BAS and Cyber-Security
Traditionally building systems including BAS have been protected partially through obscurity, and largely through physical protection.
Paul Ehrlich, Ira
& Angela Lewis
April Issue - Column
During the President’s recent State of the Union address, one of the key
initiatives identified dealt with the issue of Cyber-Security.
This was supported by a new White House initiative focused on
protecting critical infrastructure from attacks. What is
interesting about this initiative is that it is much broader than just
computer networks and IT systems; it also includes industrial systems,
including those used to control the power grid and critical
infrastructure. This, and other recent industry efforts, has
raised questions about security and the level of protection against
potential attacks for building automation systems.
Traditionally, building systems, including BAS, have been protected partially through obscurity and largely through physical protection. Gaining access to a building control system and enabling or disabling systems, or even changing setpoints, required accessing the building and entering mechanical and electrical rooms, which are typically secured. However, as we have moved toward control systems that are network (or Internet) enabled, it is now possible to access these systems through the building network or even remotely through the Internet. At the same time, the systems have become less and less obscure. Older, proprietary BAS systems could only be accessed through a desktop computer application. This was typically located in a secured area and was protected by user name and password. As we have moved to open systems, including those that utilize BACnet, LonTalk, and Tridium Niagara, it has become possible to access the systems using tools other than a workstation, leading to more paths for potential breaches. In fact, one of the goals of an open protocol control system is to make communications easy, which in turn can make these systems potential targets for attacks. Within the industry, many have long been aware of this potential vulnerability, but recent events have led to a broader awareness of this issue.
There is work going on within the industry to better protect systems including changes to the open protocol standards, as well as software patches and improvements from suppliers and new products coming on the market intended to provide added protection. In the meantime, however, there are several recommended approaches that should be used to provide security protection for any BAS. These include:
While arguably the risk of an attack on a BAS is less serious than that
of an attack on a power plant, it is still a risk and one that we cannot
afford to have occur. Following this issue and utilizing designs to protect
systems is highly recommended.
and Ira first worked together on a series of ASHRAE
projects including the BACnet committee and Guideline 13 – Specifying
DDC Controls. The formation of Building Intelligence Group provided
them the ability to work together professionally providing assistance
to owners with the planning, design and development of Intelligent
Building Systems. Building Intelligence Group provides services for
clients worldwide including leading Universities, Corporations, and
Developers. More information can be found at www.buildingintelligencegroup.com
We also invite you to contact us directly at