April 2019
The State of BAS Cybersecurity
IB performs a series of assessments both before the site visit and once onsite. There are several tools and methods we use to complete a holistic cybersecurity evaluation of building control systems.
Fred Gordy, Intelligent Buildings, LLC
Just a little over six years ago, building control systems and cybersecurity were words not usually found in the same sentence, much less a concern for most building owners and integrators. In 2017 we at Intelligent Buildings (IB) began to see a significant increase in the number of building cyber assessments we performed. In 2018 the number of assessments we performed more than doubled compared with 2017. This was due in part to the growing awareness of the need to secure building control systems, but also to the real and present danger of attacks on building control systems. In this article, I will share the results of assessments and BAS attacks of which we have first-hand knowledge.
THE ASSESSMENT PROCESS
IB performs a series of assessments both before the site visit and once onsite. There are several tools and methods we use to complete a holistic cybersecurity evaluation of building control systems. Some are considered traditional IT-type tools; however, the majority are exclusive to the BAS world and were created by IB. In some of my past articles, I have discussed what separates BAS from ICS and IT applications. Those differences required IB to create tool sets unique to the building control industry. These tools are built on established NIST principles and the more than 100 years of combined BAS knowledge that IB possesses.
HOW BUILDINGS ARE SCORED
Scoring combines methodologies for NIST and BCS-CAMP (Building Control System Cyber Assessment Methods and Procedures) elements. The score is mathematically calculated from the answers provided by the system SME(s), and the letter grade is derived from the calculated numeric value. This methodology results in consistency across multiple buildings and systems within the portfolio, as well as in comparison with other like properties and systems. A BCET letter grade is described as:
NIST: IDENTIFY – PROTECT – DETECT – RESPOND – RECOVER
Identify - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
The activities in the Identify function are foundational for effective
use of the framework. Understanding the business context, the resources
that support critical functions, and the related cybersecurity risks
enable an organization to focus and prioritize efforts consistent with
its risk management strategy and business needs. Examples of outcome
categories within this function include Asset Management; Business
Environment; Governance; Risk Assessment; and Risk Management Strategy.
Protect - Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
The Protect function supports the ability to limit or contain the
impact of a potential cybersecurity event. Examples of outcome
categories within this function include Identity Management and Access
Control; Awareness and Training; Data Security; Information Protection
Processes and Procedures; Maintenance; and Protective Technology.
Detect - Develop and implement the appropriate activities to identify the occurrence of a security event.
The Detect function enables the timely discovery of cybersecurity
events. Examples of outcome categories within this function include
Anomalies and Events; Security Continuous Monitoring; and Detection
Processes.
Respond - Develop and implement the appropriate activities when facing a detected security event.
The Respond function supports the ability to contain the impact of a
potential cybersecurity incident. Examples of outcome categories within
this function include Response Planning; Communications; Analysis;
Mitigation; and Improvements.
Recover - Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
The Recover function supports timely recovery to normal operations to
reduce the impact from a cybersecurity incident. Examples of outcome
categories within this function include Recovery Planning;
Improvements; and Communications.
The following table shows the grade that the majority of the buildings assessed received in each of the NIST functions. The chart below the table shows all scores (A through F) and the percentage of buildings that scored each letter grade.
THE BUILDING ASSESSMENT
The following building assessment statistics are derived by assessing
people, processes, and technology associated with the building. The
activities include reviewing control application configuration files,
OS configuration, basic physical security of systems, policy
documentation, system drawings, capturing network information for
device inventory, and remote exposure. Scores can be A, B, C, D, or F.
The following table shows the grade that the majority of the buildings received in each of the building assessment categories. The chart below the table shows all scores (A through F) and the percentage of buildings that scored each letter grade.
The following chart lists some of the elements we check during an assessment. The percentages shown are across all the building assessments performed by IB over the past two years, and the bar for each element indicates the percentage of compliance. For example, 5% of the systems assessed had changed the default ports, 20% of the systems assessed had up-to-date antivirus/anti-malware, and 50% of the sites assessed had one or more devices exposed directly to the web that could be accessed remotely.
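As an added example (not IB's tool or its BCS-CAMP formula), the following Python models the scoring described under HOW BUILDINGS ARE SCORED and the element-compliance chart just above: each site's SME answers to the checklist items the article names are turned into a numeric score and A-F grade per NIST function, then aggregated across a portfolio into the "majority grade" table and the per-element compliance percentages. The grouping of items under NIST functions, the equal weighting, the grade thresholds and the four sites' answers are assumptions constructed for the example.

```python
from collections import Counter
# Items the article names, grouped under the NIST function they inform. The
# grouping, equal weighting and grade thresholds are this example's assumptions.
CHECKLIST = {
    "Identify": ["device_inventory_complete", "owner_controls_remote_access"],
    "Protect": ["default_ports_changed", "antivirus_up_to_date",
                "no_device_exposed_to_web"],
    "Detect": ["audit_logging_enabled", "log_retention_sufficient"],
    "Respond": ["incident_response_plan"],
    "Recover": ["disaster_recovery_plan"],
}
ALL_ITEMS = [i for group in CHECKLIST.values() for i in group]
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]  # below 60 is an F

def letter_grade(score):
    """Derive the A-F letter grade from a 0-100 numeric score."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"

def function_scores(compliant):
    """One site's score per NIST function: % of its items found in the set
    'compliant' of item names the SME answered as compliant."""
    return {func: round(100 * sum(i in compliant for i in items) / len(items), 1)
            for func, items in CHECKLIST.items()}

def site_grades(compliant):
    """Letter grade per NIST function for one site."""
    return {f: letter_grade(s) for f, s in function_scores(compliant).items()}

def majority_grades(sites):
    """Grade most sites received per function (the article's 'majority' table)."""
    tally = {f: Counter() for f in CHECKLIST}
    for site in sites:
        for f, g in site_grades(site).items():
            tally[f][g] += 1
    return {f: c.most_common(1)[0][0] for f, c in tally.items()}

def element_compliance(sites):
    """% of sites compliant with each element (the article's bar chart)."""
    return {i: round(100 * sum(i in s for s in sites) / len(sites), 1)
            for i in ALL_ITEMS}

# Constructed SME answers for four sites, each a set of compliant items.
TYPICAL = {"antivirus_up_to_date", "no_device_exposed_to_web",
           "audit_logging_enabled", "log_retention_sufficient"}
SITES = [{"audit_logging_enabled"}, TYPICAL, set(ALL_ITEMS),
         TYPICAL | {"device_inventory_complete"}]
```

Because every function scores only the items under it, a single missing plan (Respond or Recover) yields an F for that function even when Detect is an A, which mirrors how the article reports functions separately.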
BAS ATTACKS - NEGATIVE OPERATIONAL IMPACT
In the past two years, we have observed first-hand the aftermath of attacks. The number of attacks on control systems from 2017 to 2018 increased by 75%. The attacks have ranged from ransomware to equipment being directly and specifically targeted. There have also been several cases of negative operational impact caused by IT not correctly testing and implementing updates and patches.
In all the cases listed below, there was no disaster recovery plan or incident response plan in place. The systems were either directly exposed via a public IP or had remote access controlled by the vendor rather than the building owner. Additionally, there was little to no forensic evidence: audit and access logging were either not set up at all or not configured to retain the number of records necessary to build a complete picture of the attack.
The items listed below are some examples of what we documented.
In conclusion, the repeating theme across the majority of the buildings we assess is that systems are not prepared and the employees using them need to be educated. Policies, change management, user management, disaster recovery, and incident response are non-existent. Not all the devices connected to the control network are known. The vendor is the primary controller/administrator of local and remote access.
Building owners are beginning to address their control systems' cybersecurity, but attackers are continually educating and evolving themselves. To put it in the words of a speaker I heard when I first started my building control system cybersecurity journey, "Folks, this is a problem for which there is no solution." I would like to add that even though there is no solution, there are preventative measures you can take to lessen your chances of being the next victim.