Article

Securing buildings with intelligent room automation

How BlueRange can ensure cybersecurity for smart buildings.

The networking of the world

In the modern world, the Internet and digitalization permeate all areas of society, politics and the economy. The connectivity megatrend affects companies, authorities and private users alike. Networking based on digital infrastructures promotes the interaction of individuals, systems and things. Based on constantly available data and information in real time, completely new possibilities arise in the form of innovative technologies, automated processes and intelligent networks. This is also the case in the area of ​​smart buildings, in which networked components ensure optimal room control using decentralized, sensor-based room automation, completely autonomously and above all efficiently and sustainably.

Challenges of digitalization

Alongside all the opportunities for all markets and industries to develop new solutions for a better world, the vulnerability to unauthorized access and the risk of becoming a victim of a cyber attack are increasing. According to the Federal Office for Information Security (BSI)1, there has been a dramatic increase in both attempted and successful attempts to compromise systems. A worrying trend that is particularly affecting small and medium-sized companies and local authorities. The constant threat in cyberspace is higher than ever. The question is not if, but when an attack will occur. Cyber ​​attacks and sabotage threaten the security of everyone involved and pose an enormous economic risk. Affected companies experience not only significant financial damage, but in the worst case scenario, the total failure of their systems and even the loss of all data.

The Cyber ​​Resilience Act

Against the background of this development, it is imperative to introduce comprehensive countermeasures and make companies “fit” for these challenges. However, an increased duty of care for operators and users of systems would be too short-sighted. Rather, manufacturers must be obliged to invest in the security of their products in order to achieve a higher level of security in the long term. To this end, the European Parliament recently passed a new regulation, the so-called Cyber ​​Resilience Act, or “CRA-E” for short. With a transition period of 24 months for the EU member states to prepare for implementation in national law, binding requirements for the cybersecurity of products with digital components for the European market must be met. Strictly speaking, this means any hardware and software that can have a data or network connection during use, i.e. communicate digitally. These products are manufactured by companies and sold to end customers. But they are also used in companies for production, as well as purchased as preliminary products and further installed or refined, and are thus part of supply chains2. All companies that manufacture such products must comply with and ensure compliance with the requirements. There are also obligations for dealers and importers.

Cybersecurity as a permanent companion

Cybersecurity describes all measures to protect electronic systems, networks, programs and data, but also end devices such as computers and smartphones, to ward off digital attacks. The aim is to use specified standards to significantly strengthen the resilience of networked products that are brought onto the EU market against cyber attacks and to continuously eliminate vulnerabilities with regard to security gaps in systems. This begins with the requirements analysis and conception according to the “security by design” approach and accompanies the entire development process of a product. Resilience refers to the ability to be well prepared for such events and to be able to react quickly and effectively in an emergency to avert damage. Manufacturers must therefore ensure cybersecurity throughout the entire life cycle of their introduced products so that operators and users benefit from greater security. These include measures such as:

  • Delivering products with no known vulnerabilities and a secure default configuration that provides the ability to roll back to its original state.
  • Authentication, identity or access management that ensures protection against unauthorized access.
  • Protecting all data stored or in use or transmission using the latest encryption technologies.
  • Vulnerability management in the form of regular security testing.
  • Providing post-sale security updates for the life of the product or five years, whichever is shorter3.

Products and components in circulation are thus continuously protected and pose a significantly lower safety risk even after prolonged use.

Risk classes for connected products

The Cyber ​​Resilience Act divides products with digital elements into four risk classes depending on their function, intended use and criteria such as the extent of possible impact. A distinction is made according to the following classifications4:

UNCRITICALCRITICAL Class ICRITICAL Class IIHIGHLY CRITICAL
Storage media, graphics programsBrowser, password manager, antivirus program, firewall, VPN, physical network interfaceOperating systems, desktop and mobile devices, microcontrollers, chip cards, smart meters, robot sensors, all IoT devices, routers, firewalls for industrial useNot yet defined, are relevant for the resilience of the entire supply chain.

Certain legal requirements apply to each category: While a self-assessment by the manufacturer will be sufficient for non-critical products in the future, more stringent requirements apply to critical products. This primarily concerns the conformity assessment, which is based on EU-wide harmonized standards and is indicated by the CE marking. Class II products must generally undergo an assessment by certified third parties5.

