The apprehension is amplified in newer buildings because there have been increased penetration of IT infrastructure in building control systems and greater integration and interconnection of building controls with other systems. The potential security vulnerability of a building can extend to the smart grid as we move to implement two-way communication between buildings and the grid, and of course could also impact corporate business systems. The overarching security concern is more about network security and less about physical security, although the two are certainly related.
The threat simply is that someone can penetrate a building’s systems via an unsecured network to cause damage, disruption, theft or possibly even loss of life. For traditional IT systems, the threat may be loss of communications, unauthorized access to sensitive data, theft of intellectual property, disruption of equipment which may include physical security systems such as access control and video surveillance, loss of data and impediments to business continuity. For the other building systems such as HVAC control, electrical distribution, lighting, elevators, etc., the threat is disruption of critical building infrastructure which also impedes or can halt normal operations.
Depending on the building use and building control system, a security threat may be related to life safety, for example disrupting emergency power, lighting and HVAC in a critical healthcare space. The threat to building systems is not hypothetical: The infamous Stuxnet cyber-attack in 2010 eventually affected programmable logic controllers (PLC), a controller that is often used in industry, commonly in buildings elevators, pumps, drives and lighting equipment.
In general, the building automation industry and facility management have treated the security of building control networks as a secondary or tertiary issue, if at all. The most popular security approach for a building management system (BMS) is to isolate the BMS — by not letting it connect to any other network. But that alone is a false sense of security. The BMS at a minimum will have fire systems, HVAC, access control, elevators and possibly lighting connected into it, potentially allowing access from one of those networks or one of the devices on those networks.
Minimal or partial security measures may be in place for some buildings, but not the comprehensive security measures required to minimize network vulnerability. It’s fair to say that most traditional building management systems are not secured. In fact, many legacy BMS systems have “back doors” allowing the BMS manufacturer or local control contractor to monitor, manage or update the systems.
It is interesting that while oftentimes the recent security concern is about newer buildings, it is older buildings with legacy BMS systems that are probably much more vulnerable to attack. The legacy systems are likely to be running older operating systems, databases, and web browsers, some of which may no longer be updated with security patches. In addition, the vulnerabilities of older systems are public knowledge and well known to hackers, thus minimizing the effort and time for an attack.
The automation industry has rightfully strived for standards for systems, moving from proprietary implementations by manufacturers to open and transparent communication protocols. There are many benefits to open standards: compatibility of products, customization, avoiding being locked-in to one manufacturer, interoperability, competitive costs, more support options, etc.
At the same time, open and transparent standards would seem to increase the vulnerability of BAS networks, basically providing all the information hackers would need to assess vulnerabilities and potential approaches for an attack. This is akin to giving the car thief the keys to the car. It is important to note that having a proprietary protocol does not inherently make a system secure. If the attack is performed on the BAS server or workstation rather than directly on a controller, then the protocol is irrelevant. There are also tools such as gateways which are used for integration to such systems and which can also provide an avenue for attack.
However, one of the upsides of the open standards movement is that it allows those communication protocols to incorporate network security-related attributes. Most major BAS standards have incorporated some security mechanisms. The security aspects of BACnet are probably the most advanced, at the other end of the spectrum is Modbus which has no inherent security capabilities.
There are two main attack scenarios to consider: a remote attack originating from outside the building LAN and a local attack from inside the LAN. The first is much more likely but also much easier to mitigate. The second is potentially much more dangerous and difficult to deal with. A cyber-attack on a BAS network is either going to go after the network, trying to access or disrupt the communication or exchange of data, or the BAS devices, namely the controllers, actuators and sensors. The BAS network could be accessed physically, possible via wireless communication, but also through a network device, such as a compromised controller. The attacks on the devices are likely to emanate from the network or physical manipulation of the device.
Developing, testing and deploying security measures in buildings needs to be an ongoing process actively built into the operation of the building. Here are some suggestions for the first steps:
- Assign a dedicated network administrator for building control systems with responsibility for ongoing network security. The network administrator should coordinate security efforts and responses, as well as internal and external assistance.
- In the event the Facility Management is spearheading the effort coordinate with the IT department early on. Take a comprehensive approach – assess every building system, its vulnerabilities and what the loss or disruption of the systems will mean to building operations and occupants as well as the financial impact.
- Identify the probable avenues of attack and monitor for telltale signs of an ongoing attack. Start with the use of IT security measures on the building automation networks.
- Understand that while the IT security measures are valuable, they may not apply to all systems or portions of building control systems. For example, at the field or application control level you may find controllers with limited processing power and memory, and utilizing a limited bandwidth network. Not likely candidates for IT-type security.
- Provide physical security in areas or spaces where BAS equipment is located and BAS network cable runs.