October 2019

Innovations in Comfort, Efficiency, and Safety Solutions.

(Click Message to Learn More)

Security vs. Security

The purpose of this article is to try and put all of this cybersecurity “stuff” into some order that can hopefully help people in the BAS industry decide what is important for them.
Anto Budiardjo

Anto Budiardjo,
 New Deal for Buildings

Contributing Editor

Security vs. Security

New Products
Securing Buildings News
Site Search
Past Issues
Secured by Cimetrics
Control Solutions, Inc

2019 seems to be the year of cybersecurity in BAS, at least the year where cybersecurity is becoming a topic of significant interest for the industry. Quite rightly so.

Not a day passes it seems that a new security initiative, product, company, standard, or (on the bad side) intrusion vector comes across our desks, if not pertaining to BAS, then to IoT or the IT/OT axis.

Is that good? Yes, the subject is important. Is it confusing? Regrettably, it’s a complex issue, global in nature, so there are many perspectives and motives that make it complicated.

The purpose of this article is to try and put all of this cybersecurity “stuff” into some order that can hopefully help people in the BAS industry decide what is important for them. It’s not an easy task, but let’s give this a go…and I’ll try and inject a little levity!

Spy plane stuff (70,000 ft and above)

Much of what we hear about cybersecurity daily in the news are issues that are beyond the influence of most individuals and companies. I am talking about state-sponsored cyber-hacking as well as the counter activities that other state-sponsored organizations (using our tax dollars) perform to keep us safe. Should we ignore these issues?

I suggest we keep track of these but keep them in their place, yet recognizing these issues could show trends that may impact BAS down the road.

Cops and robbers (monitoring)

This side of cybersecurity is perhaps the one in which we have the most experience. Most (hopefully all) of us using Windows would have some form of antivirus monitoring apps such as Norton or McAfee. The role of these apps working within a device is to monitor incoming information to make sure it is not harmful, using blacklists and whitelists and other techniques to prevent malware to operate in the device.

Because cybersecurity is a dynamic thing, the biggest issue with this approach of malware detection is that they need to be constantly updated. This would be hard for BAS devices that are not frequently updated. For desktop-class computers and laptops, on the other hand, this remains a useful tool to detect malware.

Hospitals and doctors (hygiene)

This is very much a people issue; cybersecurity hygiene is a colloquial term referring to best practices and other activities that computer system administrators and users can undertake to improve their cybersecurity while engaging in common online activities, such as web browsing, emailing, texting, etc.

I have always thought the term “hygiene” strange in this context, but it is really a good way of thinking about it. The same way we keep our bodies clean with tools such as soap and detergents, keeping our digital selves and our buildings clean requires the same dedication to hygiene.

Smoke and mirrors (zero trust security)

A growing sector in cybersecurity is Zero Trust. It is a security concept centered on the belief that organizations should not inherently trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

Zero trust security is an important approach for BAS networks, especially as they start to operate on corporate IT networks and the Internet.

Y3J5cHRvZ3JhcGh5 (cryptography)

Cryptography lies at the heart of much of cybersecurity today. From the Greek word “kryptůs” for “hidden, secret”, it is the practice and techniques for secure communication in the presence of third party adversaries. Today cryptography is fundamentally in the mathematics domain using increasingly large keys and algorithms to make it almost impossible for a third party to break.

As a system user, it’s important just to know that your communication is being encrypted using the acceptable mechanism and keys/certs appropriate for the task.

Candid Camera (privacy)

An increasing aspect of cybersecurity is protecting the privacy of people, whether they are users of the system or the broader general public such as occupants in buildings. In Europe, this is very much encapsulated in GDPR (General Data Protection Regulation) enacted by the EU in May 2018. California’s SB-327 is the first in the US, and odds are that we’ll see more of this at state and federal levels in the US before long.

Control Solutions, Inc For BAS, the concern here is knowing if your system’s activities maintain or impacts any personally identifiable information (PII). If you do, you should tread carefully.

Roads and bridges (infrastructure)

Like many of the issues of BAS and the convergence with IT, this issue is in front of the mind. We rely on our roads and bridges to safely drive to work and run errands. In a similar vein, the networks we rely upon for BAS, both private and public, will require good design and constant maintenance for the secure transfer of information.

Since IP is today core to BAS, having a basic understanding of IP should be a requirement for all engineers and business professionals working in the space. The basics are not rocket science.

Buildings and facilities (BACnet)

Once you get into the building--the very domain of BAS--we really need to consider the cybersecurity of the Building Automation Control Network, aka BACnet. After decades of standards battles, the industry has adopted BACnet. Now the industry must secure it.

While BACnet/SC secures the connection between BACnet devices, it’s worth noting that what building owners need is to secure the whole building, not just those BACnet/SC devices. As such, additional technologies and features are needed atop of BACnet/SC. Look out for these offerings in the next few months.

Going underground (tunneling, VPN and the likes)

A set of technologies that are gaining traction involve hiding network communications in some form of virtual private networks (VPN) by using strong encryption. This technique is very effective and becoming much easier to implement as vendors market products and services that target BAS, IoT and OT systems.

While these solutions provide an effective solution to a problem, BAS professionals should consider the long-term consequences of managing what is effectively a wide-area virtual network. It is unknown what IT organizations are going to make of this since it is typically these organizations that want to manage all network nodes.


[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]


Want Ads

Our Sponsors