Cybersecurity for Building Automation Systems

Rapid adoption of IoT-based systems with the promise of significantly reducing operational costs is driving rapid growth in the building and facility automation marketplace. The purpose of these systems is to improve occupant comfort, reduce energy consumption and total cost of ownership, efficiently operate building systems, and increase the lifecycle of utilities.

This digital transformation of the building automation sector involves moving away from older proprietary systems and adopting edge-to-cloud computing architectures. There is a drive to deploy lower cost sensors, both wired and wireless, to gather as much data as possible.

At the same time, the industry has a considerable installed base of legacy building automation systems, applications, devices, and networks that must be managed, maintained and gradually modernized.

As in traditional ICS sectors such as manufacturing and electric utilities, managing cyber risk for smart buildings is challenging. Owner-operators of today’s smart buildings are confronted with shrinking resources, scarce cybersecurity talent and IT/OT convergence.

Let’s look at both the promise of smart buildings and the realities of managing their cybersecurity risks.

1. Digitization of Building Management Systems Can Reduce Lifecycle Costs

The digitization of building automation systems covers a varied and complex application space. These applications include, but aren’t limited to:

  • HVAC
  • Energy management systems
  • Lighting control systems
  • Video surveillance systems
  • Access control systems
  • Elevator control systems
  • plus their attached sensors and devices (cameras, thermostats, light sensors)

Each system and device, including its multiple versions and iterations, has its own level of cybersecurity risk.

Digitizing these systems presents a huge opportunity to reduce energy and operational costs for building and facility owner-operators. For example, commercial buildings consume over 70 percent of the electricity produced in the U.S. Many buildings are older and incorporate dated legacy technology, and could significantly benefit from retrofitting the building control infrastructure to help reduce total cost of ownership and enhance security and safety.

According to the U.S. Department of Energy, both commercial and residential buildings produce about 38 percent of the greenhouse gas emissions, representing a significant opportunity for the new generation of IoT-enabled systems to reduce the sector’s carbon footprint.

New smart, digital technologies for building monitoring and control can help improve occupant comfort and provide information that can be used to operate the building as efficiently as the physical structure and equipment allows.

2. Digitization Also Increases Cyber Risk

But the increasing digitization of all buildings also increases cyber risk. Many owner-operators are realizing the importance of a sound cybersecurity strategy as they pursue the opportunities that digitization affords. Assets are increasingly connected, driving the need for secure remote building monitoring and management.

Owner-operators must also get a better perspective of the kinds of potential vulnerabilities that exist among their installed base of cyber and control system assets. Data flows must be planned and monitored, possibly making it necessary to use one-way data diodes.

Other challenging aspects of cybersecurity for smart buildings include:

IT/OT Convergence – Many end users and owner-operators in the building automation sector still view IT and OT cybersecurity as separate challenges. However, attackers are already exploiting gaps between IT and OT defenses. For example, spam phishing is commonly used to gain privileges and entry into OT systems. Hackers are using HVAC and other poorly defended OT systems as entry points into data centers and corporate IT networks.

OT Systems Incorporate More IT – The rise of the Internet of Things, Industry 4.0, and other sweeping technology initiatives is creating a huge wave of IT adoption at every level of the building system architecture. Edge computing devices are already replacing proprietary controllers in a variety of applications. ARC sees the adoption of a wider range of cheaper, smarter, more pervasive sensors.

Aside from the functions performed by the systems and their unique sensing requirements, it will be increasingly difficult to distinguish between building automation systems and enterprise-level systems from a computing perspective.

Image Courtesy of ARC Advisory Group.

The Rise of OT-level Cyberattacks – Cyberattacks on smart buildings, along with related attacks on smart cities and infrastructure, can have wide-ranging impacts and can pose risks to human safety. An attack in a large public building or structure (particularly in a densely populated area), could potentially cause chaos.

Cyber-physical assets in smart buildings, cities, and infrastructure are becoming more distributed, particularly when you look at the new trend towards monitoring entire fleets of buildings from a centralized location. On a campus or in a medical complex, these systems cover multiple city blocks and can be crucial to the overall functioning of a city or community.

Expanded Attack Surface – Today’s smart buildings feature many systems and interconnections. These broaden the threat landscape for an attack. In the case of the Target retail chain hack, the HVAC system was accessed and used to gain entry to financial systems to steal the credit card information for over 40 million people.

Insecure Protocols – Exploiting insecure industrial protocols is another way attackers can disrupt operations, and this is particularly true for building automation systems. Popular protocols like BACnet and LonWorks are not inherently secure: like the protocols used in the manufacturing sector, they carry no authentication of who is issuing a command and have their own vulnerabilities. Sophisticated attackers are aware of these gaps and have easy access to the documentation needed to construct commands designed to disrupt the operation of controllers and other devices.
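Because BACnet/IP itself does not authenticate the sender of a WriteProperty or ReinitializeDevice request, the practical defence is to monitor the network for state-changing requests that come from anywhere other than the authorised building-management server. The following example is added here and is not code from the original post or from any vendor product; it decodes the BVLC/NPDU/APDU headers of BACnet/IP frames and audits a constructed sample capture (the IP addresses, object identifiers and allowlist are all hypothetical):

```python
"""Audit captured BACnet/IP frames and flag state-changing requests
from hosts that are not on the allowlist of authorised BMS servers."""
from typing import Optional

# Confirmed and unconfirmed service choices from ASHRAE 135 (subset)
CONFIRMED = {12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
             16: "writePropertyMultiple", 17: "deviceCommunicationControl",
             20: "reinitializeDevice"}
UNCONFIRMED = {0: "iAm", 6: "timeSynchronization", 8: "whoIs"}
# Services that change controller state; BACnet/IP does not authenticate them.
STATE_CHANGING = {"writeProperty", "writePropertyMultiple",
                  "deviceCommunicationControl", "reinitializeDevice"}


def bacnet_service(payload: bytes) -> Optional[str]:
    """Return the APDU service name of a BACnet/IP frame, or None if it is not one."""
    try:
        if payload[0] != 0x81 or payload[1] not in (0x0A, 0x0B):
            return None                  # BVLC: Original-Unicast/Broadcast-NPDU only
        if int.from_bytes(payload[2:4], "big") != len(payload) or payload[4] != 0x01:
            return None                  # BVLC length mismatch or unknown NPDU version
        control, i = payload[5], 6
        if control & 0x80:
            return None                  # network-layer message, carries no APDU
        if control & 0x20:               # DNET, DLEN, DADR present
            i += 3 + payload[i + 2]
        if control & 0x08:               # SNET, SLEN, SADR present
            i += 3 + payload[i + 2]
        if control & 0x20:
            i += 1                       # hop count follows whenever DNET is present
        pdu_type = payload[i] >> 4
        if pdu_type == 0:                # Confirmed-Request: flags, max-APDU, invoke ID, service
            return CONFIRMED.get(payload[i + 3], f"confirmed-{payload[i + 3]}")
        if pdu_type == 1:                # Unconfirmed-Request: flags, service
            return UNCONFIRMED.get(payload[i + 1], f"unconfirmed-{payload[i + 1]}")
        return None
    except IndexError:                   # truncated frame
        return None


def audit(frames, allowed_writers):
    """Return (src, service) for every state-changing request from a non-allowlisted host."""
    return [(src, svc) for src, pkt in frames
            if (svc := bacnet_service(pkt)) in STATE_CHANGING and src not in allowed_writers]


# Constructed sample capture: (source IP, raw UDP payload). 10.0.5.10 is the hypothetical BMS server.
SAMPLE = [
    ("10.0.5.10", bytes.fromhex("810b000c0120ffff00ff1008")),                          # Who-Is broadcast
    ("10.0.5.10", bytes.fromhex("810a001101040005010c0c000000011955")),                # ReadProperty
    ("10.0.5.10", bytes.fromhex("810a001a01040005020f0c0000000119553e4441a000003f4908")),  # WriteProperty, authorised
    ("10.0.77.23", bytes.fromhex("810a001a01040005020f0c0000000119553e4441a000003f4908")), # WriteProperty, unknown host
    ("10.0.77.23", bytes.fromhex("810a000c0104000503140900")),                         # ReinitializeDevice, unknown host
]
```

Running `audit(SAMPLE, {"10.0.5.10"})` reports only the two requests from 10.0.77.23; in practice the allowlist would be fed from the asset inventory and the frames from a span port or capture file.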

Ensuring Cybersecurity for Building Automation Systems

A comprehensive cybersecurity program for smart buildings incorporates the three foundations of cybersecurity for any system: people, process and technology.

Building owner-operators and companies with building portfolios will find it challenging to put in place the teams, culture and processes needed to properly deal with smart building cyber risk.

On the technology side, the good news is that innovative and mature solutions are available. OT-level cybersecurity suppliers, such as Nozomi Networks, offer products that provide:

  • Visibility and situational awareness for OT and IoT devices and networks
  • Continuous monitoring for vulnerabilities, threats and anomalies
  • Centralized OT/IoT visibility and cybersecurity for remote operations centers

While the digital transformation of building automation systems can create tremendous rewards in terms of energy and operational savings, occupant comfort and safety, and lower total cost of ownership, the cyber risks involved must be actively monitored and managed. In a rapidly changing world, I encourage smart building owner/managers to actively develop a comprehensive cybersecurity program.