Please wait, authorizing ...

Don't have an account? Register here today.


Building Automation and Cybersecurity (II)

Second part of this article based on the protection of building automation systems.

by Levi Tully*

In the first part of this article published in issue 22-1 (January /February) we analyze the cybersecurity aspect of automation systems and the importance of protecting these valuable assets against threats and vulnerabilities. Now we will look at some recommendations to apply to these systems.

It is possible to follow very simple recommendations to facilitate this protection:

- Publicidad -

System design and configuration
1. Supplier security recommendations.
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Network integrity.
to. Install on secure networks.
b. Do not open gaps in the firewall with incoming connections.
c. Use non-standard ports.
d. Have a dedicated network for the automation system.
3. Encryption.
to. Data transmission.
b. Storage and transmission of credentials.
c. Install a BACnet virtual private network (VPN).
4. Contingency and recovery plan.
to. System audits.

1. Disable public access.
to. Disable or change all default credentials.
2. Assign unique credentials for each user and process.
to. Define user roles and permissions.
b. Set least privileges.
c. Use credential audits to disable unused accounts.
3. Apply password management policies.
to. Use of strong passwords.
b. Regular change of passwords.
c. Consider using passphrases.
4. Enable automatic disconnection due to inactivity.

Server Configuration
1. Supplier security recommendations
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Secure the operating system server.
3. Secure the software server.
4. Maintain the security of the servers.

External influences
1. Implement physical security.
2. Use virtual private networks (VPNs).
3. Train users.

BACnet is the ASHRAE standard for an open building automation protocol. The ANSI/ASHRAE 135-2016 A Data Communication Protocol for Building Automation and Control Networks is designed to standardize communications between building automation devices regardless of their manufacturer, enabling data exchange and interoperation of equipment and systems. This ideal is facilitated by technology that incorporates a few core values including (ASHRAE SSPC 135,2018):

  • Designed for control, operation and monitoring in the building automation domain.
  • Powerful data and service model that reaches semantic definitions.
  • Interoperability between versions and suppliers.
  • Large installed base.
  • Scalability (Including support for low-cost twisted pair networks).
  • Scope of the network security architecture.

Some fundamental components of BACnet communication in Ethernet and IP networks are warning signs for IT professionals and present challenges to protection schemes in compliance and adherence to common security controls already established in the IT domain. The traditional BACnet/IP data link:

1. Transmit data in plain text format, putting the confidentiality and integrity of the data at risk.
2. Communication on IP networks requires static IP addresses for BACnet broadcast management.
3. Requires firewall port entry, penetration, and forwarding rules.
4. It is perceived as an outdated data transport method.
Penetrating a facility's firewalls with standard, open-protocol, and easily accessible requests and responses is a risk to data confidentiality and integrity, however, access from outside a trusted LAN is often crucial to data availability.

- Publicidad -

Following the traditional model of remote connectivity for BACnet/IP and IP networks, firewall entry rules and port forwarding are common.

The RC-RemoteAccess BACnet Virtual Private Network (B/VPN) is expressly designed to strengthen the synergy between BACnet and traditional methodologies while providing protection schemes that are inherently adhered to the security controls commonly established in the IT domain using secure WebSocket connections over TLS.

A B/VPN network meets the requirements of modern IP infrastructure and IT security. The use of Transport Layer Security (TLS) enables the secure exchange of NPDU packets across a wide range of IT environments. The latest in TLS technology facilitates secure BACnet communication.

A B/VPN network introduces a new model that eliminates the need for inbound connections through the firewall by facilitating secure outbound connections.

B/VPN networks are based on a logical distribution and link model that provides protocol-based connections between client and server nodes. The connection is initiated from the client node to the server or distributor.

Once the B/VPN client/server model is established, communications are bidirectional. Through this model, operators and technicians can access their BACnet facilities remotely, and BACnet networks can be securely combined using an established model analogous to a traditional VPN but designed for BACnet data transmission.

- Publicidad -

B/VPN networks have modernized and revolutionized the integration of BACnet and IT.

Where is the cybersecurity of building automation systems a concern? Here... wherever it is here. All building automation systems should be properly secured. All facilities deserve to be protected in a timely manner.

When should we start thinking about the cybersecurity of building automation systems? Now.

The goal of securitization should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).
For more information about cybersecurity you can visit our website:

* Levi Tully, Application Engineering Manager, Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer - Latin America of Reliable Controls Corporation ([email protected]).


  • BBC. Hackers 'hit' US water treatment systems. (2011, November 21). Retrieved January 28, 201 8, from
  • Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
  • O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from
  • Paul. IBM Research Calls Out Smart Building Risks. (2016, February 05). Retrieved January 28, 2018, from
  • Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from
  • Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from
  • Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory: Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from  
  • Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from
  • Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from
Duván Chaverra Agudelo
Author: Duván Chaverra Agudelo
Jefe Editorial en Latin Press, Inc,.
Comunicador Social y Periodista con experiencia de más de 16 años en medios de comunicación. Apasionado por la tecnología y por esta industria. [email protected]

No thoughts on “Building Automation and Cybersecurity (II)”

• If you're already registered, please log in first. Your email will not be published.

Leave your comment

In reply to Some User
Free Subscription

Bienvenida a Air Conditioning for Hospitals Summit

Sesión 5: Desinfección en ambientes críticos bajo recomendaciones de ASHRAE

Esta charla estará enfocada en las recomendaciones de ASHARAE para la desinfección de ambientes críticos como lo son quirófanos o salas de hospitales, garantizando una ventilación adecuada para reducir el riesgo de infección. Nos enfocaremos en los productos que Carrier ha lanzado al mercado para cubrir esta necesidad inmediata. Ing.William Sanchez - Grupo Clima

Sesión 4: Minimizando las Infecciones Asociadas a la Atención de la Salud (IAAS)

Como se pueden minimizar las Infecciones Asociadas a la Atención de la Salud (IAAS) al proveer el flujo de aire y la presurización adecuada en los ambientes críticos. Roberto Rouanet, Business Developer Building Products - Siemens Colombia

Sesión 3: Hospitales: Salas de Presión Positiva y Negativa

Los centros hospitalarios tienen requerimientos de salas o zonas de presión positiva y negativa con el objetivo de proteger a sus pacientes, trabajadores y usuarios de las áreas de infecciosos (salas de presión negativa) o inmunodeprimidos (salas de presión positiva). Estos espacios aislados por diferencias de presión se consiguen a través de los sistemas de control de los equipos de climatización de las instalaciones. Estas salas de presión Negativa o Positiva son una parte imprescindible en centros médicos y de investigación, ya que ayudan a mantener las condiciones sanitarias necesarias para un ambiente limpio. Jose Jesús Arboledas Herranz, Responsable de proyectos especiales - KEYTER

Sesión 1: Panel - Buenas prácticas, normativas y errores en climatización para hospitales

Buenas prácticas, normativas y errores más comunes en los proyectos de climatización para hospitales Analizar cuáles son los temas en los que los ingenieros y técnicos deben capacitarse profundamente para desarrollar proyectos en esta clase de verticales que demandan instalaciones funcionales al 100% Roberto D'Anetra, Gerente - Climatiza Rómulo Laureano, Commercial Sales Manager - RGF-BIOCONTROLS Jose Jesús Arboledas Herranz, Responsable de proyectos especiales - KEYTER Roberto Rouanet, Business Developer Building Products - Siemens Colombia
Load more...

Ultimo Info-Boletin