3 Steps to Building Automation System Cybersecurity
Cybersecurity is a topic that keeps senior executives up at night. Consumer data breaches and email hacking are constantly in the headlines. The truth is that any system connected to the internet is at risk — including a building automation system (BAS).
It is common for organizations to purchase (or create) a BAS, implement the solution, and then more or less forget about it, leaving the entire network and its controllers alone, sometimes for decades, until there is a failure. This mentality can create an environment where network security needs are not addressed. An intrusion into a BAS can lead to compromised building security and unplanned downtime of critical systems that can have rippling effects across a company’s (or a tenant’s) business processes.
Here are three core points of cybersecurity that facility managers should pay attention to. Failing to do so is to risk paying the price in security breaches and cybersecurity events.
1. Define required levels of security
In order to address the security needs of an organization’s BAS, a facility manager has to define the required uptime of the BAS controls. It is also necessary to know what sort of information is stored on the computers within the organization, as well as the type of information traveling on the network.
For example, a plant which produces steam may require 100 percent uptime on the controller communicating with the boiler producing steam while a heat-pump in an office building might only require 20 to 50 percent uptime to maintain a room’s temperature. The more valuable a piece of equipment is, the more likely it is to be targeted in a cyber-attack. Once risk is known it becomes easier to distribute resources and protect the most critical devices.
Properly securing a network can be an expensive endeavor; knowing what devices can cause harm if compromised indicates where to apply resources. A component such as a JACE should be seen as high risk because it is a critical device, can have a high amount of exposure (if they have been placed on the open web with a public IP address), and can face a high level of threat (they can appear on the website shodan.io, and if an attacker gains control of it they can control the BAS). There are ways to mitigate risk as long as risk is properly identified.
Looking solely at devices is not adequate to determine risk. Risk must also be determined by looking at the overall organization’s risk. An organization must be aware of internal as well as external threats to cause the organization harm. For organizations with low amounts of risk, access to a BAS may be justified through a virtual private network and firewall. An acceptable level of risk has to be defined. The organization’s upper management needs to decide whether the benefit of having certain levels of access outweighs the risk that access brings.
Facility managers should be aware that controllers are known to be less secure than a traditional MAC/Windows/Linux computer, and this lower level of security makes the act of pivoting across a network much easier. Since the BAS often communicates with a main computer, the BAS can be used in cyber-attacks (by botnets controlling zombie devices) or by malware to attack non-BAS systems. If a BAS is accessible to the internet over a virtual private network or is located on the open internet, it is risky to have it communicate even indirectly with devices that are mission-critical or that store mission-critical information.
In some cases, an independent network specifically designed for the BAS should be created in order to protect other information on the network.
The ideal configuration for a BAS would be to have the network take on an onion topology, with information protected through security layering. Getting further into the network, the security increases with multiple methods of ensuring information integrity. These methods can include firewalls and various unidirectional gateways to prevent sensitive information from passing through. Going still deeper into the network, the security increases and in these regions of heightened security, the most critical devices are placed, those that can have an effect on the lives of people and are mission critical.
In some instances, a facility may wish to implement wireless communication in a BAS. Often this is done for cost purposes or to get around having to pull cable in hard-to-reach areas. Before enabling wireless communication on devices, facility managers should be aware that it is easier to park by a building and attack a BAS wirelessly than it is to plug directly into a building’s network undetected.
2. Engage IT personnel
An IT network administrator knows the type of information traveling on the network, the protocols the network uses to communicate, what devices store valuable information, and the physical layout of the network. Engaging IT personnel makes it easier to configure the BAS security and integrate it into an organization’s overall cybersecurity strategy. For instance, some organizations will not want to utilize specific communications protocols or allow certain features of a protocol. For example, allowing plain-text in any form of data transmission could damage overall security. It is important to listen to IT personnel and work with them to come to a solution.
Additionally, IT personnel’s knowledge of critical devices/information is very important when it comes to layering of network security. IT staff can help identify devices that may contain mission-critical information. They will be able to help those creating a BAS impose network segmentation and even help justify an entirely separate network for the BAS if necessary. It is essential that those creating the BAS inform IT personnel which controllers can have a critical impact on cybersecurity if compromised and to explain the physical consequences of a cybersecurity event affecting the BAS. Even though IT often reports to the chief information officer or chief security officer, who are ultimately responsible when a breach of security does occur, it can never be assumed that those responsible for cybersecurity fully understand the potential security risks a compromised piece of equipment poses.
Many buildings have an Ethernet network already, which may be difficult to fully map out without aid. IT personnel should know which devices are connected to what ports. They should also have a network layout to show graphically where things are. These resources will help segment the BAS network if creation of an entirely separate network is not possible. Network layouts will help everyone involved come to logical conclusions about where to connect and why a specific area is optimal.
IT personnel can help roll out updates to a BAS. They may be able to provide remote access in some instances for patches and updates. Unfortunately patches and updates to most controllers are often put off. As a result, security holes might exist for weeks or months before a patch. Patching all devices on the BAS network incrementally as the patches come out is a best practice for preventing breaches. An IT professional should be engaged to coordinate patches and avoid issues with any other devices on the network such as firewalls, servers, and other computers which may have been installed for the BAS.
3. Develop appropriate policies and procedures
An organization needs to consider the extent of access to the BAS as well as when access will be granted. There should be independent accounts for each user or programmer and logs should be enabled for a BAS to keep track of access and any commands given. Logs are invaluable if and when a breach occurs and can help to prevent future intrusions.
Having a cybersecurity strategy for a BAS is essential in today’s connected world. No more are BAS systems able to work in isolation from the rest of a company’s infrastructure. By evaluating these three areas, facility managers have taken a giant step towards securing the system and minimizing risk.
Matthew Schwartz is director of engineering at Parallel Technologies. Bashar Shehadeh is network solutions architect for the firm.