Smart buildings with networked components

For sensor-based room automation, this means that all components with digital elements that are used in the building and are networked together for intelligent room control are subject to the Cyber ​​Resilience Act. These can include lights, valves for heating and cooling, ventilation units, air conditioning systems and sun protection. Based on the values ​​provided by room sensors, these actuators ensure an energy-optimized building and a pleasant room climate fully automatically. In order to enable sensors and actuators to communicate with each other, BlueRange is networked via a Nordic microprocessor (nrf52840), which is installed on a microcontroller in the component, e.g. a light. The software part installed there, the firmware, is responsible for establishing the connection to the BlueRange Mesh using Bluetooth-based radio technology. In addition, there is a microcontroller for the control intelligence of the light with the corresponding firmware from the light manufacturer for executing the light control. These digital elements in the lamp product are classified as critical Class II products according to the Cyber ​​Resilience Act and require special measures to meet stricter cybersecurity requirements. This also applies to smart meters that are connected to consumers and feed measurement data into the system. Or the BlueRange Gateway for the TCP/IP connection to forward sensor data to the BlueRange server or third-party systems for visualization and further evaluation.

BlueRange makes a significant contribution to security

In the context of smart buildings, it is crucial to establish network and information security as an integral part of the communication of networked components. In contrast, many buildings that use a conventional bus system have been exposed to constant risk for years. To date, wired KNX and BACnet components have not been secured. Through unprotected access, it is possible to read data streams and even intervene to control them.

In contrast, BlueRange secures its BLE-based wireless mesh end-to-end using 128-bit AES (Advanced Encryption Standard) encryption. This ensures secure communication between network participants such as sensors and actuators within the BlueRange Mesh. Network connections established via the BlueRange Gateway to the BlueRange server or connected third-party systems are encrypted using the TLS protocol (Transport Layer Security). In addition, secure data transmission is ensured via the communication protocol HTTPS (Hypertext Transfer Protocol Secure) and MQTTS (Message Queuing Telemetry Transport Secured).

As a basis for the digitization of new and existing buildings, BlueRange’s IoT platform enables the central management of BlueRange-enabled devices for sensor-based room automation. This also includes updating the parts, the digital elements, on the physical products of the manufacturers connected in the BlueRange OEM partner network. Using over-the-air updates (OTA), all integrated components can be conveniently updated remotely. This includes the manufacturer’s own firmware for the control logic of the component as well as the BlueRange firmware for the mesh part. In addition, operating system, BlueRange gateway software and mesh firmware updates can be rolled out automatically for the BlueRange gateway. The corresponding download URLs for update packages provided by BlueRange and relevant OEM manufacturers can be stored via an update configuration in the BlueRange dashboard. By activating auto-updates, an update plan can be mapped and carried out automatically on a regular basis. An update view informs the operator transparently about the availability of new software packages. Updates can be rolled out directly to registered components with older versions. In this way, components used can be consistently updated to the latest software version without having to carry out time-consuming manual interventions on site in the building.

BlueRange enables data protection-compliant operation, either in the company’s own infrastructure in the building (on premises) or in a German encrypted cloud (SaaS). In addition to data sovereignty, BlueRange’s multi-client capability also ensures strict data separation between organizations. Access control is ensured via central user management in the BlueRange IoT platform. Created users and user groups receive their access rights via integrated authorization management. Managed users receive individual user data consisting of user name and password for system access. Passwords can be reset and reassigned at any time. Defined password policies ensure that passwords are enforced for all users in an organization.

Conclusion

Due to the ever-increasing threat posed by cyberattacks, manufacturers of building components for sensor-based room automation are responsible for permanently protecting their networked products against digital attacks. Professional patch management and the provision and implementation of regular security updates can significantly increase the security of a system for intelligent room control. The BlueRange Mesh and the BlueRange IoT platform make it easy for operators to keep integrated components future-proof at all times. In addition, state-of-the-art encryption technologies and an authentication and authorization system protect against unauthorized access. This means that any threat to building operations due to security-relevant vulnerabilities in the selected room automation system can be permanently avoided.

Join the Evolution

Andre Maas

Andre Maas

Jonas Kaufmann

Jonas Kaufmann