Security vs. Security The purpose of this article is to try and put all of this cybersecurity “stuff” into some order that can hopefully help people in the BAS industry decide what is important for them.

Anto Budiardjo, Editor,  New Deal for Buildings Contributing Editor

Articles

Interviews

Releases

New Products

Reviews

Editorial

Events

Sponsors

Site Search

Newsletters

Archives

Past Issues

Home

Editors

eDucation

Training

Links

Software

Subscribe

2019 seems to be the year of cybersecurity in BAS, at least the year where cybersecurity is becoming a topic of significant interest for the industry. Quite rightly so.

Not a day passes it seems that a new security initiative, product, company, standard, or (on the bad side) intrusion vector comes across our desks, if not pertaining to BAS, then to IoT or the IT/OT axis.

Is that good? Yes, the subject is important. Is it confusing? Regrettably, it’s a complex issue, global in nature, so there are many perspectives and motives that make it complicated.

The purpose of this article is to try and put all of this cybersecurity “stuff” into some order that can hopefully help people in the BAS industry decide what is important for them. It’s not an easy task, but let’s give this a go…and I’ll try and inject a little levity!

Spy plane stuff (70,000 ft and above)

Much of what we hear about cybersecurity daily in the news are issues that are beyond the influence of most individuals and companies. I am talking about state-sponsored cyber-hacking as well as the counter activities that other state-sponsored organizations (using our tax dollars) perform to keep us safe. Should we ignore these issues?

• We can learn a lot from intrusions such as Stuxnet, everything from the dangers of USB to the lengths bad actors would go through, and the impact such intrusions make to control systems.
• CISCP (Cyber Information Sharing and Collaboration Program), created by the US government for public-private cyber information dispersal, is especially relevant for critical facilities.
• Watch out for intrusions into consumer IoT devices that are now everywhere; bear in mind that many BAS devices have much in common with those consumer IoT devices.
  

Cops and robbers (monitoring)

This side of cybersecurity is perhaps the one in which we have the most experience. Most (hopefully all) of us using Windows would have some form of antivirus monitoring apps such as Norton or McAfee. The role of these apps working within a device is to monitor incoming information to make sure it is not harmful, using blacklists and whitelists and other techniques to prevent malware to operate in the device.

• Without constant updates, this type of defense becomes more and more ineffective over time.
• This type of monitoring is not prevalent in BAS devices mainly since connecting them to the Internet is a relatively new thing.
• Because BAS devices are seldom updated (due to the cost of testing, etc.), this technique is unlikely to be widespread in edge devices.

Because cybersecurity is a dynamic thing, the biggest issue with this approach of malware detection is that they need to be constantly updated. This would be hard for BAS devices that are not frequently updated. For desktop-class computers and laptops, on the other hand, this remains a useful tool to detect malware.

Hospitals and doctors (hygiene)

This is very much a people issue; cybersecurity hygiene is a colloquial term referring to best practices and other activities that computer system administrators and users can undertake to improve their cybersecurity while engaging in common online activities, such as web browsing, emailing, texting, etc.

• Top of the list here is the nightmare of managing Usernames and Passwords, and our bad habits of writing them down on Post-it notes.
• Another bad hygiene habit is BAS control devices that allow their default username/password to be used, not forcing users to change the password.
• Phishing is another example of threats that can be mitigated by our behavior, to me this is the scariest, having been almost caught a number of times. Use good email spam filters and be careful when you click on a link in an email.
  
• Two/Multi-Factor Authentication is a great technology for humans, but the system has to be architected in a way that can use this to benefit from this technique.

I have always thought the term “hygiene” strange in this context, but it is really a good way of thinking about it. The same way we keep our bodies clean with tools such as soap and detergents, keeping our digital selves and our buildings clean requires the same dedication to hygiene.

Smoke and mirrors (zero trust security)

A growing sector in cybersecurity is Zero Trust. It is a security concept centered on the belief that organizations should not inherently trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

• Packet sniffing is the relatively new discipline of looking at network data packets and establishing whether or not they are legitimate to be traversing the network. A great deal of awareness can be gleaned from watching packets, especially with the help of AI.
  
• Another way to think about zero-trust security is the creation of a layer of security above the network fabric, by encryption at either the data or application layers. In this way, the secured layer is not impacted by breaches in the underlying infrastructure.

Zero trust security is an important approach for BAS networks, especially as they start to operate on corporate IT networks and the Internet.

Y3J5cHRvZ3JhcGh5 (cryptography)

Cryptography lies at the heart of much of cybersecurity today. From the Greek word “kryptós” for “hidden, secret”, it is the practice and techniques for secure communication in the presence of third party adversaries. Today cryptography is fundamentally in the mathematics domain using increasingly large keys and algorithms to make it almost impossible for a third party to break.

