Do You Know Your BAS Cybersecurity Risks?
November 6, 2019 - Building Automation
By Kevin T. Smith
Building automation systems (BAS) provide fundamental services for commercial office spaces, campuses, hotels, and retail facilities, and their use results in energy savings, cost savings, and technology integration that can tremendously increase productivity. Most practitioners realize that the connectivity and control of infrastructure and equipment these systems provide can have a significant impact on cost, physical security, and life safety; but unfortunately, the cybersecurity of many of these systems can often be an afterthought. If you are a building owner or facility manager using BAS devices, do you know your cybersecurity risks?
Building control systems connect, manage, and control equipment and devices in buildings over computer networks. Internet connectivity in such systems brings tremendous opportunities, but it also can bring great challenges. It is well known that the cost-savings and technology integration capabilities of these systems provide great value to facility owners and tenants, but the potential network exposure of the building’s equipment can provide significant cybersecurity risks. Internet-connected building systems are targets because the technologies involved connect the virtual Internet world to a place where changes can be made in the real physical world. Alarmingly, there exist many hacker-friendly tools that allow bad actors to search for, discover, and exploit Internet-connected devices, and many websites even provide these tools and also advertise the locations and IP addresses of building systems that are exposed on the Internet.
What are your risks? They could be significant depending on the type of equipment that your system is controlling. If you are the owner of a grocery store chain, what would the cost impact be if a hacker shut down refrigeration to your stores, causing your food inventory to spoil? If you have valuable assets in your retail store, could a hacker unlock your doors and go on an after-hours “free” shopping spree? If you are a property manager with tenants that expect a certain level of service, what impact would there be if a hacker turned the temperature in your building to be so uncomfortable that your tenants left? Could a bad actor maliciously alter your equipment to cause an incident that threatens human life in and around your building? All of these are serious questions with measurable costs which include, but are not limited to, safety, financial liability, lost customers, and damage to brand and reputation.
From a risk-management perspective, BAS cybersecurity is complicated because multiple parties are involved between the release of BAS systems and the ultimate management of these systems in buildings:
• Building automation systems are released by manufacturers;
• Systems integrators take these systems and configure them and connect them on customer networks;
• The way building data networks are set up on an enterprise’s core networking infrastructure is typically overseen by facility groups or an IT department;
• Facility managers operate and maintain the BAS over time.
Therefore, for the building automation solution, cybersecurity is a journey that the whole value chain is on together, and this includes the BAS vendor, value-added resellers, systems integrators, IT networking infrastructure providers, facility managers, and the end-customer building owners and their tenants. Building cybersecurity is a team effort.
Anyone along that chain of roles could increase the cyber-risk of the overall system by not abiding by cybersecurity best practices. Every party involved must intentionally focus on cybersecurity and work in partnership with others involved. Out of the box, a BAS needs to be designed with a cybersecurity defense-in-depth mindset, and it’s critical that customers know how to secure that system. Then the BAS needs to be set up appropriately and securely configured utilizing the manufacturer’s cybersecurity guidance and industry cybersecurity best practices. Once configured, BAS security also depends on the security configuration of the network, which should be set up using networking and defense-in-depth best practices. At the same time, the security of each device relies on the physical security of the environment where the device is placed. Finally, the system needs to be continuously managed, monitored, and updated as the vendor releases security updates. At each level, following best-practice security involves not just technology but training operators in processes, procedures and the proper use of information technology.
If your systems aren’t securely configured, if they aren’t patched and updated, if they aren’t proactively monitored, and if they are set up to be exposed on the Internet or exposed to even internal networks that aren’t managed effectively, you are asking for trouble. A holistic, defense-in-depth security approach is needed. The building owner needs to oversee this process, and needs to make sure that someone is actively – and proactively - focusing on cybersecurity, making sure that your networks and assets are periodically and consistently assessed for cyber risks to be mitigated. A successful approach begins with establishing cybersecurity processes for your organization. It involves training all the right people in those processes and making sure they understand the proper and secure use and configuration of the technologies and networks involved. Getting all of that done can seem daunting. You can get started by looking at guidance from organizations like the National Institute for Standards and Technology (NIST) that can be tailored to any organization. You can get even more specific control system guidance from organizations like the National Cybersecurity and Communications Integration Center (NCCIC)’s Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) and the International Society of Automation (ISA)’s ISA99 focus on Industrial Automation and Control Systems Cybersecurity in their ISA 62443 series of standards.
Finally, it’s important that care is taken when connecting any device to your network, including a building control system or other edge device. For any device you are considering connecting to your network, ask five questions: (1) Is the manufacturer cyber-aware and does it have a documented cybersecurity process? (2) Will the manufacturer support the device and support security updates and patches to that device in a timely manner? (3) Have you or has someone else done a cybersecurity or risk evaluation on the product? (4) How will the device be connected to the network and are there controls set up on the network itself to reduce risks? (5) Who will be configuring this device when connected to your network and who will be proactively monitoring and managing that device?
Certainly, this article has just scratched the surface of what is needed. I am hopeful that it does raise some awareness on this important topic of building automation cybersecurity.
Kevin T. Smith is the Chief Technology Officer of Tridium, Inc.