Understanding Common Cybersecurity Weaknesses in Buildings
Knowing where your building automation system might be vulnerable to cyberattacks is the first step to preventing them.
The primary reason BAS can be an organization’s weakest digital link is that it was conceived and designed before the internet’s rapid growth.
BAS began with the development of proprietary direct digital controllers, explains James Lee, CEO of Cimetrics, Inc. “When BACnet became a standard in 1995, there were several networking protocols here and in Europe. It was not clear back then that TCP/IP would become the predominant protocol for the internet and beyond.”
BAS systems also stood alone, separate from IT networks. For buildings, which measure new technological advances in decades, the one-year-or-less development cycle of the IT world opened up a wealth of new opportunities to improve building operations and energy management. One way was tapping the communication potential of the internet.
Today, the BAS is using Building Internet of Things (B-IoT) devices, machine learning, cloud computing, predictive analytics, WiFi, and many other valuable tools that help make the built environment more responsive to building occupant needs, while simultaneously using energy resources wisely.
“We’re seeing a convergence of IT and BAS,” says Lee. “Now we need to bring cybersecurity through the full digital spectrum from the top application layer down to the end device.”
Building owners shouldn’t just assume that their systems are cybersecure.
“Many of the systems are decades old,” notes Chris Kwong, chief technical officer at Delta Controls. “They may have IP connectivity but may be several years behind in levels of security due to expired and not renewed service contracts.”
Kwong also points out that the BAS industry was focused on convenient accessibility and easier operational efficiencies. User access and network port access were accidentally left open, allowing potential internal attacks.
“BAS is not typically designed around a performance specification in regards to security,” explains Hans-Joerg Schweinzer, president and managing director of Loytec Gmbh.
Cybercriminals capitalize on two vulnerabilities — one technical and one operational — according to Andy McMillan, president and managing director of BACnet International.
The majority of vulnerabilities involve operational practices. “This is where 80 to 90 percent of BAS vulnerabilities lie,” explains McMillan. Examples include using group passwords or leaving ports open.
Anto Budiardjo, editor of New Deal for Buildings, agrees: “The weakest link is the people within the building.”
The technical side accounts for far less risk because IT departments have been forced to deal with cyberattacks for years, as the business used the digital highway to transmit information long before BAS systems went online. As a result, IT departments have implemented many cybersecurity best practices.
Now that building operations and IT operations are converging, the two departments need to work together more closely. Given the level of cyberattacks occurring, there’s no time to waste.
“Our experience has shown us that the average time between an IoT device being exposed to the internet and the first attack on that device is less than five minutes,” points out Kevin T. Smith, chief technology officer of Tridium.