February 2011


Nino Kurtalj, President,
Elma Kurtalj Ltd

Contributing Editor

Convergence in building automation systems, and the use of the IP infrastructure as the key building data highway, is moving building automation into the family of Information and Communications Technology (ICT) services. Professionals in the industry believe that this direction will be a rising tide that affects us all. The new environment makes building automation systems less expensive to install, through use of the existing IT infrastructure, and opens a path to true integration instead of mere coexistence. This is great, but there is one big "BUT": such a direction brings to the table all the issues that ICT is struggling with.


The complete integration of building systems with the much larger, information-technology-connected enterprise, and the integration of networked facilities on a global basis, is raising security issues for building automation systems. Most of the products on the market are not really ready for the full ICT approach, and neither are the integrators. The truth is that we have had connectivity for years. However, we have not had integration. This is a whole new ball game!

The use of common IP protocols and general-purpose operating systems is resulting in remarkably less separation between the outside world, the building management systems, and Building Automation Networks (BAN). However, it is a double-edged sword. Automated systems are now at risk of attack from a variety of malicious threats.

Today Microsoft Windows provides most of the operating systems both at the desktop and in the building automation server room. Unfortunately, Windows is a very popular target for network attacks.

We will see more and more announcements like the one Cisco issued in May 2010. According to Cisco, the problems were related to default passwords and privilege escalation. This potentially allowed attackers to gain control over the device and manipulate the data.

Another example from last year was the Stuxnet Trojan that attacked Siemens PLCs. The infection probably happened through a USB drive, and it then spread over the Windows network using a previously unknown vulnerability in Windows. On an infected machine it looks for running Siemens Simatic WinCC software, then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database. Can you imagine, according to Wired's Threat Level blog, that the password had been available on the Internet for several years?

OK, it looks simple: we just need to change the default password and there is no more threat! Unfortunately, Siemens announced "don't do it". Changing the password would interrupt communication between WinCC and the database. Furthermore, they said they were examining ways to increase security. Microsoft was working on a patch, and they provided instructions for a workaround.

Here are some well known incidents from the past:

These are not scenarios from the movies. This is real life! Wow, I was taken aback. For the last ten years the whole industry has been talking about IP, Web, interoperability and open systems. However, security has mostly been left behind, somewhere in the pre-internet age. The truth is that most BMS servers have been working for years without any upgrade of the operating system, and in most cases the OS of choice is from the Windows family. Also not mentioned is that the BMS software is, in most cases, the same version as the one first installed. For computers running Microsoft Windows XP SP2 or Windows 2000 there is no more support in terms of patches. Therefore, computers running those versions of the OS will be vulnerable until they are upgraded to newer versions. How many such systems are still operating?

Let's look at the BMS and ICT system security differences.

Anti-virus: widely used in ICT; in BMS it is often impossible to deploy.
Equipment lifetime: three to five years in ICT; in our industry it can reach twenty years.
Outsourcing: widely used in ICT; in BMS rarely used for operations.
Patching: daily in ICT; in BMS, vendor approval is requested in most cases, which means slowly.
Security skills and awareness: fairly good in ICT; in BMS, in most cases very poor.

If we talk to people from operations, we get answers like "We do not need ICT security since our network is completely separated from the rest of the corporate network." If you ask them whether they use notebooks during servicing and troubleshooting, the answer will be yes. Therefore, any attack targeted at a particular infrastructure is possible.

All this is opening up a totally new line of events. The traditional HVAC department will not be aware of what they should do, nor interested in moving things further. Until real damage happens, the corporate and management levels will not understand that the BMS is important for corporate health. Until that time, we will have a situation where the BMS is treated as a small part of the HVAC or lighting system, where the manufacturers of chillers, AHU units and lighting fixtures are seen as the key to successful operations, not the BMS. The idea of splitting the BMS away from the HVAC and lighting contractor is in most cases considered sacrilege, not to mention the thought of involving ICT security people during the design phase of the facility network.

All of this will change for sure when a big infrastructure gets caught with major damage. And that will happen sooner than we can imagine. We are becoming a "hot" industry, "the one". One that is good to be in. We have opened our protocols, created standards, and integrated our devices into IP networks, but we have not, up to now, made them secure by ICT standards.

As an example, consider the economic impact of a company-wide attack on the lighting system; most of today's lighting systems in large buildings are fully automated. Such an attack could inject a message switching the lights on and off. That will cost the owner some money, but will do more damage to the owner's image. Other scenarios could be shutting off the power to the building or the elevators, heating up the space during the summer or cooling it during the winter.

What shall we do?

Because we do not have secure building protocols, we shall need to build secure building networks with firewalls and VPNs, as well as look for solutions like BrightCore. BrightCore includes well-known security standards such as RADIUS authentication, LDAP directory services, and integration with identity management solutions. Further, we must look for a solution that has strong AES encryption with a 256-bit key, like BrightCore. This has to be considered for regular user access to the system if we want to use BMS data and applications outside the BMS room.

Another consideration is the use of firewalls between the Building Automation Control Network and the enterprise network. One of the best variations is a pair of firewalls positioned between the enterprise and the building automation networks. Common servers, such as the SQL server for history data, should be positioned between the firewalls in a DMZ. The first firewall blocks arbitrary packets from proceeding to the control network or to the shared SQL server data. The second firewall prevents unwanted traffic from a compromised server entering the control network. Having such clear separation allows one firewall to be managed by BMS experts and the other by ICT experts. This type of approach creates a very strong defensive position. If we need to access the networks from outside, we should do so through a VPN.
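To make the two-firewall layout concrete, here is an added example (not part of the original article, and not any vendor's product) that models both rule tables in Python and reports which firewall drops a given flow. The zone names, TCP port numbers and the rules themselves are assumptions chosen to illustrate the design, with the SQL history server in the DMZ, engineering access only over VPN, and each firewall owned by a different team.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str   # one of: "enterprise", "vpn", "dmz", "ban"
    dst_zone: str
    dst_port: int

# Zone positions along the path: enterprise/VPN users -- FW1 -- DMZ -- FW2 -- BAN.
# Traffic inside one zone is not filtered by either firewall in this model.
ZONE_POS = {"enterprise": 0, "vpn": 0, "dmz": 1, "ban": 2}

# Rules are (src_zone, dst_zone, dst_port or None for any port, action), evaluated
# first-match; anything that matches nothing is dropped (default deny). All values
# below are assumed for illustration; 47808 is the standard BACnet/IP port.
FW1_ENTERPRISE_SIDE = [                     # administered by the ICT security team
    ("enterprise", "dmz", 1433, "allow"),   # enterprise clients query history on the DMZ SQL server
    ("vpn", "dmz", 1433, "allow"),          # remote engineers over VPN reach the historian
    ("vpn", "ban", 47808, "allow"),         # BACnet/IP into the control network only from VPN clients
    ("enterprise", "ban", None, "deny"),    # arbitrary enterprise traffic never reaches the control net
]
FW2_CONTROL_SIDE = [                        # administered by the BMS team
    ("ban", "dmz", 1433, "allow"),          # BMS server pushes trend/history data to the DMZ SQL
    ("vpn", "ban", 47808, "allow"),         # the same VPN-only engineering access, re-checked here
    ("dmz", "ban", None, "deny"),           # a compromised DMZ server cannot originate into the BAN
]

def evaluate(rules, flow):
    """First-match evaluation of one firewall's table with an implicit default deny."""
    for src, dst, port, action in rules:
        if src == flow.src_zone and dst == flow.dst_zone and port in (None, flow.dst_port):
            return action
    return "deny"

def firewalls_on_path(flow):
    """Return the (name, rules) pairs a flow must traverse, ordered from the source."""
    a, b = ZONE_POS[flow.src_zone], ZONE_POS[flow.dst_zone]
    lo, hi = min(a, b), max(a, b)
    hops = []
    if lo <= 0 < hi:
        hops.append(("FW1", FW1_ENTERPRISE_SIDE))
    if lo <= 1 < hi:
        hops.append(("FW2", FW2_CONTROL_SIDE))
    return hops if a < b else hops[::-1]

def verdict(flow):
    """'allow' if every firewall on the path permits the flow, else 'deny@<firewall>'."""
    for name, rules in firewalls_on_path(flow):
        if evaluate(rules, flow) != "allow":
            return f"deny@{name}"
    return "allow"

if __name__ == "__main__":
    for f in [Flow("enterprise", "dmz", 1433), Flow("enterprise", "ban", 47808),
              Flow("dmz", "ban", 1433), Flow("ban", "dmz", 1433), Flow("vpn", "ban", 47808)]:
        print(f, "->", verdict(f))
```

The point to verify in such a model is that a server in the DMZ, even if fully compromised, has no allowed path into the control network, while the history data remains reachable from the enterprise side.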

Until we reach the Web services and HTML5 future, this is one of the best scenarios, since we still do not have a good event mechanism within web structures. The Web service model will open a new class of information-rich applications, anywhere, anytime, across the globe. There is a lot of work to be done before we can really reach the "Internet of Things", but for now properly securing our networks will be good enough.

