As building management systems (BMSs) become more intelligent, collecting information from hundreds if not thousands of devices distributed throughout a building or campus, they are also becoming more susceptible to a risk that has long been associated with IT systems: security breaches.
As IT managers know well, the risk of a cybersecurity breach is all too real and not at all uncommon. In PWC’s 2014 US State of Cybercrime Survey, more than three quarters of respondents (77%) said they detected a security event in the past 12 months. More than a third said the number of security incidents detected increased as compared to the previous year.
Typically, respondents are detecting far more than a single event; the average for 2013 was 135 per organization. And then there are the organizations that are unaware they’re being targeted. As the PWC report says:
Underscoring the threat, the FBI last year notified 3,000 US companies—ranging from small banks, major defense contractors, and leading retailers—that they had been victims of cyber intrusions.
Of course it’s not just U.S. companies that are having security issues. Another PWC study, the 2015 Global State of Information Security Survey, collected data from from 9,700 respondents representing more than 150 countries. They reported 42.8 million security incidents, an increase of 48% from the previous year’s survey. Since 2009, the survey shows security incidents rising at a staggering 66% compound annual growth rate.
Given statistics like that, facilities managers would do well to take steps to secure their intelligent BMSs .
The issue is the BMSs are attached to the company’s network, along with other IT systems. Those networks are also likely attached to the Internet, which potentially opens the BMS to attack from outside intruders. As a result, facilities managers now have to take steps to secure their BMSs, just as IT departments secure their data centers and systems.
The good news is the “best practices” IT groups have developed over the years can be applied to the BMS systems. In this post, I’ll touch on a few that have to do with network security.
In a nutshell, network security focuses chiefly on securing “points of entry,” meaning the avenues which intruders use to attack a corporate network. These include Web interfaces, USB ports, and building automation devices communicating using open protocols.
Any device having a Web interface, meaning you can connect to it via a Web browser, should be of concern. If you can reach it via a Web browser, so can potential intruders. A best practice is to visit the BMS device manufacturer’s web site to locate information about Web interface security and potential vulnerabilities. Any device needing to be accessed via the Internet should be placed behind a firewall.
USB ports are another concern. Software drivers associated with these ports are designed to automatically run programs found on devices inserted into the ports. The USB designers felt this “Auto Run” feature would be convenient.
It may be, but it’s also dangerous. Should a user unknowingly insert a device containing malware, it will automatically run. Once loaded onto the device it can potentially infect computers across the company network.
USB devices are the subject of common social engineering attacks. Various techniques are employed to trick users into inserting USB flash drives into devices. An attacker may just drop them in the corporate parking lot or give them away as prizes. So the best practice with USB devices is to only use devices for which you know the total usage history.
Another issue relates to some of the “open” protocols used in the BMS industry. Such protocols are inherently insecure and have vulnerabilities that may allow an intruder to inject commands into the controlling device. A best practice is to physically secure any network segments that support traffic carrying open protocols. This means keeping open protocol segments separate from any Internet connected network segments.
These are just a few of the ways you can help ensure security of your BMS. For lots more, check out the Schneider Electric white paper, “Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity.”