The Power and Convenience of Networked BAS Come With Cybersecurity Concerns As Well
Part 1 of a 4-part cover story on cybersecurity and the BAS.
The advent of building controls that are out on the Internet is a reminder that even the best of intentions can also produce potentially bad side effects. Facility managers have grown accustomed to the power of networked building automation systems (BAS) and are exploring the rapidly expanding Building Internet of Things (IoT). Networked controls have provided convenience, connectivity, better operational efficiency, occupant comfort, and remote control ability. But they have also introduced a new world of vulnerability to computer hackers, whose job, at least right now, is usually a cakewalk, according to cybersecurity experts.
Ask some of these experts how easy or difficult it is to penetrate building control systems at present and you hear laughter — not to make light of the situation, but to indicate how easy it is. Billy Rios, whose Silicon Valley-based company WhiteScope works on embedded security problems, says the general state of building control protection and readiness is very poor. Fred Gordy, director of cybersecurity for the consulting firm Intelligent Buildings, estimates only about 15 to 20 percent of BAS are “fairly substantial and resistant” to intrusion. “Some of the guys I respect through the industry — we’re all basically waiting for ‘Cyber 9-11,’ ” he says. “We know it’s coming.”
Rios also sees a growing brazenness in hackers, with ransomware and denial of service. “They want you to know that they’re there, because they’re telling you to pay a ransom or fee,” he says. “Gone are the days when you could just kind of silently ignore this and your business continues to function. Now these attackers are disrupting your business, taking away your communications, your IT assets, your patient data. What’s different is the way they’re now trying to monetize this.”
While some facility managers might take comfort in thinking a hacker would have little interest in playing around with their lighting, elevator, or HVAC systems, there’s a bigger potential problem: the BAS is simply a fairly easy entry point, and once it has been breached, the hacker can “pivot” into the corporate network and do far greater damage there.
Another tricky part of the challenge is that a single weak link in the long chain of protection — which ranges from integrators and other vendors to facility managers and building occupants — can expose the system to an intruder. For that reason, it is crucial that every link follows best practices, and stays up to date as these evolve, says Ronald Zimmer, president and CEO of the Continental Automated Buildings Association (CABA). “There are so many parts to it,” he says, “that it’s staggering to know the potential vulnerabilities of systems.” He expects many more intrusions to occur. “The reality is that the majority of buildings do have vulnerability that can be hacked.”
The picture is not all bleak, though. The means of better protecting building control systems from intrusion are, for the most part, not terribly expensive or sophisticated, the experts say. And while building owners and operators need to be more aware of the dangers, the number of attacks their building may be receiving, and the consequences of a successful attack, Zimmer says that, overall, the level of knowledge, company protections, and BAS quality are improving rapidly. The growing involvement of the insurance industry in cyber damage policy-writing could, in effect, enforce best practices. And it is conceivable that the spate of major computer hacks in the last few years — such as Target, Operation Stuxnet, and a German steel mill, which did not involve building controls — has thrown enough of a spotlight on vulnerabilities that it is beginning to raise the cyber consciousness of many facility managers.
This is the fourth article in our ongoing Building Internet of Things series.