Cybersecurity Solutions for Building Automation Systems
April 10, 2019 - Building Automation
By Ken Sinclair
Cybersecurity solutions cannot be a self-serving or an isolated approach they need to be part of a holistic solution. Our current issue presents a holistic cybersecurity resource for our industry. We feel it is very applicable to other industries and will become a go-to resource. As with all our publications, all articles will remain online; we still have our first issue from 20 years ago online. Special thanks to all our cyber experts that made this issue possible; please read all their views.
I have avoided this discussion in the past because understanding and highlighting all the potential security and privacy concerns could paralyze us. For some 20 years plus, we have operated in a Wild West manner, mashing our machines with the open Internet and achieving amazing things quickly. I do not want to lose this platform of global innovation and participation.
My concern is that in fencing every risk we will be the ones behind the fences immobilized and paralyzed, victims of our own thoughts. I have grave concerns that the risk of over-regulation could be worse than our worst cybersecurity concerns.
Nevertheless our building automation systems are considered not secure. We need to fix this as we install more and more sophisticated smart building technologies, many of which involve IT systems; we have become IT people. We need to think like IT people, we need to revisit our existing systems security and clean up our mess.
In this issue, we gathered the views of several sybersecurity experts to provide us with advice on how to proceed without immobilizing ourselves. I am extremely pleased and amazed at the width and depth of coverage.
Anto Budiardjo and Ken Sinclair discuss the fact that "Our collective success is based on our weakest link." and why we assemble this collection of industry experts to speak to cybersecurity.
James Lee, CEO, Cimetrics, Inc., puts it this way: "Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi." His article is The Need for Holistic BAS Cybersecurity: “The first and most important aspect for all players in the industry is that cybersecurity is everyone’s business, not just the experts. Yes, cybersecurity is a complex subject, but we are not all going to nerd out on the intricacies of ciphers, zero-day threats, certificates, and so on.
“What every single professional must demand is that our devices, systems, and buildings are secure from cyber threats. Every proposal, project meeting, and company planning session going forward must discuss how cybersecurity is being addressed in that instance.
“This leads to my second point: Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi. This means not only does each player need to deal with cybersecurity in their work, but it is the task of everyone to ensure others in the value chain deliver solutions that are secure.”
“A useful tool many other industries use to chart their process of bringing cybersecurity to the forefront is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a comprehensive set of standards, guidelines, and best practices created through a collaborative process by the U.S. government agency responsible for cybersecurity matters.”
Fred Gordy of Intelligent Buildings, LLC, provides cybersecurity evaluation of building control systems. IB performs a series of assessments both before the site visit and once on site; there are several tools and methods used to complete a holistic cybersecurity evaluation of building control systems.
In his article, The State of BAS Cybersecurity, he says: “In 2018 the number of assessments we performed increased to more than double of 2017. This was due in part to the growing awareness of the need for securing building control systems, but also the real and present danger of attacks to building control systems. In this article, I will share the results of assessments and BAS attacks we have first-hand knowledge of.”
Anto Budiardjo has been encouraging me to get this discussion to be the theme for April. I agree. In Cybersecurity: The Gatekeeper to Value, he says: “On the technology front, IoT (Internet of Things) is driving down the cost of hardware; open source is democratizing software development, and communication technologies from 5G to WiFi are making connectivity cheap and ubiquitous. From a social perspective, we are all living super-connected lives with our smartphones as a must-have tool for both business and personal use. With that in mind, there is very little standing in the way of the BAS industry from leveraging this pervasive connectivity to achieve IT convergence and increase the value of what it offers.”
Marc Petock, Lynxspring, Inc., contributing editor, wrote The Business Side of Cyber Security Why it Matters: “In today’s data-driven economy and smart-based buildings, it is essential we collect, store, and adequately protect data and proprietary secrets. Failure to do so will significantly damage a company’s brand, have an adverse effect on operations, and directly impact revenue and profitability.
“The frequency of cyber attacks is only going to accelerate over the coming years. Therefore it is vital that we have a full understanding of the inherent business risks and implications. Balancing cybersecurity priorities with business flexibility and agility is a tough challenge. But it’s a challenge every organization faces as it strives to drive growth, achieve competitive advantage, and maximize operational and performance efficiencies.
