Why Building Management Systems Are At Risk Of Cyberattack
But the last 15 years have seen tremendous synthesis of traditional operational systems with networked information systems. That means that facility managers — many of whom are operating a facility or campus that includes access points to a corporate or organizational network — must be aware of the risk of cyberattack on their building management systems.
Traditionally, because building controls are seen as the purview of a select few who understand them, says Jim Sinopoli, principal at Smart Buildings, BAS was seen as useless because a hacker wouldn't understand the system he or she had hacked into. That has changed.
Most organizations have Internet-accessible controls for the BAS. In a Building Operating Management survey, 84 percent of respondents said they had BAS connected to the Internet. When that's the case, hackers have multiple potential entry sites. For example, hackers can sometimes use information about a BAS that is publicly available over the Internet to gain access to the system.
Which bears the question, what do hackers want to gain from an attack? The answer isn't easy, say experts. Gaining access to the BAS system might enable hackers to change temperature setpoints, for example. In a facility that requires strict adherence to setpoints — a laboratory with fragile cultures, or a data center with specific cooling needs — the results could be serious and expensive.
"There are two basic camps of hackers," says Fred Gordy, operational manager at McKenney's, which offers mechanical contracting and other services. "There's the thrill seekers who just want to see what they can do — and that happens every day and a lot — and then there are those who seek to accomplish a goal." For the latter camp, says Gordy, who is also chairman of the InsideIQ Building Automation Alliance Cybersecurity Committee, 80 percent of the time or more the aim is to infiltrate the corporate network via a BAS, and to get past those controls to accomplish a larger goal or seek a more specific target.
It's easy these days to bridge networks. Gordy says it's common in facilities and engineering departments to have a supervisor machine, one that has a web server for the control system. To simplify things, often a second network card is added to the machine for access to the corporate network. Once that happens, it's easy for an attacker to enter via the BAS and pivot to the organizational network.