Cybersecurity and Facility IT   How should we look at cybersecurity risks in the age of Facility IT?

Anto Budiardjo, Facility IT Evangelist anto@budiardjo.com As published on New Deal blog Contributing Editor

There isn’t a day that goes by where cybersecurity isn’t in the news lately. From data breaches at large consumer-facing companies, DoS (Denial of Service) attacks on websites, political influence hacking, stories of personal credit exploits, as well as debates of future wars fought in cyberspace. The benefits we enjoy from our digital devices come at a cost; the risk that bad actors gain access to our increasing cyber footprint, with all of the perils that are implied.

Nowhere has cybersecurity threats been felt more than in small and large enterprises that make up the world’s commercial infrastructure. IT departments across the world treat cyber threats as if their livelihoods depend on it because it does! The question posed here is the relationship between cybersecurity and building systems that are increasingly becoming part of the critical infrastructure of commerce. How should we look at cybersecurity risks in the age of Facility IT?

Attack Surface

Key to understanding cybersecurity is the concept of attack surfaces. An attack surface is a digital interface point where a bad actor can breach a system’s security, either to steal assets or implant malware. This could be the USB socket, an Ethernet connection, WiFi access points, as well as the connection to the public Internet. An innocent user with a USB flash drive or a misconfigured firewall can potentially bring down billion dollar corporations to its knees, given a motivated attacker. IT departments have become adept at minimizing their attack surfaces, despite cries from users who desire the “dangerous” flexibility of doing what they want to do.

It seems that there is nothing an IT security person like to say more than “no,” to any request to connect a new device to their network. This seems to be the default reaction when they try to bring their BAS devices into an IT infrastructure. Is this paranoia on their part? Or, is this an indication on the state of BAS cybersecurity, or lack thereof?

Cybersecurity in Building Systems

Building automation systems (BAS), including HVAC, lighting, energy management, and physical security started to be installed in buildings in the 1980s, well before the Internet was in broad use. Through the 1990s and 2000s, building systems were mostly non-IP, except at the supervisory PC-based user interface. This was a blessing from a cybersecurity perspective since it made malicious encroachment of IT networks almost impossible, this is security through obscurity.

The side effect of this was that for the BAS industry, cybersecurity was not much of a concern. Decades of this behavior has left many installed systems with default passwords if any, and general nonchalant attitudes on the subject. There has also been little reason to care, since “what’s the harm in hackers changing a temperature setpoint,” and why would anyone want to do that! So went the common wisdom.

This approach was also seen in the minimal security consideration in the initial 1990s work to create the BACnet network communication standard, created under the auspices of the industry body ASHRAE. Although BACnet has included optional network security functionality since the standard was first published in 1995, that functionality has been rarely implemented.  A competent engineer can today crawl into the plenum area of a building and connect to a simple 2-wire network of these systems, and change all manner of parameters of an operation with impunity. The addition of BACnet/IP to the BACnet standard in 1999 didn’t help; in fact, it made matters worse on the security front. No wonder that BAS has gotten a bad wrap by those in IT concerned with security.

Creating an Air Gap

The default reaction by many who absolutely need to install IP-based BAS devices is to separate their network from the IT network, either physically or virtually. This effectively creates an “Air Gap” between the BAS network and the IT infrastructure. The irony of this approach is that having fought to get IP into BAS devices, we were basically reverting back to the decade-old security through obscurity model. Hey, if that was the best practice for decades, why not continue, so the common wisdom would suggest.

Under pressure to install the latest IP-based devices, with the IT departments still viewing BAS as “dangerous,” this seems to be where things are right now. Will this approach be the best practice for years to come? Are the challenges of integrating IT with OT (Operational technology, a.k.a. BAS) so difficult that air gapping is the only way forward?

Cybersecurity in the age of Facility IT

If the promise of Facility IT is to come to be, air gaps virtual or otherwise cannot be the ultimate solution. The industry must declare a mission to make its systems secure enough to be a well-regarded citizen of a secure IT infrastructure. I regard this as a key objective of Facility IT, to be able to truly deliver on the promise of intelligent buildings and productive facilities for owners and occupiers.
 

The structure of Facility IT is key to our way forward on cybersecurity. Facility IT separates core BAS functionality (real-time sensing, the sequence of operations, and controls) from the IT and enterprise-centric functionalities (analytics, big data, ERP integration, etc.). This separation is not an air gap; it’s an information interface, forming a surface that can be managed and monitored using standards, in a similar manner to other secure interface areas in the IT infrastructure. Think of this as a building firewall.

[an error occurred while processing this directive]As per the original tenets from the New Deal for Buildings (see white paper here), this is best established by the wide adoption of standards that understands and serves BAS systems. As noted by many over the past months, this should be the BACnet standard. At the time when the white paper was released, the BACnet committee had not made the necessary steps to make it truly “IT-friendly.” In 2019, this should change with the expected release of BACnet/SC (Secure Connect).

Moving Forward

Positioned well, BACnet/SC can become the answer to shedding the “air gap” mentality. BACnet/SC should be the answer to any BAS/OT engineer requesting their system to be integrated with the IT infrastructure. Explained well, IT security experts will understand the security delivered by the standard, as something that abides the norms expected by most cybersecurity experts.

I am excited to see how the Facility IT space can innovate once this cybersecurity challenge is solved with BACnet/SC. I suspect that the floodgates will open on many products and services that can leverage a secure infrastructure from the depths of BAS devices all the way to the enterprise cloud.

The age of secured Facility IT is nearly upon us.