“Cybersecurity is hard and always will be. Attackers will continue to innovate with new techniques, deception, and determination. The challenge isn’t people, process, or technology; they all exist today and are available. The big issue is the internal culture at companies and the understanding of cybersecurity from a business perspective and why it matters.
“It all comes to one thing — risk. How much are you willing to take? We can no longer take a wait-and-see philosophy or ‘it’s not going to happen to us’ approach when it comes to prioritizing and aligning cyber initiatives within our buildings. As we operate in an interconnected environment, we must look at their entire ecosystem and spread and share responsibilities, creating security partnerships. Cybersecurity is no longer an individual company effort; it is a shared responsibility among us all.”
Kevin T. Smith, CTO, Tridium, says, “It is our goal that smart building owners and operators avoid the harsh realities of cyberattacks.” In his article, Towards a Cybersecurity Partnership in Connected Buildings, he says: “Over the past few months, there has been some well-needed government and media attention paid to the cybersecurity posture of control systems used in smart buildings and operational technology (OT) networks. Cyber-threat watchers note that there continues to be a significant number of these control systems that are configured in an insecure manner and exposed on the Internet. This is something that must change.
“Decades ago, organizations had to quickly become savvy about protecting their information technology (IT) networks from remote attackers. As IT networks grew, so did the cybersecurity threats — viruses, malware, and phishing attacks proliferated, and they continue to do so. Organizations that experienced early, highly publicized cyberattacks and data breaches learned painful and costly lessons. In too many of those cases, proper focus on cybersecurity awareness and best practices only happened after such an attack. Luckily, we can learn from those mistakes and lessons from the past and apply them to OT networks today. It is our goal that smart building owners and operators avoid the harsh realities of cyberattacks now by taking a proactive approach towards cybersecurity.”
“Cybersecurity is a partnership: We all have a role to play,” says Therese Sullivan, Tridium, contributing editor. In her article, Cybersecurity or Something Better, she notes: “For decades now, the vision of intelligent buildings that self-correct when they are wasting energy and self-adjust when they are providing anything less than a healthy, comfortable, and productivity-enhancing indoor environment for occupants has been driving the building automation industry forward. Today, advancements in cloud computing and machine learning, as well as greater adoption of common standards for network connectivity and data interoperability, are making the full vision a reality for some showcase buildings. At the same time, connected devices are seeping into all types of buildings in less visionary, more piecemeal ways and sometimes without sufficient IT/OT oversight. Is this moving us faster toward the intelligent-buildings-for-all future we expect? Or is this trend simply creating a larger and more attractive cyber-threat landscape for attackers, with consequences that will slow our progress.”
For our current issue, Jim Butler, CTO, Cimetrics Inc., wrote Introduction to BACnet/SC, A Secure Alternative to BACnet/IP: “For the past several years, the members of the BACnet IT working group I chair have been developing a more secure method of communication for BACnet based on widely used IT standards. This method exclusively applies to communication on IP networks, and we are calling it ‘BACnet/SC’ or ‘BACnet Secure Connect.’ I believe BACnet/SC will become a popular alternative to BACnet/IP in the future.
“I have skipped over many important details of BACnet/SC in this short article. If you are interested in learning more, I encourage you to read the white paper ‘BACnet Secure Connect’ written by members of the BACnet IT working group.”
In A Cybersecurity Framework for the World of BAS, Pook-Ping Yao, CEO, Optigo Network, offers these thoughts: “It’s been five years since the National Institute of Standards and Technology (NIST) released its cybersecurity framework. A great deal has changed in technology over those years, but the framework remains absolutely critical in our world of growing connectivity.
“And yet I still hear the confusion in the building automation world about what this framework means for us. Many buildings are slowly marching forward in that journey to ‘smart.’ Do we really have to worry about cybersecurity?
“Well, in a word: yes.”
