Building automation systems (BAS) ease property managers' daily operations, from reducing energy consumption to cutting maintenance costs, but the same connectivity that makes BAS attractive can be a gateway for cyber attacks. Understanding BAS cybersecurity helps you protect your facility and the wellbeing of the people in it.
TARGET’S CYBER ATTACKERS HIT THE BULLSEYE
Consider the 2013 Target breach. Attackers obtained personal information on 70 million customers and 40 million credit and debit card numbers after getting into Target's network with the remote-access credentials of its Heating, Ventilation, and Air Conditioning (HVAC) vendor. The damage to Target's reputation was colossal. The same year, the US Department of Homeland Security revealed that hackers had broken into a highly secured "state government facility" and tampered with the building's temperature. Large enterprises are not the only targets. With so many building systems now connected to the Internet, attackers have more opportunities to infiltrate your properties if you do not follow appropriate BAS cybersecurity measures.
IS YOUR PROPERTY AT RISK?
Remote access allows a BAS vendor to monitor and service many systems from a central location, eliminating the need and cost of onsite visits. The same remote access, however, is a path into the building for malicious actors, who could disrupt building operations or use the BAS as a foothold into the rest of the network.
In the 2013 Target breach, attackers reached Target's payment network using the credentials a vendor used to access the HVAC system remotely for maintenance and troubleshooting. The vendor needed that access for its job; the problem was that nothing stopped the same credentials from reaching far more than the HVAC system. Threat actors routinely use free, widely available tools to find exposed and vulnerable systems on the Internet.
Figure 1 shows the results of a search with a tool called Shodan, which lets anyone find Internet-connected devices using a few keywords. Notice how it shows the geographic dispersion of the systems along with vendor information and operating system. We have omitted some of the search details to avoid exposing specific facilities.
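What a Shodan-style scanner actually does against a building system is nothing more than speaking the building protocol: the controllers answer anyone who asks. The following is an added example, not code from the article or from any vendor. It assumes BACnet/IP as the representative BAS protocol (the article does not name one), builds the standard unauthenticated Who-Is broadcast, and decodes the I-Am reply into the fields a scanner displays (device instance, vendor ID, maximum APDU, segmentation). The sample reply is constructed by hand, so the block runs offline; the discover() function is the only part that touches a network, and it should only ever be pointed at a broadcast range you own.

```python
"""Unauthenticated BACnet/IP discovery: build a Who-Is broadcast and decode an I-Am reply.

Added example, not from the original article. BACnet is assumed here as the
representative BAS protocol (the article does not name one). The frames below
are constructed by hand; nothing touches the network unless discover() is called.
"""
import socket
import struct

BACNET_PORT = 47808            # 0xBAC0, the default BACnet/IP UDP port
BVLC_TYPE = 0x81               # BACnet/IP framing marker
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_UNCONFIRMED_REQ = 0x10    # PDU type 1 (unconfirmed request) in the high nibble
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}


def build_who_is() -> bytes:
    """Global Who-Is. Every device that hears it answers with I-Am; no credentials are involved."""
    # NPDU: version 1, control 0x20 (destination present), DNET 0xFFFF (all networks), DLEN 0, hop count 255
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    apdu = bytes([APDU_UNCONFIRMED_REQ, SERVICE_WHO_IS])
    return struct.pack("!BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(npdu) + len(apdu)) + npdu + apdu


def _read_app_tag(buf: bytes, pos: int):
    """Decode one application-tagged value; returns (tag number, value bytes, next offset)."""
    tag = buf[pos]
    if tag & 0x08:
        raise ValueError("context tag where an application tag was expected")
    number, length, pos = tag >> 4, tag & 0x07, pos + 1
    if length == 5:                                   # extended length follows the tag byte
        length, pos = buf[pos], pos + 1
        if length == 254:
            length, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
        elif length == 255:
            length, pos = struct.unpack_from("!I", buf, pos)[0], pos + 4
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated tagged value")
    return number, value, pos + length


def parse_i_am(frame: bytes) -> dict:
    """Decode an I-Am into what a scanner displays: device instance, max APDU, segmentation, vendor ID."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    func, length = frame[1], struct.unpack_from("!H", frame, 2)[0]
    if func not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST) or length != len(frame):
        raise ValueError("unsupported BVLC function or bad length")
    version, control, pos = frame[4], frame[5], 6
    if version != 1 or control & 0x80:                # bit 7 marks a network-layer message, not an APDU
        raise ValueError("not an application-layer NPDU")
    if control & 0x20:                                # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x08:                                # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x20:
        pos += 1                                      # hop count follows the address fields
    if frame[pos] != APDU_UNCONFIRMED_REQ or frame[pos + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    pos += 2
    tag, obj, pos = _read_app_tag(frame, pos)        # tag 12: BACnetObjectIdentifier
    objid = struct.unpack("!I", obj)[0] if tag == 12 and len(obj) == 4 else None
    if objid is None or objid >> 22 != OBJECT_TYPE_DEVICE:   # 10-bit object type, 22-bit instance
        raise ValueError("I-Am must start with a device object identifier")
    tag_a, max_apdu, pos = _read_app_tag(frame, pos)  # tag 2: Unsigned
    tag_s, seg, pos = _read_app_tag(frame, pos)       # tag 9: Enumerated
    tag_v, vendor, pos = _read_app_tag(frame, pos)    # tag 2: Unsigned, ASHRAE-assigned vendor ID
    if (tag_a, tag_s, tag_v) != (2, 9, 2):
        raise ValueError("unexpected I-Am parameter tags")
    return {
        "device_instance": objid & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": SEGMENTATION.get(int.from_bytes(seg, "big"), "unknown"),
        "vendor_id": int.from_bytes(vendor, "big"),
    }


def discover(broadcast_addr: str, timeout: float = 2.0) -> list:
    """Send Who-Is to a broadcast address you own and collect (ip, fields) for each I-Am heard."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(build_who_is(), (broadcast_addr, BACNET_PORT))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(1500)
                try:
                    results.append((ip, parse_i_am(data)))
                except ValueError:
                    pass                              # something other than an I-Am; ignore it
        except socket.timeout:
            pass
    return results


# Constructed reply: device instance 1234, max APDU 1476, no segmentation, vendor ID 15 (placeholder value)
SAMPLE_I_AM = bytes.fromhex("810a0014" "0100" "1000" "c4020004d2" "2205c4" "9103" "210f")
```

The Who-Is frame is twelve bytes and carries no identity at all, which is the whole point: if UDP 47808 on a controller is reachable from the Internet, the device will introduce itself to anyone, and the vendor ID it returns is exactly the "vendor information" a search engine lists. The vendor ID number is resolved to a name through the ASHRAE registry; the sample uses 15 as a placeholder and makes no claim about which vendor that is.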
Inherent insecurity is a further reminder that not all that glitters is gold when it comes to the convenience of BAS. Building automation systems lack the protections built into traditional applications and systems. The controllers themselves are embedded devices that cannot run antivirus software or a host-based firewall (think Windows Firewall) because they lack the computing resources; they are designed to monitor and control physical processes, not to run productivity software such as Microsoft Word. Security software is also intrusive by design and can interfere with system operation: imagine a security application on a BAS blocking the signal that triggers a fire suppression system. The workstation and server that manage the controllers, by contrast, are ordinary computers and should get the usual endpoint protections.
Security patching, the process of fixing vulnerabilities in software, is also a challenge with these systems. Any patch carries some risk of breaking the system, and IT personnel have no shortage of horror stories about patches that did. Imagine applying a patch to the BAS that controls the elevators and having it close the doors unexpectedly. This fear of breaking the system keeps many building managers from patching at all, which leaves the systems vulnerable. The answer is not to skip patching but to apply vendor patches in a scheduled maintenance window, after testing them on a spare or non-critical controller.
SO WHAT NOW?
With proper BAS cybersecurity in place, you can enjoy the benefits of smart building systems safely and effectively. The following recommendations are the basis for tactical mitigation strategies:
Step 1: Identify all building automation systems within the environment by asking the following questions:
• What is the function of the BAS?
• Where is the BAS located?
• Who manages and accesses the BAS?
• How is the BAS accessed and from where?
• Is the BAS accessible from the Internet?
• What communication protocols does the BAS use?
• Does the BAS support any security functions?
• Does the vendor release security patches specific to the BAS?
• Does the vendor notify you if it suffers a breach that could affect your building automation systems?
Step 2: Document, monitor and control access to all BAS.
Controlling access to these systems is crucial to keep an attacker out of your environment. Limit access to the people who need it, give each vendor or technician an individual account rather than a shared login, and make sure every session is logged. The records flag suspicious activity and support an investigation if one becomes necessary.
Step 3: Enable security features, if supported.
Enabling these features makes it harder for an attacker to compromise the system. Also change the default settings that affect security, above all default passwords, which attackers can simply look up in the vendor's documentation.
Step 4: Segment Building Automation Systems.
Attackers exploit the weakest link. Given the limited security functionality of a BAS, it can become a stepping stone to other parts of your network. Put the BAS on its own network segment and allow only the management hosts and vendor connections that genuinely need to reach it; separating a BAS from other systems can keep a compromise from spreading through the network.
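Steps 1 and 2 only pay off if the documented answers (who may reach which BAS, from where, and when) are actually checked against what the remote-access logs record. The following is an added example, not code from the article or from Friedman CyZen, showing that check: a small access list in the shape Steps 1 and 2 produce, a constructed VPN log in a format assumed for this example, and a review that flags logins from undocumented networks, outside the agreed maintenance window, from accounts nobody documented, or to systems the account is not authorised for. The last case is the Target pattern: a vendor account that is legitimate for the HVAC system but turns up connecting to something else.

```python
"""Review BAS remote-access events against the access list produced by Steps 1 and 2.

Added example, not from the original article. The log format, account names,
host names and address ranges are all constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, time

# Output of Steps 1 and 2: which accounts may reach which BAS, from which source
# networks, and during which maintenance window (constructed)
ACCESS_LIST = {
    "hvac-vendor": {"systems": {"hvac-bms-01"},
                    "sources": ["203.0.113.0/24"],            # vendor's documented egress range
                    "window": (time(8, 0), time(18, 0))},     # business hours only
    "bms-admin": {"systems": {"hvac-bms-01", "elevator-ctrl-01"},
                  "sources": ["10.50.0.0/16"],                # facilities management VLAN
                  "window": (time(0, 0), time(23, 59, 59))},
}

# One remote-session event per line; the format is assumed for this example
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log: line 1 is an off-hours login from an unknown address, line 3 is the
# vendor account reaching a system outside its remit, line 4 is an account nobody documented
SAMPLE_LOG = """\
2024-01-15T03:12:44 vpn: user=hvac-vendor src=198.51.100.23 dst=hvac-bms-01 action=login
2024-01-15T10:05:01 vpn: user=hvac-vendor src=203.0.113.7 dst=hvac-bms-01 action=login
2024-01-15T10:07:30 vpn: user=hvac-vendor src=203.0.113.7 dst=pos-db-01 action=connect
2024-01-15T11:00:00 vpn: user=contractor9 src=203.0.113.9 dst=hvac-bms-01 action=login
2024-01-15T12:00:00 vpn: user=bms-admin src=10.50.2.4 dst=elevator-ctrl-01 action=login
""".splitlines()


def in_window(t: time, window) -> bool:
    """True if t lies inside window; handles windows that cross midnight (e.g. 22:00 to 02:00)."""
    start, end = window
    return start <= t <= end if start <= end else (t >= start or t <= end)


def review_event(line: str, access_list=ACCESS_LIST) -> dict:
    """Return {"user", "dst", "reasons"}; an empty reasons list means the event matches the access list."""
    m = LOG_RE.match(line)
    if not m:
        return {"user": None, "dst": None, "reasons": ["unparseable line"]}
    ev = m.groupdict()
    entry = access_list.get(ev["user"])
    if entry is None:
        return {"user": ev["user"], "dst": ev["dst"], "reasons": ["account not in documented BAS access list"]}
    reasons = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in ipaddress.ip_network(net) for net in entry["sources"]):
        reasons.append(f"source {ev['src']} outside documented networks")
    when = datetime.fromisoformat(ev["ts"]).time()
    if not in_window(when, entry["window"]):
        reasons.append(f"outside maintenance window at {when}")
    if ev["dst"] not in entry["systems"]:
        reasons.append(f"reached {ev['dst']}, which this account is not authorised for")
    return {"user": ev["user"], "dst": ev["dst"], "reasons": reasons}


def review(lines) -> list:
    """Return (line number, user, reasons) for every event that deviates from the access list."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = review_event(line)
        if result["reasons"]:
            findings.append((n, result["user"], result["reasons"]))
    return findings


if __name__ == "__main__":
    for n, user, reasons in review(SAMPLE_LOG):
        print(f"line {n} ({user}): " + "; ".join(reasons))
```

The review is only as good as the inventory behind it: an account or controller missing from Step 1 produces either a false alarm or, worse, silence. Line 3 of the sample also shows why Step 4 matters: a segmented network would have refused the vendor's connection to pos-db-01 outright rather than merely logging it.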
You now have several critical BAS cybersecurity steps to protect your smart buildings from attack, but remember that each situation is unique. Contact your Friedman CyZen cyber security advisor with any questions you have.