As the smart buildings sector becomes increasingly connected and remote work becomes the norm, secure remote access to operational technology (OT) systems for real estate owners and operators has become a necessity. Unsecured access to a building network can lead not just to the risk of data loss and reputational damage: OT systems like the BMS, HVAC and elevators could be compromised or even encrypted, making buildings unoccupiable. Real estate organizations commonly rely on Virtual Private Networks (VPNs) and desktop sharing apps like TeamViewer to facilitate remote access. However, these technologies are increasingly the targets of hackers, as they provide an easy point of entry for ransomware attacks and data breaches. Read more to understand these risks and learn about a more secure alternative: modern cloud-based remote access platforms.
What’s wrong with a VPN?
VPNs have been a popular choice for remote access to OT systems in smart buildings, both for user access and for device-to-device connections, because they create encrypted connections between devices over the internet. However, because of their popularity and their architecture, they are also popular targets of hackers, as in the recent Fortinet exploit by the Chinese government. While most real estate systems are not the targets of nation states, these common vulnerabilities can be exploited by any bad actor. VPNs are a major attack vector for building systems and can expose owners and operators to significant cybersecurity risks, including:
- Inadequate authentication: Most VPNs rely on usernames and passwords to authenticate the user and their external device, and these credentials can be easily compromised through phishing attacks or brute force.
- Limited controls: VPNs do not usually provide fine-grained access controls. Once someone is connected to a building network via VPN they can often move laterally from device to device, which can lead to unauthorized access to sensitive resources in smart buildings.
- Lack of audit trail: The architecture of VPNs allows for logging of user authentication to the VPN, but once the end user is connected to the remote network there is no visibility into what systems and applications they access. In the case of an incident it is difficult to perform audits for reporting, and it can delay the discovery of root causes, giving bad actors more time to do damage.
- Direct connection from users’ desktops: VPNs typically allow users to connect directly from their desktop to the remote system. These devices may belong to vendors and not be managed by IT, reducing controls and opening up the chance for malware or viruses to be accidentally introduced into OT networks.
What about remote desktop sharing apps?
They are even worse. Desktop sharing apps, such as TeamViewer, allow users to remotely access and control computers over the internet. They are often installed on the BMS or building access control head-ends for remote access by vendors and facilities teams. While these apps can be convenient, they are notoriously insecure, so much so that the parent company of TeamViewer was hacked and all their user information was stolen. Some of the challenges with desktop sharing applications are:
- Weak authentication: Like VPNs, desktop sharing apps often rely on weak authentication methods, such as passwords. This makes them susceptible to attacks that could grant unauthorized access to sensitive OT systems in smart buildings. Also, like VPNs there is no mechanism in place to ensure the endpoint is a known device, weakening perimeter security.
- Lack of granular controls: Like VPNs, there is no granular control of access. Typically, remote desktop access applications give the user access to the full desktop, meaning they can run any application and browse any connected network to move laterally to other devices.
- Software vulnerabilities: Desktop sharing apps can have vulnerabilities that, if exploited, could lead to unauthorized access or the execution of malicious code. Often these applications are left running continuously, so any exploit is available to bad actors around the clock.
- Decentralized management: Desktop sharing applications are typically installed on the end device and are not centrally managed. This lack of centralization makes it difficult to manage users, particularly keeping user lists up to date with high turnover or a large number of vendors.
Cloud-based remote access to the rescue!
To mitigate the risks associated with VPNs and desktop sharing apps, real estate owners and operators should consider cloud-based remote access. These platforms complement a zero-trust architecture by providing a single secure tunnel from known cloud infrastructure, instead of one connection per user as with VPNs. This approach offers numerous advantages:
- Stronger authentication: Cloud-based remote access solutions use bookended certificates (a certificate at each end of the tunnel) to provide a higher level of authentication than username/password combinations. Certificates are less susceptible to phishing attacks and can also be combined with other authentication factors for increased security, reducing the risk of unauthorized access to smart building OT systems.
- Fine-grained access control: Cloud-based remote access solutions allow for the implementation of granular access controls, ensuring that users have access only to the specific devices and resources they need to perform their tasks in smart buildings.
- Simplified management: Cloud-based solutions typically offer centralized management, making it easier to monitor and control remote access across the organization. This can help prevent misconfigurations and reduce the risk of unauthorized access in smart buildings.
- Enhanced security: Cloud-based solutions often include built-in security features, such as data encryption, intrusion detection, and monitoring capabilities, further bolstering the organization’s security posture in the smart building sector.
- Scalability: Cloud-based remote access solutions can easily scale to accommodate the changing needs of real estate owners and operators, whether it’s expanding their remote workforce or adjusting to fluctuations in demand for access to OT systems in smart buildings.
- Improved performance: Cloud-based remote access solutions can offer better performance than traditional VPNs, ensuring that latency and bandwidth constraints do not negatively impact OT system performance in smart buildings.
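To make the contrast with the VPN weaknesses above concrete (network-level access, no audit trail, unknown endpoints), here is an added, constructed illustration of the broker-style policy a cloud-based platform applies: the user identity and endpoint fingerprint are assumed to come from the two certificates, each request is checked against a per-host allow-list, and every decision is logged. This is example code, not any vendor's implementation; the user names, host names and fingerprints are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Session:
    user: str       # subject CN from the user's client certificate (assumed)
    device_id: str  # fingerprint of the enrolled endpoint certificate (assumed)

@dataclass
class AccessBroker:
    """Grants access per named OT host, not to a whole building subnet."""
    policy: dict            # user -> set of OT host names the user may reach
    enrolled_devices: set   # endpoint certificate fingerprints managed by IT
    audit: list = field(default_factory=list)

    def authorize(self, session: Session, host: str, service: str) -> bool:
        if session.device_id not in self.enrolled_devices:
            allowed, reason = False, "unenrolled device"
        elif host not in self.policy.get(session.user, set()):
            allowed, reason = False, "host not in user's allow-list"
        else:
            allowed, reason = True, "policy match"
        # Every request, allowed or denied, becomes an audit record.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "device": session.device_id,
            "host": host, "service": service,
            "result": "ALLOW" if allowed else "DENY", "reason": reason,
        })
        return allowed

# Constructed policy: the HVAC vendor may reach only the BMS head-end.
BROKER = AccessBroker(
    policy={"hvac-vendor@example.com": {"bms-01"}},
    enrolled_devices={"SHA256:constructed-laptop-fingerprint"},
)

def lateral_move_demo():
    vendor = Session("hvac-vendor@example.com",
                     "SHA256:constructed-laptop-fingerprint")
    first = BROKER.authorize(vendor, "bms-01", "https")
    # On a VPN the vendor would already be on the subnet with this host;
    # here it is simply absent from the allow-list, so denied and logged.
    second = BROKER.authorize(vendor, "door-controller-02", "ssh")
    # Same user, but from a laptop IT has not enrolled: denied as well.
    rogue = Session("hvac-vendor@example.com", "SHA256:unknown-device")
    third = BROKER.authorize(rogue, "bms-01", "https")
    return first, second, third

def denied_events():
    return [e for e in BROKER.audit if e["result"] == "DENY"]
```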
In today’s hyperconnected world, real estate owners and operators must carefully consider the cybersecurity risks associated with remote access to operational technology systems in smart buildings. While VPNs and desktop sharing apps like TeamViewer have traditionally been popular choices for remote access, they come with significant security vulnerabilities that can expose organizations to data breaches and other cyber threats.
To address these risks, real estate owners and operators should consider adopting a cloud-based remote access solution that uses bookended certificates for enhanced security. This approach offers a more secure, scalable, and manageable solution that enables organizations to provide remote access to their OT systems in smart buildings without compromising on security.
By making the shift to a cloud-based remote access solution with bookended certificates, real estate owners and operators can effectively mitigate the risks associated with VPNs and desktop sharing apps, protecting their critical OT systems in smart buildings and ensuring the continued success and security of their operations.