The building automation industry is now at a point where there are legitimate and reasonable concerns regarding the security of building control systems, especially in smart buildings. Jim Sinopoli, Managing Principal of Smart Buildings, LLC, USA, which provides engineering and consulting services for the design and operation of integrated building technology systems, explains what such an attack would mean for building operations, occupants and owners, and how to prevent one.
The potential security vulnerability of a building can extend to the smart grid as we move to implement two-way communication between buildings and the grid, and of course could also impact corporate business systems. The security concern is more about network security and less about physical security, although the two are certainly related.
Types of security threats
The threat is not simply that someone can penetrate a building’s systems via an unsecured network to cause damage. For traditional IT systems, the threat may be loss of communications, unauthorized access to sensitive data and theft of intellectual property. The threat may also mean disruption of equipment, including physical security systems such as access control and video surveillance, and impediments to business continuity. For other buildings the threat is disruption of critical building infrastructure, which impedes or can halt normal operations. A security threat may also be related to life safety, for example, disrupting emergency power, lighting and HVAC in a critical healthcare space.
False sense of security
In general, the building automation industry and facility management have treated the security of building control networks as a secondary or tertiary issue, if at all. The most popular security approach for a building management system (BMS) is to isolate the BMS — by not letting it connect to any other networks. But that alone is a false sense of security.
The BMS at a minimum will have fire systems, HVAC, access control, elevators and possibly lighting connected into it, potentially allowing access from one of those networks or one of the devices on those networks. Minimal or partial security measures may be in place for some buildings, but not the comprehensive security measures required to minimize network vulnerability. It’s fair to say that most traditional building management systems are not secured. In fact, many legacy BMS systems have “back doors” allowing the BMS manufacturer or local control contractor to monitor, manage or update the systems.
Old buildings vs. new buildings
It is interesting that while the recent security concern is about newer buildings, it is older buildings with legacy BMS systems that are probably much more vulnerable to attack. The legacy systems are likely to be running older operating systems, databases, and web browsers, some of which may no longer be updated with security patches. In addition, the vulnerabilities of older systems are public knowledge and well known to hackers, thus minimizing the effort and time for an attack.
The automation industry has rightfully strived for standards for systems, moving from proprietary implementations by manufacturers to open and transparent communication protocols. There are many benefits to open standards: compatibility of products, customization, avoiding being locked-in to one manufacturer, interoperability, competitive costs, more support options, etc.
At the same time, open and transparent standards would seem to increase the vulnerability of building automation system (BAS) networks, basically providing all the information hackers would need to assess vulnerabilities and potential approaches for an attack. However, it is important to note that having a proprietary protocol does not inherently make a system secure. If the attack is performed on the BAS server or workstation rather than directly on a controller, then the protocol is irrelevant. Integration tools such as gateways can also provide an avenue for attack.
However, one of the upsides of the open standards movement is that it allows those communication protocols to incorporate network security-related attributes. Most major BAS standards have incorporated some security mechanisms. The security aspects of BACnet are probably the most advanced; at the other end of the spectrum is Modbus, which has no inherent security capabilities.
There are two main attack scenarios to consider:
• A remote attack originating from outside the building LAN which is much more likely but also much easier to mitigate.
• A local attack from inside the LAN which is potentially much more dangerous and difficult to deal with.
A cyber-attack on a BAS network is either going to go after the network, trying to access or disrupt the communication or exchange of data, or after the BAS devices, namely the controllers, actuators and sensors. The BAS network could be accessed physically, possibly via wireless communication, but also through a network device, such as a compromised controller. Attacks on the devices are likely to emanate from the network or from physical manipulation of the device.
Preventing a Security Breach
• Assign a dedicated network administrator for building control systems with responsibility for ongoing network security. The network administrator should coordinate security efforts and responses, as well as internal and external assistance.
• If facility management is spearheading the effort, coordinate with the IT department early on. Take a comprehensive approach: assess every building system, its vulnerabilities, and what the loss or disruption of each system would mean to building operations and occupants, as well as the financial impact.
• Identify probable avenues of attack and monitor for telltale signs of an ongoing attack. Start with the use of IT security measures on the building automation networks.
• Understand that while IT security measures are valuable, they may not apply to all systems or portions of building control systems. For example, at the field or application control level you may find controllers with limited processing power and memory running on a low-bandwidth network; these are not likely candidates for IT-type security.
• Provide physical security in areas or spaces where BAS equipment is located and BAS network cable runs.
• Encrypt your network traffic.
• Secure any wireless network.
• Take into consideration the human aspects of security, the employees bringing in their own laptop, etc. Develop policies regarding passwords, configurations, settings, and a comprehensive training program.
• Make sure you have secure backups of all databases, stored so that they cannot be accessed or deleted from the network.
• Consider creating honeypot systems that are purposely insecure and monitor them for signs of attack in order to let you know when someone is targeting your systems.
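Because Modbus carries no authentication (as the protocol comparison above notes), any host that can reach a controller can write to it, so one telltale sign worth monitoring for is a write or diagnostics request from any host other than the BMS server. The monitor below is an added example, not the author's code; it parses constructed Modbus/TCP frames and flags state-changing requests from hosts outside an allowlist. The IP addresses, the allowlist and the idea that 10.0.10.5 is the BMS server are assumptions.

```python
import struct

# Modbus function codes that change controller state (writes) or device behaviour
WRITE_FUNCS = {5: "write single coil", 6: "write single register",
               15: "write multiple coils", 16: "write multiple registers",
               22: "mask write register", 23: "read/write multiple registers"}
DIAG_FUNCS = {8: "diagnostics", 43: "encapsulated interface (device identification)"}

def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "func": frame[7] & 0x7F,
            "exception": bool(frame[7] & 0x80), "data": frame[8:]}

def classify(src_ip: str, frame: bytes, allowed_writers: set) -> tuple:
    """Return (severity, reason) for one request frame seen on the BAS segment."""
    pdu = parse_mbap(frame)
    fc, unit = pdu["func"], pdu["unit"]
    if fc in WRITE_FUNCS and src_ip not in allowed_writers:
        return "alert", f"{WRITE_FUNCS[fc]} on unit {unit} from unexpected host {src_ip}"
    if fc in DIAG_FUNCS and src_ip not in allowed_writers:
        return "warn", f"{DIAG_FUNCS[fc]} on unit {unit} from unexpected host {src_ip}"
    return "ok", f"function {fc} on unit {unit} from {src_ip}"

def scan(capture, allowed_writers):
    """Run classify() over (src_ip, frame) pairs and keep every non-'ok' finding."""
    findings = []
    for ip, frame in capture:
        sev, why = classify(ip, frame, allowed_writers)
        if sev != "ok":
            findings.append((sev, ip, why))
    return findings

# Constructed sample capture (assumption): BMS server 10.0.10.5 is the only legitimate writer.
ALLOWED_WRITERS = {"10.0.10.5"}
SAMPLE_CAPTURE = [
    ("10.0.10.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # read 10 holding registers
    ("10.0.10.5", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),   # write register 16 (allowed)
    ("10.0.40.77", bytes.fromhex("0003 0000 0006 01 05 0000 ff00")),  # coil ON from a workstation
    ("10.0.40.77", bytes.fromhex("0004 0000 0006 01 08 0001 0000")),  # diagnostics: restart comms
]
```

Running `scan(SAMPLE_CAPTURE, ALLOWED_WRITERS)` yields one alert and one warning, both for 10.0.40.77; the same allowlist check applies to frames taken from a live span port on the BAS segment.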
In case of an attack
Perhaps even more importantly, you should also make plans for what to do in case prevention fails and an attack is underway. Develop strategies for identifying ongoing attacks and shutting off web access, VPNs, servers, even ports on network switches that are used by BAS network controllers in response to an attack. In most cases controllers will continue operating on schedules and sensor inputs when disconnected from a management server, which may be a better option than letting the attack continue.
There is no point in deploying a security program that only addresses a limited portion of the vulnerabilities. That’s simply an admission that some systems are not safe. Comprehensively securing a building not only involves access control and video surveillance or an IT security program. It must also include the building control and automation systems. The control systems are different types of networks and have never had any comprehensive security measures. But the new and changing technology as well as system integration requires the control systems be brought under a security umbrella.