BAS and Cyber-Security Traditionally building systems including BAS have been protected partially through obscurity, and largely through physical protection.

Paul Ehrlich, Ira Goldschmidt & Angela Lewis Building Intelligence Group As published   April Issue - Column

During the President’s recent State of the Union address one of the key initiatives identified dealt with the issue of Cyber-Security.  This was supported by a new White House initiative focused on protecting critical infrastructure from attacks.  What is interesting about this initiative is that it is much broader than just computer networks and IT systems, but also includes industrial systems including those used to control the power grid and critical infrastructure.  This, and other recent industry efforts, has raised questions about security and the level of protection against potential attacks for building automation system. 

Background:

Traditionally building systems including BAS have been protected partially through obscurity, and largely through physical protection.  Gaining access to a building control system and enabling or disabling systems, or even changing setpoints required accessing the building and entering mechanical and electrical rooms, which are typically secured. However as we have moved toward control systems that are network (or Internet) enabled, it is now possible to access these systems through the building network or even remotely through the Internet.  At the same time the systems have become increasingly less obscure.  Older, proprietary BAS systems could only be accessed through a desktop computer application.  This was typically located in a secured area and was protected by user name and password.  As we have moved to open systems including those that utilize BACnet, LonTalk, and Tridium Niagara, it becomes possible to access the systems using tools other then a workstation leading to more paths for potential breaches.  In fact one of the goals of an open protocol control system is to make communications easy, which in turn can make these systems potential targets for attacks. Within the industry many have long been aware of this potential vulnerability, but recent events have led to a broader awareness of this issue. 

Protection:

There is work going on within the industry to better protect systems including changes to the open protocol standards, as well as software patches and improvements from suppliers and new products coming on the market intended to provide added protection.  In the meantime, however, there are several recommended approaches that should be used to provide security protection for any BAS.  These include:

• [an error occurred while processing this directive]Physical Security:  Protecting access to communication links, networks, and workstations within the building remains critical.  This includes placing controllers, network routers, and locked cabinets within a secured room.  It also means common sense measures such as not using default passwords or writing the password on a post it note attached to the workstation.
• Network Security:  The best option today to protect systems that are on shared networks is the use of a Virtual Local Area Network (VLAN).  A VLAN uses software within the network to limit communications to only those nodes that are authorized. A well-configured VLAN will only allow for dedicated ports to talk to each other and will typically lock this to a set of specific addresses.  Set up and maintained properly a VLAN is the best tool available for protecting BAS information.  Beyond the VLAN the use of an Internet firewall, which limits communication between the building network and the public Internet is also required.
• Regular Software Updates:  Just like you need to keep the software on your PC up to date, regular updates of BAS devices are also required.  Working with your controls contractor or systems integrator is recommended.

While arguably the risk to an attack on a BAS is less serious then that of a power plant, it is still a risk and one that we can not afford to have occur.  Following this issue and utilizing designs to protect systems is highly recommended. 

About the Authors

Paul and Ira first worked together on a series of ASHRAE projects including the BACnet committee and Guideline 13 – Specifying DDC Controls. The formation of Building Intelligence Group provided them the ability to work together professionally providing assistance to owners with the planning, design and development of Intelligent Building Systems. Building Intelligence Group provides services for clients worldwide including leading Universities, Corporations, and Developers. More information can be found at www.buildingintelligencegroup.com  We also invite you to contact us directly at Paul@buildingintelligencegroup.com or ira@buildingintelligencegroup.com

[an error occurred while processing this directive]
[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]