TIA and UL Solutions release SPIRE 2.0, an updated cybersecurity assessment criteria for smart buildings

The Telecommunications Industry Association (TIA) and UL Solutions have released a white paper that provides an overview of cybersecurity market shifts, trends, and global regulations and initiatives impacting today’s smart buildings. It also outlines how the new SPIRE Cybersecurity Assessment Criteria Version 2.0 addresses these impacts and provides an improved building-centric and streamlined approach to facilitate a more effective and efficient cybersecurity assessment process. 

Titled ‘SPIRE 2.0 Cybersecurity Assessment Criteria: Keeping Pace with the Evolving Cybersecurity Landscape,’ the white paper notes that while attacks on IT systems primarily target sensitive data and can result in significant financial losses and damaged reputations, cyberattacks on OT (operational technology) building systems can have physical consequences, such as building shutdowns, outages, leakages, or even explosions. They can even affect the safety and lives of building occupants, which is an enormous liability for building owners and operators.

“While threats to OT systems were primarily theoretical before 2020, consequential attacks have more than doubled annually,” the document identified. “Attacks on OT systems in a smart building can have more detrimental consequences when the facility is considered part of a critical infrastructure sector whose assets, systems, and networks are vital to national security, the economy, or public health and safety.”

The white paper also observed that an ever-increasing range of connected IoT (Internet of Things) devices and sensors deployed in smart buildings enable everything from energy and resource metering, space optimization, and predictive maintenance to environmental monitoring and control, asset tracking, and life and property safety. 

“These devices create more entry points into OT and IT systems, expanding the cyberattack surface. IoT devices are typically customized for specific functions with limited computational ability that can technically and financially inhibit incorporating adequate security measures,” the white paper said. “They also comprise many software and hardware components from a wide range of vendors across a vast global supply chain that rely heavily on third-party open-source software at greater risk for gaps in poorly written or undermanaged code.” 

Due to these vulnerabilities, cybercriminals increasingly regard IoT devices as low-hanging fruit to access and exploit. High-risk vulnerabilities in IoT-related code bases jumped 130 percent over the past five years, with the first two months of 2023 alone seeing a 41 percent increase in attacks targeting IoT devices compared to 2022. With more IoT devices and sensors come various cloud-based solutions leveraging open-source code to enable integration across diverse workloads. Open-source software vulnerabilities, misconfigurations, storage of large data sets, and lack of access restrictions are giving rise to more cloud-based security threats. 

The document also detailed that cloud exploitation cases grew by 95 percent, and nearly 40 percent of businesses experienced data breaches in their cloud environments in 2022. “While cloud providers are using emerging technologies like artificial intelligence (AI) and machine learning (ML) to help identify anomalies to detect malicious activity and software-related weaknesses, cybercriminals are also now leveraging these technologies to scan for vulnerabilities, automate malware, crack passwords, analyze stolen data, and formulate content used in social engineering attacks,” it added.

The white paper also noted that increasing cyberattacks and an expanding attack surface have given rise to several government, corporate, and industry initiatives based on various international cybersecurity standards and frameworks. “Several of these initiatives call out the need to comply with the latest National Institute of Standards and Technology (NIST) standards, including NIST Cybersecurity Framework (CSF), NIST 800-82 Guide to Industrial Control Systems (ICS) Security, and NIST 800-53 Security and Privacy Controls for Information Systems and Organizations.”

It added that others may require compliance with standards from the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), UL Solutions, TIA, or others.

The white paper also detailed that cybersecurity is becoming a key component of corporate governance under environmental, social, and governance (ESG) frameworks, requiring policies and procedures with oversight and reporting related to procurement, risk assessments, incident management, response, and disaster recovery. “Complying with growing legislation and governance requirements places more pressure on smart building owners and operators. At the same time, industry standards addressing cybersecurity are expanding their scopes to include coverage for emerging technologies, supply chain risk management, and governance,” it added. 

Based on the evolving cybersecurity landscape and feedback from multiple SPIRE Version 1.5 verified smart building assessments and program participant expertise, TIA and UL Solutions have significantly redesigned the SPIRE smart building assessment criteria for cybersecurity. SPIRE Cybersecurity Assessment Criteria Version 2.0 provides an improved building-centric approach to more closely address requirements and performance related to the built environment, including expanding OT exposure and the vulnerabilities that come with OT/IT convergence. 

The updated criteria also consider growing governance requirements from a global perspective with support for international standards and frameworks while adding clarification and context to streamline the assessment process. 

SPIRE Version 2.0 cybersecurity assessment criteria are structured as question-and-answer sets, grouped by category into four sections that together provide a high-level yet straightforward framework that is technology and standards agnostic: governance, covering policies, procedures, and oversight to ensure effective smart building cybersecurity; assets, covering the identification and protection of critical assets, including data, networks, devices, hardware, and software; architecture, covering the design and configuration of cybersecurity infrastructure, networks, systems, and technologies; and access, covering the management of access controls for users and systems, including authentication, permissions, account management, and authorized access.

SPIRE Cybersecurity Assessment Criteria Version 2.0 considers governance by documenting roles, policies, and procedures, including risk assessments for critical systems, change control, training, and incident response. The criteria address the vulnerabilities that come with gaps between IT and OT roles by considering users, assets, and policies related to smart building systems across IT and OT environments.

SPIRE Cybersecurity Assessment Criteria Version 2.0 addresses cybersecurity for all building assets, including the procurement, management, and maintenance of devices and systems. This includes supply chain security considerations to ensure that smart buildings are protected from cybersecurity risks from external vendors, such as open-source software used in IoT devices, systems, and platforms. 

The white paper added that the criteria respond to the vulnerabilities that come with IT/OT convergence by addressing the need for proper firmware updates, obsolescence monitoring, backups, and compliance with standards, legislation, and corporate requirements. The criteria address not only those deploying and operating smart building systems and devices but also the vendors that supply them.

SPIRE Cybersecurity Assessment Criteria Version 2.0 addresses the configuration, documentation, and protection of building systems, networks, and data via encryption, regular vulnerability scanning, and conformance to recognized industry standards and best practices. The criteria explicitly address the segmentation of various IT and OT functions to prevent an attack on one from impacting the other.

SPIRE Cybersecurity Assessment Criteria Version 2.0 addresses secure access to building systems and devices by ensuring that only individuals who need access are authorized to have it, via user management policies and procedures such as multi-factor authentication, policies governing remote access, and thorough documentation that logs which asset is accessed, when, and by whom.