What Is The Building Owner's Role in Cybersecurity?
Building owners and facility managers must take cybersecurity seriously. One useful tool is BACnet's new Secure Connect protocol. Here's what you need to know.
Building owners have a critical role in achieving cybersecurity. “It’s their building; they are responsible to their tenants, if they provide any communication infrastructure for the space,” says Jim Young, CEO/founder of Realcomm. “Of course, if the tenant modifies or installs their own communication infrastructure, then they may be a party to the risk.”
Even with best practices in place, it is impossible to eliminate all risk that an attacker will penetrate a building automation system (BAS). “No building owner can totally prevent cyberattacks,” says Andy McMillan, president and managing director of BACnet International. “Anyone who thinks their building is immune is probably being too optimistic.”
Nevertheless, the building owner has to take cybersecurity seriously. If the building owner has tenants who depend on the building’s infrastructure, then the owner needs to take cybersecurity measures that are consistent with good business practice, McMillan says.
“Each owner needs to do what is commercially reasonable, such as keep app patches current, develop policies and procedures against the most common problems, and control access to the building and its operations,” he says.
Even with the best cybersecurity program, not every new attack can be predicted before it happens. So Steve Brukbacher, director of product security operations at Johnson Controls, recommends that building owners look for building controls companies offering emergency vulnerability response, so that affected systems are patched and secured again as quickly as possible after a breach or a new vulnerability is discovered.
It’s up to the building owner to insist that every party involved with the BAS makes cybersecurity a priority.
“In the case of a BAS, security is a journey that the whole value chain is on together, including the BAS vendor, value-add resellers, systems integrators, IT networking infrastructure providers, and then end-customer building owners,” asserts Kevin T. Smith, chief technology officer of Tridium. “Anyone along this chain of roles could increase the cyber risk of the overall system by not abiding by cybersecurity best practices. This is a real challenge.”
One strategy to reduce exposure to cyberattacks, says Chris Kwong, chief technical officer at Delta Controls, is to use such standard IT practices as virtual private networks (VPNs) to secure networks or segments of networks. He also says proper use of credentials and passwords, keeping network ports closed by default and opening them only when in use, and identifying unusual traffic or events would help keep attackers out of the BAS.
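Two of the practices listed above, "ports closed by default" and "identify unusual traffic", can be checked mechanically against connection records from the BAS network. The example below is added here and is not code from the article or from any vendor named in it: it parses a few constructed flow records (one line per connection), compares them against an assumed site policy (trusted subnets, allowed services, and the set of hosts that normally talk on the BAS network), and reports anything that falls outside. The subnets, hosts and the record format are assumptions for illustration; 47808/UDP is the real BACnet/IP port.

```python
"""Baseline check over BAS network flow records (added example, not vendor code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed site policy (constructed for this example).
TRUSTED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16",   # controllers, BAS server
                                                     "10.30.5.0/24")]  # operator workstations
ALLOWED_SERVICES = {"udp/47808",   # BACnet/IP (0xBAC0)
                    "tcp/443"}     # HTTPS to the BAS server; everything else is "closed by default"
KNOWN_TALKERS = {"10.30.5.21", "10.20.1.15", "10.20.1.40"}  # hosts seen during the baseline period

# Constructed flow records: "<time> <src_ip> <dst_ip> <proto>/<dst_port> <bytes>".
SAMPLE_FLOWS = """\
2019-11-04T08:00:01 10.30.5.21 10.20.1.15 udp/47808 312
2019-11-04T08:00:02 10.20.1.15 10.20.1.40 udp/47808 120
2019-11-04T08:00:05 10.30.5.21 10.20.1.10 tcp/443 2048
2019-11-04T08:01:10 10.20.1.40 10.20.1.15 udp/47808 96
2019-11-04T08:03:33 192.0.2.77 10.20.1.15 udp/47808 88
2019-11-04T08:03:34 10.30.5.21 10.20.1.15 tcp/23 60
2019-11-04T08:04:00 10.30.5.88 10.20.1.15 udp/47808 52
""".splitlines()


@dataclass(frozen=True)
class Flow:
    time: str
    src: str
    dst: str
    service: str  # "<proto>/<dst_port>"
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record; malformed addresses raise rather than slipping past the checks."""
    time, src, dst, service, nbytes = line.split()
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return Flow(time, src, dst, service, int(nbytes))


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SUBNETS)


def check_flow(flow: Flow, known_talkers: set[str]) -> list[str]:
    """Return the policy findings for one flow (empty list means it matches the baseline)."""
    findings = []
    if not is_trusted(flow.src):
        findings.append("untrusted_source")        # traffic from outside the BAS/operator subnets
    elif flow.src not in known_talkers:
        findings.append("new_talker")              # trusted subnet, but a host never seen before
    if flow.service not in ALLOWED_SERVICES:
        findings.append("service_not_in_baseline")  # a port that should be closed by default
    return findings


def analyze_flows(lines, known_talkers=KNOWN_TALKERS):
    """Return (src, dst, service, findings) for every record that violates the policy."""
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        findings = check_flow(flow, known_talkers)
        if findings:
            flagged.append((flow.src, flow.dst, flow.service, findings))
    return flagged


if __name__ == "__main__":
    for src, dst, service, findings in analyze_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {service}: {', '.join(findings)}")
```

On the sample records this flags three things an operator would want to look at: a source outside every trusted subnet sending BACnet/IP traffic to a controller, an operator workstation opening telnet (tcp/23) to a controller, and a host in the operator subnet that was never part of the baseline. The baseline set would in practice be learned from a quiet period and refreshed when devices are legitimately added.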
Another way to improve cybersecurity is to move from an older, less secure system to a more secure version. Normally that cannot happen overnight. During the transition period, many building owners trust encryption to protect vital information traveling between workstations.
That can be a dangerous assumption, points out Carol Lomonaco, product manager at Johnson Controls. “If my workstation is using older IP communications and I get a worm, then when I send my colleague on a secure workstation a message, the worm also can hide behind the encryption.”
But cybersecurity is not simply a technological fix. Building owners also need “knowledgeable staff who understand risk levels and goals for systems,” says Hans-Joerg Schweinzer, president and managing director of Loytec GmbH.
Building owners do well to learn from Equifax’s $650 million mistake, the experts suggest. That means making sure firewalls, intrusion detection systems, and virus/malware signatures and patches, along with any certificates, are actively installed and kept current, and that the systems are continuously monitored.
Such due diligence will not guarantee a system is impervious to attack, but it will make the facility less attractive to many cybercriminals.
BACnet/SC: What building owners need to know
BACnet Secure Connect (SC) provides a way to create secure communications connections among building automation devices within facilities and across the internet, including to cloud services. BACnet/SC carries its messages over the industry standard WebSocket protocol, protected by TLS (transport layer security), the cryptographic protocol that succeeded SSL (secure sockets layer). Because both are ordinary IT protocols, BACnet/SC integrates easily with existing IT infrastructure.
All traditional BACnet capabilities are preserved in the new system, and existing BACnet deployments and devices can still be connected to it. Under development for 10 years, BACnet/SC can be aligned with existing IT standards and best practices, which allows users to create secure building automation infrastructure, as well as to unlock new cloud-based applications.
As new security innovations are available, BACnet/SC will be updated.
As an additional security measure, BACnet/SC requires that every device on the network hold a certificate properly signed by a certificate authority the site trusts before it can be connected; the certificate is checked on both ends of each connection, so a device cannot talk to the hub, and the hub cannot impersonate itself to a device, without one.
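The two paragraphs above describe the mechanism (WebSocket over TLS) and the rule (no connection without a signed certificate). What that rule looks like at the TLS layer is shown in the following added example, which is not code from the BACnet standard or from any vendor: it builds the hub-side and device-side TLS configuration with Python's standard `ssl` module, puts a typical "it connects, ship it" configuration next to it, and audits both. The file paths are assumptions (with no files given the contexts are built but cannot complete a handshake), the TLS 1.3 floor and hostname check are this example's own choices, and the WebSocket layer on top is omitted.

```python
"""TLS policy for a BACnet/SC-style hub and device (added example, not standard or vendor code)."""
import ssl


def hub_tls_context(cafile=None, certfile=None, keyfile=None):
    """Server side (the hub): accept a device only if it presents a certificate signed by the site CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # floor chosen for this example
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED            # a device without a valid cert is refused at handshake
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # trust only the site CA, not the system store
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # the hub's own certificate (assumed path)
    return ctx


def device_tls_context(cafile=None, certfile=None, keyfile=None):
    """Client side (a controller): verify the hub's certificate and present its own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # defaults to CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # the device's operational certificate (assumed path)
    return ctx


def weak_hub_context():
    """What a hub looks like when 'it uses TLS' is the whole security story: any client is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE                # no client certificate requested at all
    return ctx


def audit_context(ctx):
    """Return the policy gaps in a context as plain strings (empty list means it passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("TLS version below 1.3 allowed")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("hub name not checked against its certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hub", hub_tls_context()), ("device", device_tls_context()),
                      ("weak hub", weak_hub_context())):
        print(f"{name}: {audit_context(ctx) or 'ok'}")
```

The point of `verify_mode = CERT_REQUIRED` on the hub is that the certificate requirement is enforced by the TLS handshake itself rather than by application code that might be skipped; the point of loading only the site CA is that a certificate issued by any other authority, however valid, does not get a device onto the building network.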
One detail still being finalized is how to handle certificates, according to McMillan. Buildings have hundreds, sometimes thousands of systems and subsystems. To operate on a BACnet/SC network, each would need a valid certificate. And whenever an occupancy sensor or variable air volume (VAV) device is replaced, the old certificate will need to be revoked and the new device's certificate issued and installed. Who would be responsible for maintaining those certificates is still being ironed out.
While BACnet/SC does not have a publication date yet from ASHRAE, most experts believe it could come soon, with vendors implementing and beginning release of new products possibly as soon as 2020.