April 2014 |
Making BAS Readily Accessible but Protected from Cyber Attack
Paul Ehrlich, Ira Goldschmidt & Angela Lewis
April Issue - BAS Column
Chances are you have heard about the data breach at Target that occurred late last year, in which customers' information, including credit card numbers, was obtained through a cyber attack. Perhaps, like our family, your card data was taken, resulting in unauthorized charges and the eventual cancellation and replacement of cards.

The details of how this attack occurred are still under investigation, and what is found could have a major impact on both network and credit card security. During this ongoing investigation, information about the attack has been appearing online and in the media. Some of this information has been fairly accurate, while other parts have been speculation. For example, a few weeks ago the website www.KrebsOnSecurity.com revealed that the credentials used to access the Target network were stolen from an HVAC and refrigeration contractor. This information appears to be accurate, but the site then went on to speculate that the contractor may have had access to the Target network in order to monitor the control systems for HVAC and refrigeration. That turned out to be false; the contractor had access in order to retrieve work orders and submit invoices. But even having this issue raised has caused concern among many owners about control systems being a potential security weakness. While this may not have been the case with the Target attack, there are several security concerns regarding control systems, including protecting them from attacks both from within and from outside the network. Internal protection is best handled through the use of a VLAN within an enterprise network or with a protected, dedicated controls network. Remote access, however, is more complicated.
One of the benefits of today's BAS solutions is that they can be readily accessed both on site and remotely. Most systems are web-based, so no client software is required. Remote access provides many benefits, including the ability for the building operator to see systems from anywhere and to get support from contractors and the design team without having them on site. The challenge is to provide remote access for those who are authorized, but not to allow remote access to become an entry point for a hacker who may attempt unauthorized access to the control system or other network assets. There are several potential solutions for remote access that you may want to consider:
IT Controlled Access:
When the control system is on the owner's enterprise network, remote access is generally controlled by IT. The owner's IT group is generally able to provide remote access using standard tools. For example, a contractor may need network VPN access, which may require special tokens, passwords, or in some cases a dedicated laptop. This approach generally provides a good level of security, but it can take time to set up, and management can be a challenge.
BAS on the Internet:
To simplify remote access, systems can be installed with a BAS router directly connected to the Internet through a DSL, wireless or cable modem. This approach makes access easy, but can expose both the BAS and potentially other devices on the network to an attack. In the past we have counted on this being "security through obscurity", but as cyber attacks become more sophisticated, this is becoming a risky approach.
BAS Firewalls:
Vendors are starting to offer specialized firewalls intended to provide limited network access for BAS systems. These are generally a combination of hardware and software that provide authentication and access control. One product to evaluate is the Lynx Spring Cyber Pro (http://lynxcyberpro.com), which can be used either on an enterprise network or from a dedicated facilities network. The use of a specialized network security device may provide the best of both worlds – the security benefits of a VPN, with the simplicity and flexibility of having the system directly on the network.
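Whichever of the three approaches is chosen, the owner should be able to state, and check, which sources are permitted to reach the BAS and on which services. The following is an added example, not code from the article or from any vendor named in it: a small policy model of the "dedicated controls network behind an IT-managed VPN" arrangement, run over a few constructed firewall log lines. All addresses, the VLAN and VPN ranges, and the log lines are assumptions made up for the example; a direct-from-Internet request to the BAS web page or to BACnet/IP is denied, which is exactly the exposure the "BAS on the Internet" option accepts.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network plan (constructed for this example): the BAS sits on a
# dedicated controls VLAN, remote users arrive through the IT-managed VPN,
# and nothing on the Internet may reach the controls VLAN directly.
CONTROLS_VLAN = ipaddress.ip_network("10.20.0.0/24")  # BAS controllers + web server
BACNET_PEERS = ipaddress.ip_network("10.21.0.0/24")   # second building's controls segment
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")       # addresses handed to VPN users
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")       # owner's enterprise network
BAS_WEB_HTTPS = ("tcp", 443)     # browser-based BAS front end
BACNET_IP = ("udp", 47808)       # BACnet/IP, port 0xBAC0, controller-to-controller


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow that wants to enter the controls VLAN."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    svc = (flow.proto, flow.dport)
    if dst not in CONTROLS_VLAN:
        return "deny"  # this firewall only fronts the controls VLAN
    if src in BACNET_PEERS:
        return "allow" if svc == BACNET_IP else "deny"  # peer controllers: BACnet only
    if src in VPN_POOL or src in ENTERPRISE:
        return "allow" if svc == BAS_WEB_HTTPS else "deny"  # people: web UI only
    return "deny"  # Internet or unknown source: no direct path, whatever the port


# Constructed sample of firewall log lines (not real logs): "src dst proto dport"
SAMPLE_LOG = """\
10.99.0.17 10.20.0.5 tcp 443
203.0.113.40 10.20.0.5 tcp 443
203.0.113.40 10.20.0.9 udp 47808
10.21.0.9 10.20.0.9 udp 47808
10.5.3.2 10.20.0.5 udp 47808
"""


def audit(log: str) -> list:
    """Classify each logged attempt; denied flows from public addresses show
    what a BAS router plugged straight into the Internet would have accepted."""
    results = []
    for line in log.splitlines():
        s, d, p, port = line.split()
        results.append((line, decide(Flow(s, d, p, int(port)))))
    return results


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5}  {line}")
```

The verdict for the line from 203.0.113.40 is what separates the VPN/firewall options from a BAS router on the Internet: the same request is denied here and would be served there.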
About the Authors
Paul and Ira first worked together on a series of ASHRAE projects including the BACnet committee and Guideline 13 – Specifying DDC Controls. The formation of Building Intelligence Group provided them the ability to work together professionally, providing assistance to owners with the planning, design and development of Intelligent Building Systems. Building Intelligence Group provides services for clients worldwide including leading Universities, Corporations, and Developers. More information can be found at www.buildingintelligencegroup.com. We also invite you to contact us directly at Paul@buildingintelligencegroup.com or ira@buildingintelligencegroup.com.