Cyber security in building automation systems: how FMs can secure their BAS
David Brunsdon is a Certified Ethical Hacker (CEH) and Cybersecurity Analyst and Consultant at Dark Ivy Consulting, specializing in security in building automation systems. With 20 years spent studying and teaching in the field, he’s an expert in cyber security, as well as in securing building automation systems and making them operate better.
Many people, including many building owners and Facility Managers (FMs), may be less familiar with the often greater risks that can come from the actual building that houses all those computers and hard drives.
Understanding Building Automation Systems Security
When it comes to cyber security issues, sometimes what you don’t know can hurt you quite a bit. Many of us understand the need for strong passwords and being wary of clicking unknown links. We ‘get’ that you have to keep computers and data safe.
Today, building automation systems (BAS), also known as building management systems (BMS), are quite sophisticated. A BAS can be responsible for running HVAC systems, lighting systems, security systems, alarm systems, emergency systems, energy management monitoring for intelligent buildings, and even connecting smart buildings with edge devices via the Internet of Things (IoT)—all through their own separate and integrated system.
That building network is typically far more vulnerable than what’s called your ‘corporate’ (i.e., regular) network. And because information technology departments don’t have access to it, the responsibility for shoring up a BAS and keeping it secure typically falls to FMs.
We asked David about security in building automation systems and risks of an insecure BAS, along with what FMs need to know and do to maintain true cyber security across all their networks.
Why should facility managers care about cyber security in their building automation system network?
These are invisible systems, but we depend on them. When they just stop working, our lives are significantly disrupted. System after system is insecure, and while there’s usually a good reason for it, it’s still a disturbing trend.
And what’s really gotten bad is that the number of ransoms being paid is extremely high, which has created a very powerful network of information brokers, essentially. If you get ransomed today, you will likely get a link to an actual online store where you can pay for your decryption key. They actually operate storefronts now! Thanks to the money that they’ve received from their income, these hackers are able to develop illicit businesses with full functionality. It’s alarming.
Why are there so many issues with security in building automation systems and why are so many buildings insecure?
A building likely has an IP network that their staff works on all day. And that network is protected and maintained by an IT staff. The typical setup of a building automation system is totally independent of that corporate network. There is what we call an ‘air gap’ between the two, because there’s literally a gap. They have no physical connection, and they shouldn’t be able to talk to each other.
That second network, the BAS, is not typically maintained by the IT department. It’s often maintained by a mechanical contractor that may not have anyone on staff who is skilled or even interested in cyber security. So that second network often goes neglected, and then it goes unpatched. It just falls behind.
And of course, that more vulnerable building automation system is often installed with the building itself, using components that existed at the time it was built. So a BAS can easily be 20 or 30 years old or more.
IT departments are often aware of the vulnerabilities of the BAS, and they don’t like the situation. But they are usually not familiar with its components or able to improve it. If they had a choice, they’d just rip that vulnerable network out. But of course, they don’t have the choice, because the building needs it.
So when FMs bring me in to help manage this type of situation, I either work with the IT department to help them understand the BAS network and its vulnerabilities, or with the contractor who is servicing the building network to help them bring it into 2021.
What can happen if a building automation system isn’t secure?
There was a misconception for years that BAS security wasn’t a big deal. There was a lack of creativity, almost—people just thought, ‘what’s a hacker going to do, turn off my AC?’ And decades ago, a building might only have AC on their network, so it wasn’t as big of a concern.
But things have changed. Building systems have become more integrated, and so a BAS or building control system no longer consists of just control systems for heating and air conditioning. It’s moved into lighting, access control systems, people counting, and lots more.
Today, a hacker can do all sorts of things once they gain remote access to your building. They could cause your building to be evacuated. They could lock out your access to the BAS in the wintertime, and make you pay to get your building operational. In some buildings, like factories, building systems can control essential processes on the floor, so disrupting them is an even bigger deal.
So what a hacker would do is take control of the system and make it inoperable. And they make it really hard to fix. So that puts the company in a real bind, and they end up paying the ransomware because they just need to get out of the bad situation.
I’m pushing for people to fix the situation in advance. This is much easier than waiting for the bad situation to happen in the first place.
Can a vulnerable BAS threaten your corporate IT network?
Absolutely. Security consultants always tell companies to never, ever combine the BAS and the IT network and bridge that air gap. But it happens both accidentally and on purpose. There have been some big hacks that have occurred this way. It’s called pivoting, and it’s a big problem in the industry.
So if you have a building that’s 30 or 40 years old, maybe there are more people working there in the building’s current state, and they need more ports. They might end up using the wrong ports, not realizing they’ve bridged the air gap, and now hackers can go from the building automation to the critical network.
The gap can also be broken by something as simple as an IT person plugging their laptop into the building automation network while they’re still on the Wi-Fi of the corporate network. That’s an accidental break that is so easy to make, but it can have big consequences.
It seems that the older a building is and the longer the BAS has been in place, the more likely people are to have forgotten about maintaining the air gap, which can lead to bigger problems.
Do small and medium-sized businesses need to worry about building automation network security threats?
This used to be considered a big business issue only, but that’s really changed. Small-sized businesses make easy targets for new hackers who are trying to practice their skill. And most small businesses aren’t really doing anything to protect themselves, because they think anonymity will protect them. They think they’re safe because they’re small. But they’re actually in danger because they’re a vulnerable target.
Which industries are particularly vulnerable to BAS cyber attacks?
Nothing seems to be off limits anymore. There’s all sorts of reasons to attack a network. Sometimes it’s simply financial, and sometimes it’s the work of ‘hacktivists.’
Industries like oil and gas, pharmaceuticals, and any companies that test on animals, for example, can be targeted by people who actually want to do damage first and foremost. A ‘hacktivist’ is not likely to actually give you your decryption key when they ransomware you. They’re going to ransomware you, take your money, and then destroy your data anyway, because that’s the most damage they can do.
So when ransomed, it’s important to really identify whether the hackers are doing this for the money, or if there is something else going on.
As far as other businesses that could be targeted, any business with online assets that can be interacted with by the public, like shopping carts, makes a better target for hackers.
How can facilities teams make building automation systems more secure?
There are some key things that FMs are just not doing. No one is looking at their BAS from the outside-in to try to understand the network as it looks to would-be hackers, so that they can then fix any holes they see. This is called a penetration test, where you hire an ethical hacker such as myself to assess the security of your building, and it’s something FMs need to do.
FMs should also talk with the mechanical contractor or whoever is responsible for the BAS, to clearly identify what their security policy is and what their plan is to maintain the security of the system. Remember, it’s important they don’t just install a ‘secure’ network and then leave, as these systems need to be maintained. Otherwise, security starts to go down over time.
And FMs should also understand there are two major factors involved in a better plan for BAS security architectures and systems. There are mechanical contractors that maintain the BAS technology, and they could definitely stand to have some cyber security training or a cyber security expert on their team. But also the IT department needs training on what they don’t know. These are all risks that come with a BAS.
Security and the BACnet protocol
I’m also a believer in the BACnet communication protocol. I think it’s a great protocol. It’s true it lacks security, but it does what it’s supposed to do really well.
I don’t like closed protocols, but that’s for non-security reasons. The closed protocols do have their security benefits, no doubt about it. I don’t like them because when a building manager chooses a system with a proprietary protocol, they are locked into that system. They still have to keep the same service technicians, even if they don’t do a good job or they overcharge.
So, my preference is for FMs and building managers to help ensure their BACnet system is more secure. And BACnet Secure Connect is an excellent tool for doing that.
BACnet/SC is a VPN, but it only works on the BACnet protocol. It closes a firewall that is one of the major vulnerabilities inherent in these networks. So I want everybody to move to either BACnet Secure Connect or another VPN. It’s a really easy way to help secure your building management system.
Is there a common mistake you see FMs making?
Stop checking email on the computer that is on the air gap network. It’s so bad to check email on the operator station! But people check their email on it all the time, and guess what? They just got hit by a phishing attack, and now they’ve lost control of their network.
I believe anyone can get tricked into clicking the wrong link. Check your email on the corporate network. Check your email on your phone. And stop checking on the building automation network!
If there was one thing every facilities manager should do right now to make their building more secure, what would it be?
Go to shodan.io and try to find your building. This is a search engine for buildings, and it will show you all the exposed systems. Not just BAS, but also webcams or any other systems that are online. You really do not want to find your building here.
So find out what your exposure is by going to Shodan and seeing if you can locate yourself. And if you can find yourself, talk to somebody who can plug whatever hole is in there, so you will stop showing up on the search engines for people who are looking for networks to exploit.
Shodan is a great resource because it’s used by security experts and by hackers. If you can’t find yourself on the site, it’s not a guarantee that you’re secure. But you’re definitely in a better spot than all the people that do show up there.
How can a facilities manager embrace BAS networks and technologies like workplace sensors and other integrations, while still maintaining good cyber security hygiene?
We need these technologies—some of them are optional, but some of them really aren’t.
And so as an FM, I would be looking at what kind of policies I can put in to secure my network. One important policy would be to never check email on that network, like we discussed.
Another policy could be restricting access to your systems. Let’s pretend you don’t have BACnet/SC, meaning it’s easier for nefarious actors to gain access to your system. An FM-directed policy could be to not allow access to the system from 11pm to 6am. Another policy could be to only allow connectivity from your geolocation. So you don’t accept a connection from Eastern Europe, for example.
Having a whitelist of IP addresses that are the only ones allowed to access the system would be another policy an FM could implement to help beef up network security.
Ultimately I believe that security comes from the top down. The number one thing a facility manager can do is influence policy. This is a big part of cyber security and a step in the right direction to achieving security in building automation systems.
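The three access policies described above (an IP allowlist, no connections outside the building’s own geolocation, and no access from 11pm to 6am) can be expressed as a single rule set enforced at whatever gateway fronts the BAS. The following is an added example, not code from the interview or from any BAS vendor; the allowlisted networks, the home country code, the GeoIP lookup table and the connection attempts are all constructed stand-ins so that it runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Policy parameters from the interview: allowlisted sources, home geolocation
# only, and no remote access 11pm-6am. All values are constructed examples.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/28")]   # FM/contractor addresses (TEST-NET-3)
HOME_COUNTRY = "CA"                                 # constructed home geolocation
CURFEW_START, CURFEW_END = time(23, 0), time(6, 0)  # window that crosses midnight

# Constructed stand-in for a real GeoIP lookup, so no network access is needed.
GEO_TABLE = {"203.0.113.5": "CA", "203.0.113.9": "CA", "198.51.100.7": "US", "192.0.2.44": "XX"}

@dataclass
class Attempt:
    src: str          # source IP of the connection attempt
    when: datetime    # local time at the building
    service: str      # e.g. "bacnet/ip" or "operator-web" (constructed labels)

def in_curfew(t: time) -> bool:
    """True when t falls in the 23:00-06:00 window (which crosses midnight)."""
    return t >= CURFEW_START or t < CURFEW_END

def evaluate(a: Attempt) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one connection attempt.
    Checks run most-restrictive first so the reason names the first failed rule."""
    addr = ip_address(a.src)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return "deny", "source not on allowlist"
    if GEO_TABLE.get(a.src, "??") != HOME_COUNTRY:
        return "deny", "source outside home geolocation"
    if in_curfew(a.when.time()):
        return "deny", "outside permitted hours"
    return "allow", "ok"

def review(attempts):
    """Apply the policy to a batch; return (decision rows, number denied)."""
    rows = [(a.src, a.when.isoformat(timespec="minutes"), *evaluate(a)) for a in attempts]
    return rows, sum(1 for r in rows if r[2] == "deny")

# Constructed sample of connection attempts (not real log data).
SAMPLE = [
    Attempt("203.0.113.5", datetime(2021, 3, 2, 9, 15), "operator-web"),
    Attempt("203.0.113.9", datetime(2021, 3, 2, 23, 40), "bacnet/ip"),
    Attempt("198.51.100.7", datetime(2021, 3, 2, 10, 0), "bacnet/ip"),
    Attempt("192.0.2.44", datetime(2021, 3, 3, 2, 5), "operator-web"),
]

if __name__ == "__main__":
    for row in review(SAMPLE)[0]:
        print(*row)
```

Denied rows are the ones worth reviewing in the gateway logs: a legitimate contractor who is refused at 23:40 confirms the curfew is working, while repeated refusals from unknown addresses show what the allowlist is keeping out.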
OfficeSpace works with facilities managers to create safe working systems with integration and optimization. To learn more, get in touch.