Award-winning manufacturer of IT-based building automation.
For the last ten years the whole industry has been talking about IP, Web, interoperability and open systems. Security, however, has been mostly left behind, somewhere in the pre-internet age.
Nino Kurtalj, President,
in Building Automation Systems, and the use of the IP infrastructure as the key building data highway, is moving building automation into the family of Information Communications Technology (ICT) services. Professionals from the industry believe that this direction will be a rising tide which will affect us all. The new environment makes building automation systems less expensive to install, through use of the existing IT infrastructure, and opens a path to true integration instead of mere coexistence. This is great, but there is one big "BUT": such a direction brings to the table all the issues that ICT is struggling with.
The complete integration of building systems with the much larger information-technology-connected enterprise, and the integration of networked facilities on a global basis, are raising security issues with building automation systems. Most of the products on the market are not really ready for the full ICT approach, and neither are the integrators. The truth is we have had connectivity for years. However, we have not had integration. This is a whole new ball
The use of common IP protocols and general-purpose operating systems results in remarkably less separation between the outside world, the building management systems, and Building Automation Networks (BAN). However, it is a double-edged sword. Automated systems are now at risk of attack from a variety of malicious threats.
Microsoft Windows supplies most of the operating systems on the desktop and in the building automation server area. Unfortunately, Windows is a very popular target for network attacks.
We will see more and more announcements like the one Cisco issued in May 2010. According to Cisco, the problems were related to a default password and privilege escalation. This potentially allowed attackers to gain control over the device and manipulate the data.
Another example from last year was the Stuxnet Trojan that attacked Siemens PLCs. The infection probably happened through a USB device, and then spread over the Windows network using a previously unknown vulnerability in Windows. On the infected machine, it looks for running Siemens Simatic WinCC software, then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database. Can you imagine that, according to Wired's Threat Level blog, the password had been available on the Internet for several years?
OK, it looks simple: we just need to change the default password and there is no more threat! Unfortunately, Siemens announced "don't do it". Changing the password would interrupt communication between WinCC and the database. Furthermore, they said they were examining ways to increase the security. Microsoft was working on a patch, and they provided instructions for a workaround.
Here are some well-known incidents from the past:
These are not scenarios from the movies. This is real life! Wow, I was taken aback. The whole industry has for the last ten years been talking about IP, Web, interoperability, open systems. However, security has mostly been left behind, somewhere in the pre-internet age. The truth is that most BMS servers have been working for years without any upgrade of the operating system, and in most cases the OS of choice is from the Windows family. Also not mentioned is that the BMS software in most cases is the same version as the one that was first installed. For computers running Microsoft Windows XP SP2 or Windows 2000 there is no more support in terms of patches. Therefore, computers running those versions of the OS will remain vulnerable until they are upgraded to newer versions. How many such systems are still operating?
Let's look at the differences between BMS and ICT system security.
Anti-virus is widely used in ICT; in BMS it is often impossible to deploy. The lifetime of equipment in ICT is three to five years; in our industry it can reach twenty years. In ICT, outsourcing is widely used; in BMS it is rarely used for operations. Patching in ICT happens on a daily basis; in BMS, vendor approval is required in most cases, which means it happens slowly. Security skills and awareness are fairly good in ICT; in BMS they are in most cases very poor.
If we talk to people from operations, we get answers like "We do not need ICT security since our network is completely separated from the rest of the corporate network." If you ask them whether they use notebooks during servicing and tracing problems, the answer will be yes. Therefore, any attack targeted at a particular infrastructure is possible.
is opening up a totally new line of events. The traditional HVAC department will not be aware of what they should do, or interested in going any further. Until real damage happens, the corporate and management levels will not understand that the BMS is important for corporate health. Until that time, we will have a situation where the BMS is treated as a small part of the HVAC or lighting system, where the manufacturers of chillers, AHU units and lighting fixtures are seen as the key to successful operations, not the BMS. The idea of splitting the BMS away from the HVAC and lighting contractor is in most cases considered sacrilege, not to mention the thought of involving ICT security people during the design phase of the facility network.
All of this will certainly change when a major piece of infrastructure suffers serious damage. And that will happen sooner than we can imagine. We are becoming a "hot" industry, "the one", one that is good to be in. We have opened our protocols, created standards, integrated our devices into the IP networks, but we have not, up to now, made them secure by ICT
As an example, consider the economic impact of a company-wide attack on the lighting system; most of today's lighting systems in large buildings are fully automated. Such an attack could send messages switching the lights on and off. That will cost the owner some money, but will do more damage to the owner's image. Other scenarios could be shutting off the power of the building or the elevators, heating up the space during the summer or cooling it during the
What shall we do?
Because we do not have secure building protocols, we need to build secure building networks with firewalls and VPNs, and look for solutions like BrightCore. BrightCore includes well-known security standards such as RADIUS authentication, LDAP directory services, and integration with identity management solutions. Further, we must look for a solution that has strong AES encryption with a 256-bit key, like BrightCore. This has to be considered for regular user access to the system if we want to use BMS data and applications outside the BMS room.
Another consideration is the use of firewalls between the Building Automation Control Network and the enterprise network. One of the best variations is a pair of firewalls positioned between the enterprise and the building automation networks. Shared servers, such as the SQL server for history data, should be positioned between the firewalls in a DMZ. The first firewall blocks arbitrary packets from proceeding to the control network or to the shared SQL server data. The second firewall prevents unwanted traffic from a compromised server entering the control network. Such clear separation allows one firewall to be managed by BMS experts and the other by ICT experts. This type of approach creates a very strong defensive posture. If we need to access the networks from outside, we should do so through a VPN.
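The two-firewall DMZ described above, written out as a policy model so the separation can be checked rather than just drawn. This is an added example, not code from the article or from any product it names; the zone addresses, the historian and BMS server hosts, the port numbers and the rule sets are constructed assumptions. It walks a session-initiating flow through whichever firewalls lie between its two zones (enterprise or VPN users, then the DMZ, then the BAN) and includes an audit function that confirms no rule on the inner firewall lets a DMZ host open a session into the control network, which is exactly the protection the text wants against a compromised shared server.

```python
"""Policy model of a two-firewall DMZ between an enterprise network and a
building automation network (BAN).  Added example; every address, host and
port below is a constructed assumption, not a value from the article."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

# Constructed addressing: four zones along one path.
#   enterprise / vpn  --FW1--  dmz  --FW2--  ban
ZONES: Dict[str, IPv4Network] = {
    "enterprise": ip_network("10.0.0.0/16"),  # corporate LAN
    "vpn":        ip_network("10.9.0.0/24"),  # remote users land here after VPN termination at FW1
    "dmz":        ip_network("10.1.0.0/24"),  # shared servers, e.g. the SQL history server
    "ban":        ip_network("10.2.0.0/24"),  # building automation control network
}
# FW1 sits between positions 0 and 1, FW2 between positions 1 and 2.
POSITION = {"enterprise": 0, "vpn": 0, "dmz": 1, "ban": 2}

HISTORIAN = ip_network("10.1.0.10/32")   # assumed SQL history server, inside the DMZ
BMS_SERVER = ip_network("10.2.0.5/32")   # assumed BMS head-end server, inside the BAN


@dataclass(frozen=True)
class Rule:
    src: IPv4Network    # source must fall inside this network (/32 for one host)
    dst: IPv4Network    # destination must fall inside this network
    proto: str
    dport: int
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


# FW1, managed by ICT: the enterprise may reach only the historian, and only
# VPN users may start a session toward the BMS server.
FW1: List[Rule] = [
    Rule(ZONES["enterprise"], HISTORIAN,  "tcp", 1433, "allow"),  # reporting clients read history
    Rule(ZONES["vpn"],        BMS_SERVER, "tcp", 443,  "allow"),  # remote BMS web UI over the VPN
]
# FW2, managed by BMS experts: the BAN pushes history outward, VPN users may
# reach the BMS server, and nothing in the DMZ may open a session inward.
FW2: List[Rule] = [
    Rule(BMS_SERVER,   HISTORIAN,  "tcp", 1433, "allow"),  # BMS writes history to SQL
    Rule(ZONES["vpn"], BMS_SERVER, "tcp", 443,  "allow"),
]
FIREWALLS = {"FW1": FW1, "FW2": FW2}


def zone_of(ip: IPv4Address) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any known zone")


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins; the implicit final rule is deny.  Only the
    session-initiating direction is modelled; replies are assumed to be
    admitted by the firewall's connection state table."""
    for r in rules:
        if f.src in r.src and f.dst in r.dst and f.proto == r.proto and f.dport == r.dport:
            return r.action
    return "deny"


def decide(f: Flow) -> str:
    """Walk the flow through every firewall between its source and destination zones."""
    lo, hi = sorted((POSITION[zone_of(f.src)], POSITION[zone_of(f.dst)]))
    crossed = [name for k, name in ((1, "FW1"), (2, "FW2")) if lo < k <= hi]
    if not crossed:
        return "allowed (no firewall crossed)"
    for name in crossed:
        if evaluate(FIREWALLS[name], f) != "allow":
            return f"denied by {name}"
    return "allowed"


def dmz_cannot_pivot() -> bool:
    """Audit: no FW2 rule lets a DMZ host open a session into the BAN, so a
    compromised shared server cannot reach the control network."""
    return not any(r.action == "allow" and r.src.subnet_of(ZONES["dmz"])
                   and r.dst.subnet_of(ZONES["ban"]) for r in FW2)


if __name__ == "__main__":
    samples = [
        ("enterprise client -> historian SQL", flow("10.0.5.20", "10.1.0.10", "tcp", 1433)),
        ("enterprise client -> BMS web UI",    flow("10.0.5.20", "10.2.0.5", "tcp", 443)),
        ("historian -> BMS server (BACnet/IP)", flow("10.1.0.10", "10.2.0.5", "udp", 47808)),
        ("BMS server -> historian SQL",         flow("10.2.0.5", "10.1.0.10", "tcp", 1433)),
        ("VPN user -> BMS web UI",              flow("10.9.0.7", "10.2.0.5", "tcp", 443)),
    ]
    for label, f in samples:
        print(f"{label:40s} {decide(f)}")
    print("DMZ pivot into BAN blocked:", dmz_cannot_pivot())
```

The flow from the historian toward the BMS server is the case the text is most concerned with: it crosses only FW2, and because FW2 lists no rule with a DMZ source and a BAN destination it is dropped by the default deny, even though the historian is a trusted server from the enterprise side's point of view. Real firewalls are stateful and also need return-traffic handling, logging of denied flows and a management path, none of which this model covers.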
Until we reach the Web services and HTML5 future this is one of the best scenarios, since we still do not have a good event mechanism within web structures. The Web services model will open a new class of information-rich applications, anywhere, anytime, across the globe. There is a lot of work to be done before we can really reach the "Internet of Things", but for now properly securing our networks will be good enough.