Deb Noller, CEO, Switch Automation, offers advice on How to Safeguard your CRE portfolio against Cybersecurity Attacks. “A smart building platform is a powerful cybersecurity tool that empowers your FM team to easily perform continuous commissioning as well as regularly assess device connectivity and network integrity. Cloud-hosted smart building solutions are often the most secure, updating automatically for protection against the latest malware. Additionally, a cloud solution tends not to require the regular dispatch of software engineers for functionality customization and support. By integrating diverse hardware and software, an effective smart building solution will support a range of stakeholders, driving asset visibility and enabling more cost-effective building performance. To extend the flexibility of your FM team, consider a solution with a mobile app and empower them to communicate about critical issues quickly and effectively while on the go.”
In Cybersecurity for Modern Building Services, Toby Considine, TC9 Inc., contributing editor, writes: “This article is a collection of odds and ends, brought out by the announcement that this month is the holistic cybersecurity issue. Security, including cybersecurity, is making sure the needed information or action is reliably available at the right time to the right people.
“As noted elsewhere, many of the most useful and exciting changes in how we interact with the world, and the world with us, are in the hidden world of buildings and their services. In May 2008, I named this the service oriented building (SOB) and called for it to be a full-fledged partner with the then emerging service oriented architecture (SOA) for enterprise systems. Since then microservices have become the norm for assembling highly scalable, highly resilient, and highly secure systems.
“Service integration treats remote systems as black boxes, and the only remote integration is requesting from or providing services to that black box. Service request does not care about the mechanisms in that black box, only about the service provided. This minimizes communication between systems, already a step forward in cybersecurity. A black box providing a service can be designed so that none but the other components in the box can see or interact with them. Service oriented systems provide a smaller attack service.”
Trust is the new gold! Mirko Ross: “In fact: You need ‘trusted’ data and ‘trusted’ devices providing data services. As machine learning is relied on more often for automated decisions, cybercriminals can try to attack machine learning algorithms. Influencing the training data is highly dangerous, with the goal of manipulating the results of the machine learning algorithm predictive model.”
Please ensure you are not our weakest link due to a lack of understanding and the necessary proactive implementation. Cybersecurity is everyone’s business, not just the experts. Protect yourself while helping to secure our industry.
A list of some communities of practice for cybersecurity:
• NIST. This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The cybersecurity framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. https://www.nist.gov/cyberframework
• "BACnet Secure Connect" written by members of the BACnet IT working group.
• Niagara systems integrators. “Harden Your Smart Building Against Cyber Threats.” “Cybersecurity is a top priority, and we are dedicated to continuously improving the security posture of our products and providing guidance to Niagara systems integrators, business partners, and facility managers.”
• ISASecure: IEC 62443 standards and ISASecure certification: Applicability to building control systems. The ISASecure certification program can accelerate BCS industry cybersecurity initiatives.
• The Cybersecurity and Infrastructure Security Agency (CISA) incorporates an industrial control systems (ICS) element that works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors.
• The not-so-definitive guide to cybersecurity and data privacy laws. U.S. cybersecurity and data privacy laws are, to put it lightly, a mess. Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.
• The CRE Cybersecurity Forum will be held June 12 from 8:00 am to 11:45 am at the Nashville Music City Center. Every company is at a different point in the cybersecurity journey. Most real estate organizations begin by focusing on enterprise-related issues which can impact operations. Recently, with the increase in cyberattacks on the built environment, more companies have begun the task of securing the building and all its systems. While some knowledge can be garnered from critical infrastructure experiences, protecting buildings from cyber threats is a relatively new phenomenon. This session will provide insight on what a comprehensive building cybersecurity program might look like. In addition to presenting the foundational plan, some Monday morning advice on ‘where to begin’ will also be provided.
• Building a Consensus for Cybersecurity. Siemens teamed up with the Munich Security Conference and other governmental and business partners to present the Charter of Trust initiative in February 2018. One of the initiative’s key goals is to develop and implement rules for ensuring cybersecurity throughout the networked environment. The first major successes have already been achieved. https://new.siemens.com/global/en/company/topic-areas/digitalization/cybersecurity.html
Events where cybersecurity will be discussed:
Ken Sinclair is the founder, owner, and publisher of an online resource called AutomatedBuildings.com. He writes a monthly column for FacilitiesNet.com about what is new in the Internet of Things (IOT) for building automation.