Innovations in Comfort, Efficiency, and Safety Solutions.
|Cybersecurity and Facility IT
How should we look at cybersecurity risks in the age of Facility IT?
Budiardjo, Facility IT Evangelist
As published on New Deal blog
There isn’t a day that goes by where cybersecurity isn’t in the news lately. From data breaches at large consumer-facing companies, DoS (Denial of Service) attacks on websites, political influence hacking, stories of personal credit exploits, as well as debates of future wars fought in cyberspace. The benefits we enjoy from our digital devices come at a cost; the risk that bad actors gain access to our increasing cyber footprint, with all of the perils that are implied.
Nowhere has cybersecurity threats been felt more than in small and large enterprises that make up the world’s commercial infrastructure. IT departments across the world treat cyber threats as if their livelihoods depend on it because it does! The question posed here is the relationship between cybersecurity and building systems that are increasingly becoming part of the critical infrastructure of commerce. How should we look at cybersecurity risks in the age of Facility IT?
to understanding cybersecurity is the concept of attack surfaces. An
attack surface is a digital interface point where a bad actor can
breach a system’s security, either to steal assets or implant malware.
This could be the USB socket, an Ethernet connection, WiFi access
points, as well as the connection to the public Internet. An innocent
user with a USB flash drive or a misconfigured firewall can potentially
bring down billion dollar corporations to its knees, given a motivated
attacker. IT departments have become adept at minimizing their attack
surfaces, despite cries from users who desire the “dangerous”
flexibility of doing what they want to do.
seems that there is nothing an IT security person like to say more than
“no,” to any request to connect a new device to their network. This
seems to be the default reaction when they try to bring their BAS
devices into an IT infrastructure. Is this paranoia on their part? Or,
is this an indication on the state of BAS cybersecurity, or lack
Cybersecurity in Building Systems
Building automation systems (BAS), including HVAC, lighting, energy management, and physical security started to be installed in buildings in the 1980s, well before the Internet was in broad use. Through the 1990s and 2000s, building systems were mostly non-IP, except at the supervisory PC-based user interface. This was a blessing from a cybersecurity perspective since it made malicious encroachment of IT networks almost impossible, this is security through obscurity.
The side effect of this was that for the BAS industry, cybersecurity was not much of a concern. Decades of this behavior has left many installed systems with default passwords if any, and general nonchalant attitudes on the subject. There has also been little reason to care, since “what’s the harm in hackers changing a temperature setpoint,” and why would anyone want to do that! So went the common wisdom.
This approach was also seen in the minimal security consideration in the initial 1990s work to create the BACnet network communication standard, created under the auspices of the industry body ASHRAE. Although BACnet has included optional network security functionality since the standard was first published in 1995, that functionality has been rarely implemented. A competent engineer can today crawl into the plenum area of a building and connect to a simple 2-wire network of these systems, and change all manner of parameters of an operation with impunity. The addition of BACnet/IP to the BACnet standard in 1999 didn’t help; in fact, it made matters worse on the security front. No wonder that BAS has gotten a bad wrap by those in IT concerned with security.
Creating an Air Gap
default reaction by many who absolutely need to install IP-based BAS
devices is to separate their network from the IT network, either
physically or virtually. This effectively creates an “Air Gap” between
the BAS network and the IT infrastructure. The irony of this approach
is that having fought to get IP into BAS devices, we were basically
reverting back to the decade-old security through obscurity model. Hey,
if that was the best practice for decades, why not continue, so the
common wisdom would suggest.
pressure to install the latest IP-based devices, with the IT
departments still viewing BAS as “dangerous,” this seems to be where
things are right now. Will this approach be the best practice for years
to come? Are the challenges of integrating IT with OT (Operational
technology, a.k.a. BAS) so difficult that air gapping is the only way
Cybersecurity in the age of Facility IT
the promise of Facility IT is to come to be, air gaps virtual or
otherwise cannot be the ultimate solution. The industry must declare a
mission to make its systems secure enough to be a well-regarded citizen
of a secure IT infrastructure. I regard this as a key objective of
Facility IT, to be able to truly deliver on the promise of intelligent
buildings and productive facilities for owners and occupiers.
The structure of Facility IT is key to our way forward on cybersecurity. Facility IT separates core BAS functionality (real-time sensing, the sequence of operations, and controls) from the IT and enterprise-centric functionalities (analytics, big data, ERP integration, etc.). This separation is not an air gap; it’s an information interface, forming a surface that can be managed and monitored using standards, in a similar manner to other secure interface areas in the IT infrastructure. Think of this as a building firewall.
As per the original tenets from the New Deal for Buildings (see white paper here), this is best established by the wide adoption of standards that understands and serves BAS systems. As noted by many over the past months, this should be the BACnet standard. At the time when the white paper was released, the BACnet committee had not made the necessary steps to make it truly “IT-friendly.” In 2019, this should change with the expected release of BACnet/SC (Secure Connect).
well, BACnet/SC can become the answer to shedding the “air gap”
mentality. BACnet/SC should be the answer to any BAS/OT engineer
requesting their system to be integrated with the IT infrastructure.
Explained well, IT security experts will understand the security
delivered by the standard, as something that abides the norms expected
by most cybersecurity experts.
excited to see how the Facility IT space can innovate once this
cybersecurity challenge is solved with BACnet/SC. I suspect that the
floodgates will open on many products and services that can leverage a
secure infrastructure from the depths of BAS devices all the way to the
age of secured Facility IT is nearly upon us.
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]