Building automation systems require important protection measures against latent security risks and unauthorized access.
By Levi M. Tully*
People and property are paramount to the mission of most organizations. To reduce risk, organizations close doors to properly secure facilities, pay significant attention to the security of information technology (IT) networks and infrastructures. However, unless they take specific steps to secure their operational technology (OT) systems, their personnel and property, along with their operational readiness, are very likely to be exposed to significant risk.
Hidden in the engine rooms and ceilings of modern buildings are complex electrical and mechanical systems that protect the health and well-being of people and the facilities they serve. A building automation system uses networks of microprocessors and sensors to automatically monitor the built environment and manipulate its equipment to delicately balance a healthy indoor environment with efficient use of resources.
Like IT systems, building automation systems create, process and store electronic data. When a building automation system integrates with IT systems and infrastructure to monitor and manipulate physical processes, it becomes an OT system.
Although similar, OT systems differ significantly from IT systems. The logic that runs in an OT has a direct and immediate effect on the physical world. This influence can present a significant risk to health and safety of human lives, serious damage to the environment, financial impact, and a negative influence on an organization's ability to execute its mission (Stouffer et al., 2015).
Unauthorized access to OT systems and data is increasingly exploited to cause inconvenience to tenants, disrupt facility operations, and damage equipment or facilities (ASHRAE SSPC 135, 2020). It can pose a significant risk to an organization's reputation. Just as we protect IT assets from unauthorized access through cybersecurity, OT systems must provide protection commensurate with the security controls already in place in the IT domain. These controls must be commensurate but appropriate to the different needs of OT, which requires protections that are not common in the IT field (Granzer et al., 2010; Boeckl et al., 2019).
The underlying principle is known as hardening, or the process of improving the security of an information system by reducing vulnerability exposure. Risk cannot be completely mitigated; the goal of hardening is to enhance business mission or capabilities by mitigating risk to an acceptable level (Stoneburner et al., 2004). For OT systems, this means preserving data integrity and availability.
Each organization must conduct an objective assessment of the potential impact on normal business operations in the event of an OT incident and must balance security controls with performance requirements. There are many public and private resources and standards for comprehensive OT cybersecurity. Fortunately, common sense and a few simple steps can drastically improve the protective posture of any OT system.
Before you start
A qualified vendor backed by the system manufacturer is ideally positioned to provide secure design recommendations that reduce vulnerabilities in your hardware and software. Request OT strengthening expertise as a vendor qualification and work closely with a qualified vendor to establish strengthening guidelines appropriate to your organization's needs.
Insurance by design
Articulate appropriate cybersecurity protection measures and acceptance criteria during the design phase rather than during execution or commissioning. IT and OT networks are different, with different requirements for access, security, and performance. Their vulnerabilities expose installation and operational readiness to separate risks.
Consider segregating these disparate systems into dedicated network zones with a single access point and common security requirements (ISA/IEC 62443, 2019). This improves the security and resilience of IT and OT networks while minimizing interaction and interdependencies. Physical separation is ideal but not strictly necessary.
During the design phase, develop a continuity and recovery plan appropriate to your organization's needs and resources for a security or network incident. Designate an entity that is responsible for OT's cybersecurity plans, execution, and response. If this is not the entity responsible for IT security, the two should coordinate closely (Stouffer & Pillitteri, 2021). At a minimum, a continuity plan should consider the following:
* What is the process for keeping assets patched and updated?
* What is the response to a network incident or outage? How can the OT be separated from the network and operated in isolation?
* What is the process for system backup? Frequent backup and secure storage of OT databases, operational logic, and configuration minimize recovery and downtime.
Work closely with your provider to ensure reinforcement guidelines are followed during implementation. Until properly protected, isolate embedded devices, physical and virtual workstations, and servers from production networks and the Internet.
Patch and update operating systems and applications using the resources of the manufacturer or a trusted source. Audit configuration with the vendor at delivery time and prior to deployment.
Direct access to the network or the Internet through OT devices often presents a significant security vulnerability and circumvents authentication and protection measures. Carefully disable or authenticate and monitor technologies such as cloud-based services, mobile broadband, Wi-Fi, LoRaWAN, Bluetooth, and Near Field Communication (NFC) that can provide unmanaged or unattended access to the local network zone or the Internet.
Open protocol OT systems transmit data in plain text using publicly defined standard processes. This is crucial for interoperability between components, but poses a significant security vulnerability as it exposes data to manipulation. User credentials must always be encrypted in transmission and storage. Local transmission of interoperable data is acceptable for most applications. However, when you cross network boundaries, the data must be encrypted and a mechanism must be implemented to authenticate the source and destination.
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) standard for OT interoperability, BACnet, has evolved to deliver robust information security for data exchange across a wide range of IT environments (ASHRAE SSPC 135, 2020). Encryption of BACnet data over BACnet virtual private networks and secure connection networks is widely available.
User account management simultaneously represents one of the most effective access control mechanisms and the most dangerous vulnerabilities for effective network security. To ensure accountability, each user should be assigned unique credentials and permissions appropriate to the intended level of system access and interaction.
This means carefully controlling who can access the system, what they can see, and what they can modify. Proper user account management is fairly simple, but often ignored or taken for granted, and should include the following steps:
* Disable public and default user accounts.
* Enable automatic closure of inactive user accounts.
* Minimize superuser administrators. Consider dual authorization so that no individual user can change security controls or credentials.
* Consider a role-based access system that ranks users by the specific permissions required to perform daily tasks rather than the people performing the tasks (Reliable Controls, 2019).
* Implement the least privilege. Start with zero confidence for every role. Add access and permissions only when proven necessary for operational efficiency (Stouffer & Pillitteri, 2021).
* Enforce a reasonable password management policy with appropriate strength. Consider passwords that are hard to guess but easy to remember. Unnecessarily complex password requirements often result in poor personal security hygiene and vulnerable passwords (e.g. recorded in Post-it notes).
As the system goes live it is important to take inventory of OT assets. Document the devices that make up the system and how each asset is used. Identify the most critical assets. Check and delete all unauthorized assets. It is essential to maintain good safety hygiene. Keep assets up-to-date and fully patched.
Train users on why cybersecurity is an organizational priority, on their responsibilities, and on how to look for things out of the ordinary that may be evidence of a cybersecurity incident. Regularly audit trader activity and disable unused accounts. Revoke access that is not strictly necessary. Disable accounts immediately when someone leaves the organization (Stouffer & Pillitteri, 2021).
The health and well-being of people and property in the built environment depends on complex mechanical and electrical systems that are critical to operational readiness and consume significant resources. OT's poor cybersecurity is a clear and present threat to our people and our property. A thoughtful approach to OT system security doesn't have to be onerous or complex.
Even a simple strategy enhances mission capabilities by mitigating risk to an acceptable level. Properly operated and secured, these systems ensure the comfort and well-being of the facilities and their occupants.
* Levi M. Tully is executive vice president of sales for Reliable Controls Corporation in Victoria, British Columbia, Canada. You can reach him on [email protected].