Building Automation and Cybersecurity (I)

The protection of this kind of technology is a growing need. Below is an analysis and series of recommendations.

by Levi Tully*

What is the relationship between building automation systems and cybersecurity?
Building Automation Systems (BAS) play an integral role in the health and well-being of any organization's most valuable assets: its people and its property. These systems provide automatic control and human interaction with mechanical systems that are often complex, expensive and critical in the operation of a building, as well as consuming a significant amount of energy. The design, installation and proper operation of building automation systems is critical to the sustainability of the modern built environment.

Mostly through information management, these systems enable engineers and facility managers to manage their environment and cultivate their building portfolio.
There is a natural and growing synergy between building automation and information technology (IT). Since these systems primarily transact facility information, building automation systems depend on the IT infrastructure and systems of the facilities and organizations they serve (Granzer, Praus, & Kastner, 2010).


This collaborative technology has become known as Cyber Physical Systems (CPS). These systems mix cybernetics, mechatronics, and design and process sciences. CPS represent the synergy found between physical and software components, particularly between physical systems and information technology.

The phenomenon is increasingly called IT/OT to highlight the similarities and convergence of Information Technology (IT) and Operational Technology (OT) systems. The latter is a relatively recent term, used to encompass the direct monitoring and/or control of devices, processes, and physical events.

Most of the standards and protocols in use today in industrial and building automation were defined in the last century, when the TCP/IP protocol suite was expensive and unavailable for the smaller devices that are common in building automation. However, with the widespread availability of IP network infrastructures today, building automation systems are often a component of a building's networks that can be shared with other applications and can be professionally managed by an IT department. "There is an urgent need for more IT-friendly solutions that are more consistent with standard IT infrastructures" (ASHRAE SSPC 135, 2018).

The information and technology implicit within these shared IT systems are valuable assets that must be protected against vulnerabilities and threats. Due to the standardization of their integration, building automation networks should provide "protection schemes in line with and adherence to security controls already established in the IT domain" (Granzer, Praus, & Kastner, 2010). However, this, traditionally, has not been the case.

The Washington Post conducted an interview about cybersecurity with executives at an innovative manufacturer who revolutionized the industry by connecting building automation systems to the internet. In the interview, executives commented that for more than a decade "few people thought about the security of commercial control systems on the internet." They noted that "attacks seemed unlikely" because hackers had not traditionally targeted these systems, and concluded that they and their clients "generally assumed that control systems were somehow contained by their darkness" (O'Harrow, 2012).
In a 2015 survey, IBM researchers found that 84% of building managers surveyed reported that their automation systems were connected to the internet, while only 29% had taken action or were in the process of taking action to improve the cybersecurity of their systems (Snyder, 2014). Is there any reason to worry?

Why is the cybersecurity of building automation systems a concern?
The main security threat in BACnet systems is people who, intentionally or accidentally, modify the configuration or control parameters of a device (ASHRAE SSPC 135, 2018).

Unauthorized access to a building automation system and its data could be used to:

  • Misuse operational information such as occupancy schedules.
  • Cause discomfort in the occupants.
  • Interrupt the operation of systems.
  • Contribute to damage to equipment or systems.

In November 2011, the industrial control system of a water treatment plant in South Houston was penetrated when "a password of only three characters had been used to protect the system" (BBC, 2011).

A distributed denial-of-service (DDoS) attack resulted in the loss of heat in two buildings in the eastern Finnish city of Lappeenranta, local media reported, the latest example of the effects of cyberattacks on interconnected infrastructure.

According to a statement released by local IT management firm Valtia, and a report from the Finnish Communications Regulatory Authority, the attack was detected after a building automation system used at two properties began to emit strange alarms and could not be accessed remotely. The cause was a sustained denial-of-service attack that was flooding the system with fake internet traffic, causing it to restart every few minutes and denying Valtia's remote administrators access to the device. The attack lasted from Nov. 3 to Nov. 4, said Simo Rounela, Valtia's CEO, as reported by the website Metropolitan.fi.

The result? "Most of the controlled systems, such as heat distribution, ventilation and hot water were temporarily out of service," the company said in a statement. To fix it, a technician visited the buildings and removed the affected hardware from the internet until the malicious traffic could be filtered (Paul, 2016).

In 2013 it was announced that researchers from Cylance, a cybersecurity consulting firm, were able to penetrate the building automation system belonging to the Google Wharf 7 facility in Sydney, Australia.

One vulnerability gave them remote access to system configuration files containing data such as usernames and passwords, which in turn allow access with operator accounts and control of managed systems. It also allowed them to overwrite files on the device and gain root access in what amounts to a Windows system with a Java virtual machine running client software. At least 20,000 instances of the same system were identified around the world (Zetter, K., 2013).

Shodan, a search engine for internet-connected devices designed to raise awareness, has identified nearly 30,000 building automation systems from just one common platform that are exposed to the internet using standard IT default configurations. A search reveals that nearly 20,000 of these instances are in the United States alone, with nearly 2,000 more in Canada and a growing number, currently exceeding 800 facilities, in Australia.


