2019 seems to be the year of cybersecurity in BAS, at least the year where cybersecurity is becoming a topic of significant interest for the industry. Quite rightly so.
Not a day passes, it seems, without a new security initiative, product, company, standard or (on the bad side) intrusion vector crossing our desks, if not pertaining to BAS then to IoT or the IT/OT axis.
Is that good? Yes: the subject is important. Is it confusing? Regrettably, yes. It is a complex issue, global in nature, and the many perspectives and motives involved make it complicated.
The purpose of this article is to try and put all of this cybersecurity “stuff” into some order that can hopefully help people in the BAS industry decide what is important for them. It’s not an easy task, but let’s give this a go…and I’ll try and inject a little levity!
plane stuff (70,000 ft and above)
Much of what we hear about cybersecurity daily in the news concerns issues beyond the influence of most individuals and companies: state-sponsored hacking, and the counter-activities that other state-sponsored organizations (using our tax dollars) perform to keep us safe. Should we ignore these issues?
I suggest we keep track of them but keep them in their place, while recognizing that they can reveal trends that may affect BAS down the road.
and robbers (monitoring)
This side of cybersecurity is perhaps the one in which we have the most experience. Most (hopefully all) of us using Windows run some form of antivirus or endpoint-monitoring software such as Norton or McAfee. These tools inspect files and incoming traffic on the device, using blacklists (blocklists), whitelists (allowlists) and behavioural techniques to keep malware from running.
Because the threat landscape changes constantly, the biggest weakness of this approach to malware detection is that the signatures and rules must be updated continually. That is hard for BAS devices, which are seldom updated, and many embedded controllers cannot run such an agent at all; for those, monitoring usually has to move onto the network, watching their traffic instead of their file systems. For desktop-class computers and laptops, on the other hand, it remains a useful tool for detecting malware.
Hospitals and doctors (hygiene)
This is very much a people issue. "Cybersecurity hygiene" is a colloquial term for the best practices and routine activities that system administrators and users can adopt to improve their security during common activities such as web browsing, e-mail and texting. For BAS it means the unglamorous basics: changing default credentials, applying firmware and software updates, removing unused accounts and services, and keeping an inventory of what is actually on the network.
I have always thought the term "hygiene" strange in this context, but it is really a good way of thinking about it. The same way we keep our bodies clean with tools such as soap and detergents, keeping our digital selves and our buildings clean requires the same dedication to hygiene.
Smoke and mirrors (zero trust security)
A growing sector in cybersecurity is Zero Trust. It is a security model built on the principle that an organization should not inherently trust anything inside or outside its perimeter; instead it must verify every user and device attempting to connect to its systems before granting access, and then grant only the access that is actually needed.
Zero trust security is an important approach for BAS networks, especially as they start to operate on corporate IT networks and the Internet. In practice it means giving each device its own identity (typically a certificate), requiring authentication for every controller and front end rather than trusting anything that happens to be on the "BAS VLAN", and segmenting the network so that reaching one device does not mean reaching all of them.
Cryptography lies at the heart of much of cybersecurity today. From the Greek word "kryptós" for "hidden, secret", it is the practice and study of techniques for secure communication in the presence of third-party adversaries. Today cryptography is fundamentally a mathematical discipline, using well-studied algorithms and keys large enough that breaking them is computationally infeasible for a third party.
As a system user, what matters is knowing that your communication is encrypted with a currently accepted mechanism (TLS 1.2 or later, for example), keys of adequate length, and certificates that are properly issued, validated and kept current. The mathematics can be left to the implementers, but "encrypted" with an unverified certificate or a deprecated protocol is not secure, and it is worth checking for both.
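To make that check concrete, the following is an added example (not code from the article or from any product it mentions) using Python's standard ssl module. It builds the kind of client context a BAS front end or integration script should use to talk to a TLS-enabled device or hub, builds the weak "just make it work" context that such scripts often end up with, and audits either one for the three settings that matter most: the protocol floor, whether a peer certificate is required at all, and whether the certificate's name is checked against the host being contacted. The function names are mine, and the CA bundle path passed as cafile is an assumption about the site's own PKI.

```python
import ssl


def hardened_client_context(cafile=None):
    """Client context for talking to a TLS-enabled BAS device or hub.

    cafile is assumed to be a PEM bundle holding the site's private CA; without it the
    operating system's trust store is used, which is only right for public certificates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL and TLS 1.0/1.1 outright
    ctx.verify_mode = ssl.CERT_REQUIRED            # the peer must present a certificate that chains to a trusted CA
    ctx.check_hostname = True                      # and that certificate must name the host we intended to reach
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def legacy_client_context():
    """Constructed for contrast: what a quick integration script tends to produce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate, so anything in the path can impersonate the device
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still allows, rather than a pinned floor
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context passes all three checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode is CERT_NONE or CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against the target host")
    return findings


def connection_summary(ssock):
    """What to log once a connection is up: negotiated version, cipher suite and the peer's subject."""
    return {"version": ssock.version(),
            "cipher": ssock.cipher(),
            "peer_subject": ssock.getpeercert().get("subject")}


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "no findings")
    print("legacy:", audit_client_context(legacy_client_context()))
```

Run the audit against whatever context an integration actually uses; a context that passes but is then wrapped around a socket with server_hostname omitted still loses the hostname check, so connection_summary is there to confirm, from the live socket, what was really negotiated.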
Candid Camera (privacy)
An increasing aspect of cybersecurity is protecting the privacy of people, whether they are users of the system or the broader public, such as the occupants of buildings. In Europe this is encapsulated in the GDPR (General Data Protection Regulation), which the EU began enforcing in May 2018. In the US, California's SB-327 (a connected-device security law signed in 2018 and effective January 2020) and the California Consumer Privacy Act (also 2018) are the first of their kind, and odds are that we'll see more of this at state and federal levels before long.
For BAS, the concern is knowing whether your system collects, stores or processes any personally identifiable information (PII): occupant names, badge numbers, access-control logs, camera images, or occupancy traces that can be tied to an individual. If it does, you should tread carefully.
Roads and bridges (infrastructure)
Like many of the issues of BAS and its convergence with IT, this one is front of mind. We rely on our roads and bridges to drive safely to work and run errands. In a similar vein, the networks we rely upon for BAS, both private and public, will require good design and constant maintenance for the secure transfer of
Since IP is today core to BAS, a basic understanding of IP networking (addressing and subnets, routing, and which UDP and TCP ports a system actually uses) should be a requirement for all engineers and business professionals working in the space. The basics are not rocket science.
Buildings and facilities (BACnet)
Once you get into the building, the very domain of BAS, we really need to consider the cybersecurity of Building Automation and Control Networks, aka BACnet. After decades of standards battles, the industry has adopted BACnet. Now the industry must secure it.
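To see what "secure it" has to cover, the following added example (my code, not the article's and not any vendor's) encodes and decodes two BACnet/IP messages as they travel on UDP port 47808: a broadcast Who-Is, which makes every device on the segment announce itself, and a confirmed WriteProperty that commands an analog output's present value at priority 8. The service, object-type and property numbers are the standard's; the device instance, invoke ID and setpoint are constructed. The point the bytes make on their own is that nothing in the BVLC, NPDU or APDU headers identifies or authenticates the sender, which is exactly what BACnet/SC was created to add.

```python
import struct

# BACnet/IP framing (ASHRAE 135 Annex J): BVLC header, then NPDU, then APDU.
BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B

PDU_CONFIRMED_REQUEST = 0      # high nibble of the first APDU octet
PDU_UNCONFIRMED_REQUEST = 1

SVC_WHO_IS = 8                 # unconfirmed service choice
SVC_WRITE_PROPERTY = 15        # confirmed service choice
OBJ_ANALOG_OUTPUT = 1          # object type number from the standard
PROP_PRESENT_VALUE = 85        # property identifier from the standard


def object_identifier(obj_type, instance):
    """BACnetObjectIdentifier: 10-bit object type and 22-bit instance, big-endian."""
    return struct.pack(">I", (obj_type << 22) | (instance & 0x3FFFFF))


def bvlc_frame(function, npdu_control, apdu):
    """Wrap an APDU in an NPDU (version 1, no routing fields) and a BVLC header carrying the total length."""
    body = bytes([0x01, npdu_control]) + apdu
    return bytes([BVLC_TYPE, function]) + struct.pack(">H", 4 + len(body)) + body


def who_is():
    """Broadcast Who-Is with no instance range: every device on the segment replies with I-Am."""
    return bvlc_frame(BVLC_ORIGINAL_BROADCAST, 0x00, bytes([0x10, SVC_WHO_IS]))


def write_property_real(invoke_id, obj_type, instance, prop_id, value, priority):
    """Confirmed WriteProperty of a REAL at a command priority (1 highest, 16 lowest). No credential anywhere."""
    apdu = bytes([0x00, 0x05, invoke_id, SVC_WRITE_PROPERTY])      # confirmed request, max APDU 1476, unsegmented
    apdu += bytes([0x0C]) + object_identifier(obj_type, instance)  # context tag 0, length 4
    apdu += bytes([0x19, prop_id])                                  # context tag 1, length 1 (property ids < 256)
    apdu += bytes([0x3E, 0x44]) + struct.pack(">f", value) + bytes([0x3F])  # open tag 3, REAL (app tag 4), close tag 3
    apdu += bytes([0x49, priority])                                 # context tag 4, length 1
    return bvlc_frame(BVLC_ORIGINAL_UNICAST, 0x04, apdu)            # NPDU control 0x04: a reply is expected


def decode(frame):
    """Parse the three headers and, for WriteProperty, its parameters. Raises ValueError on malformed input."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length does not match frame length")
    if frame[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, off = frame[5], 6
    if control & 0x80:
        raise ValueError("network-layer message carries no APDU")
    if control & 0x20:                 # DNET (2), DLEN (1), DADR (DLEN octets) present
        off += 3 + frame[off + 2]
    if control & 0x08:                 # SNET (2), SLEN (1), SADR (SLEN octets) present
        off += 3 + frame[off + 2]
    if control & 0x20:                 # hop count follows the address fields
        off += 1
    apdu = frame[off:]
    if len(apdu) < 2:
        raise ValueError("truncated APDU")
    pdu_type = apdu[0] >> 4
    out = {"bvlc_function": frame[1], "npdu_control": control}
    if pdu_type == PDU_UNCONFIRMED_REQUEST:
        out.update(pdu="unconfirmed", service=apdu[1])
    elif pdu_type == PDU_CONFIRMED_REQUEST:
        out.update(pdu="confirmed", invoke_id=apdu[2], service=apdu[3])
        if apdu[3] == SVC_WRITE_PROPERTY:
            out.update(_parse_write_property(apdu[4:]))
    else:
        raise ValueError("PDU type %d not handled here" % pdu_type)
    return out


def _parse_write_property(p):
    i = 0

    def expect(tag):
        nonlocal i
        if i >= len(p) or p[i] != tag:
            raise ValueError("expected tag 0x%02x at offset %d" % (tag, i))
        i += 1

    expect(0x0C)
    oid = struct.unpack(">I", p[i:i + 4])[0]
    i += 4
    expect(0x19)
    prop_id = p[i]
    i += 1
    index = None
    if p[i] == 0x29:                   # optional context tag 2: one-octet array index
        index = p[i + 1]
        i += 2
    expect(0x3E)
    if i >= len(p) or p[i] & 0x08 or (p[i] & 0x07) == 5:
        raise ValueError("only short application-tagged values are decoded here")
    app_tag, ln = p[i] >> 4, p[i] & 0x07
    raw = p[i + 1:i + 1 + ln]
    i += 1 + ln
    if app_tag == 4 and ln == 4:       # REAL
        value = struct.unpack(">f", raw)[0]
    elif app_tag in (2, 9):            # Unsigned or Enumerated
        value = int.from_bytes(raw, "big")
    else:
        value = ("application tag %d" % app_tag, raw)
    expect(0x3F)
    priority = p[i + 1] if i + 1 < len(p) and p[i] == 0x49 else None
    return {"object_type": oid >> 22, "instance": oid & 0x3FFFFF,
            "property": prop_id, "index": index, "value": value, "priority": priority}
```

Twenty-six bytes, and any host that can reach the controller's UDP port can send them; the only "check" a plain BACnet/IP device performs is that the frame parses. That is why the monitoring, segmentation and hygiene items above matter so much for BACnet, and why the transport protection BACnet/SC brings is necessary even though it is not sufficient.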
BACnet/SC (Secure Connect) secures the links between BACnet/SC-capable devices with TLS and certificates, but what building owners need is to secure the whole building, not just those devices: legacy BACnet/IP and MS/TP segments, other protocols, and the IP cameras, access-control panels and workstations that share the network all fall outside it. As such, additional technologies and features are needed on top of BACnet/SC. Look out for these offerings in the next few months.
Going underground (tunneling, VPN and the like)
A set of technologies gaining traction encapsulates BAS traffic in an encrypted tunnel, some form of virtual private network (VPN), so that legacy protocols can cross untrusted networks protected by strong encryption. The technique is very effective and is becoming much easier to implement as vendors market products and services targeting BAS, IoT and OT systems. Bear in mind that a tunnel protects data in transit only: it does nothing to authenticate or limit what a device may do once its traffic emerges at the other end.
While these solutions provide an effective answer to a real problem, BAS professionals should consider the long-term consequences of managing what is effectively a wide-area virtual network. It is unknown what IT organizations are going to make of this, since it is typically these organizations that want to manage all