The digitization of building automation systems can deliver energy and operational savings, occupant comfort and safety, and a lower total cost of ownership. Cheaper, smarter, more pervasive edge devices are rapidly replacing proprietary equipment across applications that are varied, complex, and increasingly interconnected: HVAC, energy management, lighting control, video surveillance, and more.
The associated cyber risks must be actively monitored and managed while moving securely from proprietary/legacy systems to the edge. Poorly defended OT systems can be exploited as entry points into large public buildings or structures to cause chaos. The notorious Target breach demonstrated how network access granted to an HVAC contractor could be leveraged to ultimately steal payment card data for upwards of 40 million people.
Extending Xaptum’s SASE (Secure Access Service Edge) fabric to connected, dispersed smart facilities provides the following key benefits:
To tackle the expansion of attack surfaces and mitigate lateral threats, the Edge Network Fabric (ENF) isolates OT endpoints behind default-deny firewall rules, protecting their data and masking their public identities. It enables microsegmentation of assets within a facility into policy-based security zones, so that an endpoint compromised in one zone cannot reach endpoints in another unless policy explicitly allows it.
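What a default-deny, zone-based policy means in practice, as an added illustration rather than ENF's own implementation or configuration: a small policy evaluator that places endpoints in security zones, permits only explicitly listed zone-to-zone flows, and denies everything else, including lateral traffic between OT zones. The zone names, subnets and sample flows are constructed for the example; 47808/udp (BACnet/IP) and 554/tcp (RTSP) are the real protocol defaults.

```python
"""Added example (not Xaptum/ENF code): default-deny microsegmentation
policy for OT zones, evaluated against constructed sample flows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical zone layout for one facility: each OT asset class is its own zone.
ZONES = {
    "bms_server": ip_network("10.10.0.0/24"),    # building management servers
    "hvac":       ip_network("10.20.0.0/24"),    # HVAC controllers (BACnet/IP)
    "lighting":   ip_network("10.30.0.0/24"),    # lighting controllers
    "cctv":       ip_network("10.40.0.0/24"),    # IP cameras
    "it_lan":     ip_network("192.168.1.0/24"),  # corporate IT network
}
OT_ZONES = {"hvac", "lighting", "cctv"}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Allow-list: only these zone pairs/ports pass. Everything not listed,
# including any OT-zone-to-OT-zone traffic, falls through to the default deny.
# (A real firewall would also pass reply packets via connection tracking;
# this toy evaluates only the initiating flow.)
ALLOW_RULES = [
    Rule("bms_server", "hvac", "udp", 47808),      # BACnet/IP polling
    Rule("bms_server", "lighting", "udp", 47808),  # BACnet/IP polling
    Rule("bms_server", "cctv", "tcp", 554),        # RTSP stream retrieval
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Return 'allow' if an explicit rule matches the flow, else 'deny'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny"  # unknown endpoints never match an allow rule
    for r in ALLOW_RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (
            src_zone, dst_zone, flow.proto, flow.dport
        ):
            return "allow"
    return "deny"


def lateral_paths():
    """OT-zone pairs the policy lets talk directly; empty means no lateral path."""
    return {
        (r.src_zone, r.dst_zone)
        for r in ALLOW_RULES
        if r.src_zone in OT_ZONES and r.dst_zone in OT_ZONES
    }


# Constructed sample flows: legitimate polling, then attempted lateral movement.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.7", "udp", 47808),     # BMS -> HVAC: allow
    Flow("10.20.0.7", "10.40.0.3", "tcp", 554),       # HVAC -> camera: deny
    Flow("10.20.0.7", "10.10.0.5", "udp", 47808),     # HVAC -> BMS (reverse): deny
    Flow("192.168.1.20", "10.20.0.7", "udp", 47808),  # IT -> HVAC direct: deny
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}/{f.proto}/{f.dport}: {evaluate(f)}")
    print("lateral OT paths permitted:", lateral_paths() or "none")
```

The check worth keeping from this is `lateral_paths()`: a policy review that confirms no allow rule pairs two OT zones is how you verify the segmentation claim, rather than trusting that "default deny" alone prevents a compromised HVAC controller from reaching the cameras.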
The ENF is foundationally designed to extend IT-grade firewall and security mechanisms to dispersed OT endpoints. It enforces Zero Trust networking between OT and IT, with built-in identity and access management (IAM) at scale, thereby facilitating a seamless convergence of the two.
OT endpoints are assigned unique, permanent IP identities that allow persistent remote tracking from a central single-pane-of-glass dashboard. Building operators and their insurers can leverage the resulting visibility into previously invisible OT networks to assess underwritten risks, using end-to-end data trails to quantify exposure.
Because the ENF is a standards-compliant IP network, any vulnerability or threat-detection tool can be used on it. Xaptum can host such a tool for building operators (for example, the open-source IDS/IPS Snort), or operators can configure an ENF network tap to send a copy of all traffic to a third-party inspection system of their choice.