Shodan has also identified nearly 15,000 BACnet systems around the world that have similarly been exposed to the internet using standard IT default configurations, including the published port that is reserved for BACnet interoperability. These include more than 9,000 systems in the United States, 2,000 in Canada and nearly 200 in Australia.

In 2012, the U.S. Department of Homeland Security established the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to combat this growing threat.

According to the U.S. Government Accounting Office, the number of cyber incidents involving control systems that were reported to the Department of Homeland Security increased 74% from 2011 to 2014, with 245 incidents reported in 2014. In 2017 alone, ICS-CERT received more than 1,000 reports.

Who should care about the cybersecurity of building automation systems?
Everyone involved in or influenced by the automation of the built environment should take the security of these systems seriously.

Building operators, facility executives and portfolio managers have an obligation to protect their facilities. Engineers, designers, manufacturers, suppliers, contractors and technicians have an obligation to protect their customers.

ASHRAE is a global society that fosters human well-being through sustainable technology for the built environment. Its mission is to encourage the arts and sciences of heating, ventilation, air conditioning and refrigeration to serve humanity and promote a sustainable world.

How can built environment professionals foster human well-being through sustainable technology when it comes to the cybersecurity of building automation systems?

The next step is not an insurmountable obstacle. Building automation systems have already been widely accepted in the IT domain. Increasing their standardization and security should only improve their integration into IT infrastructure and equipment.

Ultimately, each organization must conduct an objective assessment of the potential impact on the organization's assets and ability to perform its normal operations in the event of a security breach. The impact assessment of a security breach is a valuable resource that enables an organization to make informed decisions about appropriate security controls. An important outcome of this evaluation is the definition of an acceptable balance that provides the required usability and performance of the control system while maintaining an appropriate level of security. The development of a policy that articulates this balance is the responsibility of each organization.

The National Institute of Standards and Technology (NIST) Special 800 Series on Computer Security sets out the principles for Information Technology Security (ITS) best practices. In particular, NIST SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security) revision A, presents "a list of system-level security principles that must be considered in the design, implementation, and operation of an information system" (Stoneburner, Hayden, & Feringa, 2004). These engineering principles provide a fundamental reference in the design, implementation and operation of a properly protected building automation system.

These publications provide us with very simple steps to follow.

Hardening is the process of improving the security of a computer or information system by reducing its surface of vulnerability. It is achieved by relying only on a minimum number of system elements, thus reducing the exposure of vulnerabilities that can be used for unauthorized access and manipulation of information. Creating a secure environment depends on the functional requirements and expectations of the owner and end user of the system. The goal of hardening should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).

There is an important subtlety in an effective attitude towards security risks that is often overlooked. This realistic strategy is expressed in NIST's Baseline for Achieving Security:

"Previously, risk avoidance was a common IT security goal. This changed as the nature of the risk was better understood. Today, it is recognized that the elimination of all risk is not cost effective." The goal of hardening should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).

To put it in perspective, in the United States in 2016 there were more than 37,000 deaths from traffic accidents, approximately 100 people a day. However, for most Americans driving is an acceptable risk. Even in less than ideal conditions, driving is necessary for carrying out their mission.

When an acceptable level of risk is defined, the costs and benefits of protective measures (or security controls) must be objectively assessed. Concurrent operational needs must be assessed as well. The usability and performance of the building control system and protective measures are important considerations when designing and applying security controls. The benefits of each control must provide adequate value relative to the direct and indirect costs associated with its implementation and maintenance (Stoneburner, Hayden, & Feringa, 2004).

As with any information system, the purpose of securing a building control system is to preserve the confidentiality, integrity and availability of the data that is processed, transmitted and stored (Stoneburner, Hayden, & Feringa, 2004).

  • Confidentiality refers to the protection from unauthorized access to personal and proprietary information.
  • Integrity refers to preserving the authenticity of information by preventing unauthorized modification or destruction of data.
  • Availability refers to timely and reliable access to information and its use by authorized users.

Note: Soon we will present the second part of this article, which will describe a series of recommendations to facilitate the protection of building automation systems.

* Levi Tully is our Application Engineering Manager at Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer - Latin America at Reliable Controls Corporation.

References

  • BBC. Hackers 'hit' US water treatment systems. (2011, November 21). Retrieved January 28, 2018, from http://www.bbc.com/news/technology-15817335
  • Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
  • O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from https://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html?utm_term=.e743b8a75b7c
  • Paul. IBM Research Calls Out Smart Building Risks. (2016, February 05). Retrieved January 28, 2018, from https://securityledger.com/2016/02/ibm-research-calls-out-smart-buildingrisks/
  • Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
  • Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from http://www.facilitiesnet.com/buildingautomation/article/Hackers-Pose-Threat-To-Building-Automation-Systems--15557?source=part
  • Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory: Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP800  
  • Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from https://www.wired.com/2013/05/googles-controlsystem-hacked/
  • Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from https://www.wired.com/2013/02/tridium-niagara-zero-day/
Author: Duván Chaverra Agudelo
Editor-in-Chief at Latin Press, Inc.
Social communicator and journalist with more than 16 years of experience in the media. Passionate about technology and this industry.