• There are many types of cryptography techniques, too many to explore here. One we use on a daily basis is TLS/SSL certificates that websites use so visitors can be assured they are viewing pages from the site they expect, not some malicious site.
• In many cases, the secureness of the connection comes down to the number of bits used in the keys; in other words, the complexity of the keys. Today, this is typically 128, 256, 512 bits or higher.
• A shared secret mechanism is often used for two cloud servers in which both ends know a common key and communication between them is encrypted and decrypted using that same key. Most API mechanisms work using this method.
  

As a system user, it’s important just to know that your communication is being encrypted using the acceptable mechanism and keys/certs appropriate for the task.

Candid Camera (privacy)

An increasing aspect of cybersecurity is protecting the privacy of people, whether they are users of the system or the broader general public such as occupants in buildings. In Europe, this is very much encapsulated in GDPR (General Data Protection Regulation) enacted by the EU in May 2018. California’s SB-327 is the first in the US, and odds are that we’ll see more of this at state and federal levels in the US before long.

• Within the EU there is no choice but to abide by GDPR, and you’ll probably need to hire lawyers!
• Even outside of the EU, we should be conscious of what data we store about people and also of GDPR if your users could be in Europe. For cloud-systems, your users can, of course, be anywhere!
• While BAS is not about individuals, the occupancy of a room is a proxy of a person’s behavior. If an occupancy sensor knows the comings and goings of the occupant in room X, is that encroaching on the privacy of the room’s occupant?
• California’s SB-327 is very specific about smart devices, something that will impact BAS.
  

For BAS, the concern here is knowing if your system’s activities maintain or impacts any personally identifiable information (PII). If you do, you should tread carefully.

Roads and bridges (infrastructure)

Like many of the issues of BAS and the convergence with IT, this issue is in front of the mind. We rely on our roads and bridges to safely drive to work and run errands. In a similar vein, the networks we rely upon for BAS, both private and public, will require good design and constant maintenance for the secure transfer of information.

• Much of the networking infrastructure used by BAS will be IP, specifically TCP/IP. The huge benefit of using IP is that the rest of the world uses it, and there are many products and techniques that understand IP, which is very different from when BAS used proprietary protocols.
• A broad area of IP encompasses networking components such as switches, routers, and firewalls. Also included in this category is the media used from Ethernet cabling to fiber and wireless. Get to know these.
• Since the Internet is used more and more these days in BAS, you should be aware of the interfaces to the Internet, including ISP, wireless providers, as well as how Internet service is provided by providers.

Since IP is today core to BAS, having a basic understanding of IP should be a requirement for all engineers and business professionals working in the space. The basics are not rocket science.

Buildings and facilities (BACnet)

Once you get into the building--the very domain of BAS--we really need to consider the cybersecurity of the Building Automation Control Network, aka BACnet. After decades of standards battles, the industry has adopted BACnet. Now the industry must secure it.

• BACnet was created in the early 1990s to solve a specific problem of displacing multiple proprietary protocols that were typically RS-485 type serial networks. As such, while there were some security provisions in early BACnet, they were mostly ignored as security was not a concern in those days.
• With the convergence with IT, specifically using IP, BACnet needs to take security seriously. To do this, the BACnet Committee is about to release BACnet/SC (Secure Connect) that makes communication between BACnet devices as secure as between your browser and your bank.
• The industry is eagerly awaiting the broad adoption of BACnet/SC over the course of 2020.

While BACnet/SC secures the connection between BACnet devices, it’s worth noting that what building owners need is to secure the whole building, not just those BACnet/SC devices. As such, additional technologies and features are needed atop of BACnet/SC. Look out for these offerings in the next few months.

Going underground (tunneling, VPN and the likes)

A set of technologies that are gaining traction involve hiding network communications in some form of virtual private networks (VPN) by using strong encryption. This technique is very effective and becoming much easier to implement as vendors market products and services that target BAS, IoT and OT systems.

• Think Elon Musk’s Boring Company, nonstop from one end of LA to the other, without anyone on the surface knowing about your trip, and do that securely!
• A key standard for VPN is OpenVPN, which is used by many vendors offering secure connections from the Internet into private networks without any risky port-forwarding.
• Some solutions from vendors include the management of the connections between multiple sites, effectively creating a virtual network overlay that can span a campus or the globe.

While these solutions provide an effective solution to a problem, BAS professionals should consider the long-term consequences of managing what is effectively a wide-area virtual network. It is unknown what IT organizations are going to make of this since it is typically these organizations that want to manage all network nodes.