better securing the LAN and all devices that reside on it.

When looking at specific cyber security challenges for smart building physical security devices, an SD-LAN can:

Eliminate the complexity of deploying and managing 802.1x and MAC address authentication switchport features

• Because devices are organized into groups, port security policy is configured once and applied to all devices that require changes.
• As smart building security devices move within a building, the network keeps track of the device, and port policies automatically move with them.
• Unauthorized devices can be placed into a virtual walled-garden VLAN, safely separating them from the rest of the network.

Continuously monitor for unauthorized LAN configuration changes

• Due to the SD-LAN architecture’s ability to manage and automate the monitoring of a network from end-to-end, the control plane can monitor for unauthorized changes made at the local switch level -- then stop or revert those changes. This prevents the ability to disable LAN port security features with the intention of compromising smart building technologies.

Simplify configuration management to reduce unintended gaps in LAN security

• An SD-LAN management interface limits the types of switch configurations that can be made. This prevents the accidental enablement of obscure configuration commands that can lead to unknowingly creating a gap in cyber security posture.

Virtual traffic segmentation for multi-tenant buildings

• For multi-tenant deployment scenarios, SD-LANs can easily and safely be configured to segment tenant traffic into individual virtualized networks.

Monitoring of specific switchports that connect to critical physical security devices

• When devices are organized into configuration policy groups, SD-LAN can also be configured to flag certain devices or groups as being “mission-critical”. Doing so allows administrators to keep a closer eye on the uptime and operational status of these devices at the port level.

Provide configuration cleanup/remediation of legacy brownfield network configurations

• For brownfield SD-LAN implementations that use third-party switch hardware, a vendor-agnostic SD-LAN platform can automatically scan and audit active switchport configurations. The platform can then use AI to automatically identify and eliminate incorrect or unnecessary commands that could potentially lead to a network or device compromise.

Mitigating smart building physical cyber security risk starts at the LAN

As buildings become increasingly complex from a cyber security risk perspective, it’s important to build smart building physical security projects atop a fully secure and operationally aware LAN. The manual processes and lack of visibility required to support smart building technologies can be a recipe for disaster. Thus, the mitigation of smart building cyber security risk is shaping up to be one of the key driving factors that propels SD-LAN technologies into the mainstream.