Your Complete Source for Building Automation Sensors
| Security Issues with Integrated Smart Buildings
Developing, testing and deploying security measures in buildings needs to be an ongoing process actively built into the operation of the building.
Jim Sinopoli PE, RCDD, LEED AP
Smart Buildings LLC
The building automation industry is now at a point where we have legitimate and reasonable concern regarding the security of building control systems, especially in smart buildings where advanced technology is deployed. We see stories in the news regarding malicious cyber-attacks on private companies, government networks and internet sites and there are questions as to what such an attack would mean for building control systems, building operations, occupants and owners. The apprehension is amplified in newer buildings because there have been increased penetration of IT infrastructure in building control systems and greater integration and interconnection of building controls with other systems. The potential security vulnerability of a building can extend to the smart grid as we move to implement two-way communication between buildings and the grid, and of course could also impact corporate business systems. The overarching security concern is more about network security and less about physical security, although the two are certainly related.
The threat simply is that someone can penetrate a building’s systems
via an unsecured network to cause damage, disruption, theft or possibly
even loss of life. For traditional IT systems, the threat may be loss
of communications, unauthorized access to sensitive data, theft of
intellectual property, disruption of equipment which may include
physical security systems such as access control and video
surveillance, loss of data, and impediments to business continuity. For
the other building systems such as HVAC control, electrical
distribution, lighting, elevators, etc., the threat is disruption of
critical building infrastructure which also impedes or can halt normal
operations. Depending on the building use and building control system,
a security threat may be related to life safety, for example disrupting
emergency power, lighting and HVAC in a critical healthcare space. The
threat to building systems is not hypothetical; the infamous
Stuxnet cyber-attack in 2010 eventually affected programmable logic
controllers (PLC), a controller that is often used in industry,
commonly in buildings elevators, pumps, drives, and lighting equipment.
In general the building automation industry and facility management have treated the security of building control networks as a secondary or tertiary issue, if at all. The most popular security approach for a building management system (BMS) is to isolate the BMS; not letting it connect to any other networks. But that alone is a false sense of security; the BMS at a minimum will have fire systems, HVAC, access control, elevators and possibly lighting connected into it, potentially allowing access from one of those networks or one of the devices on those networks. Minimal or partial security measures may be in place for some buildings but not the comprehensive security measures required to minimize network vulnerability. It’s fair to say that most traditional building management systems are not secured. In fact, many legacy BMS systems have “back doors” allowing the BMS manufacturer or local control contractor to monitor, manage or update the systems. It is interesting that while oftentimes the recent security concern is about newer buildings, it is older buildings with legacy BMS systems that are probably much more vulnerable to attack. The legacy systems are likely to be running older operating systems, databases, and web browsers, some of which may no longer be updated with security patches. In addition, the vulnerabilities of older systems are public knowledge and well known to hackers, thus minimizing the effort and time for an attack.
The automation industry has rightfully strived for standards for systems, moving from proprietary implementations by manufacturers to open and transparent communication protocols. There are many benefits to open standards: compatibility of products, customization, avoiding being locked-in to one manufacturer, interoperability, competitive costs, more support options, etc. At the same time open and transparent standards would seem to increase the vulnerability of BAS networks, basically providing all the information hackers would need to assess vulnerabilities and potential approaches for an attack; this may look like something akin to giving the car thief the keys to the car. It is important to note that having a proprietary protocol does not inherently make a system secure. If the attack is performed on the BAS server or workstation rather than directly on a controller then the protocol is irrelevant. There are also tools such as gateways which are used for integration to such systems and which can also provide an avenue for attack.
However, one of the upsides of the open standards movement is that it allows those communication protocols to incorporate network security related attributes. Most major BAS standards have incorporated some security mechanisms. The security aspects of BACnet are probably the most advanced, at the other end of the spectrum is Modbus, which has no inherent security capabilities.
There are two main attack scenarios to consider: a remote attack originating from outside the building LAN and a local attack from inside the LAN. The first is much more likely but also much easier to mitigate, while the second is potentially much more dangerous and difficult to deal with. A cyber-attack on a BAS network is either going to go after the network, trying to access or disrupt the communication or exchange of data, or the BAS devices, namely the controllers, actuators and sensors. The BAS network could be accessed physically, possible via wireless communication, but also through a network device, such as a compromised controller. The attacks on the devices are likely to emanate from the network or physical manipulation of the device.
Tips on Preventing a Security Breach
Developing, testing and deploying security measures in buildings needs to be an ongoing process actively built into the operation of the building. Here are some suggestions for the first steps:
Perhaps even more importantly, you should also make plans for what to
do in case prevention fails and an attack is underway. Develop
strategies for identifying ongoing attacks and shutting off web access,
VPNs, servers, even ports on network switches that are used by BAS
network controllers in response to an attack. In most cases controllers
will continue operating on schedules and sensor inputs when
disconnected from a management server, which may be a better option
than letting the attack continue.
There is no point in deploying a security program that only addresses a limited portion of the vulnerabilities; that’s simply an admission that some systems are not safe. Comprehensively securing a building not only involves access control and video surveillance or an IT security program, it must also include the building control and automation systems. The control systems are different types of networks and have never had any comprehensive security measures. But the new and changing technology as well as system integration requires the control systems be brought under a security umbrella.
If you have comments or feedback about this article, we would like to hear from you at firstname.lastname@example.org.
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]