Hackers Pose Threat To Building Automation Systems
Fifteen years after the dot-com explosion, retailers are still trying to figure out the best way to combine "brick-and-mortar" stores with the "click-and-order" retail style of online shops. That balancing act is an analog of the role that the built environment and the Internet play in modern society: The foundation of facilities operations is the brick-and-mortar structure, but we're increasingly integrating these structures with online methods.
But that integration brings a potential weakness that is of increasing concern: the risk that a building system connected to the Internet may be vulnerable to hackers. Hackers have used information publicly available on the Internet to gain access to building automation systems. And while the hack of the Target point-of-sale network did not involve the company's building automation system, the fact that an HVAC service provider proved to be the avenue for the attack focused attention on building systems.
Increasingly, it is vital for an organization's IT departments and facility departments to work together to close such potential attack avenues, mostly because even the savviest of managers might not fully realize the interconnection between BAS software and an organization's IT network.
"We're at a point where our intelligent buildings are on a single communication backbone, creating lines of attack for hackers," says Shane Riggio, vice president of information technology at Macerich, which owns and operates regional shopping malls in the western U.S.
Human nature being what it is, however, we rarely see ourselves as networked. It's not uncommon for an organization to philosophically segment itself by department. So it is logical that facilities folks see themselves as alone in the physical plant, disconnected from most other elements of an organization except the building itself.
Except that's no longer an accurate worldview.
First, a brief background on why this has become a nascent problem. Historically, building controls have had long operational timelines, often 20 years or more. Older systems were independent of one another and were controlled via analog methods, were vendor-supported as part of the controls process, used a hardwired/serial connection, or were not networked. Many also used proprietary or legacy systems, effectively creating standalone systems in disconnected silos. True, it took more time to operate or control or maintain these systems, but they were inherently safer from attack than a networked system that uses a central IP-enabled hub to control the BAS.