The threat of cyber attacks against Building Management Systems (BMS) is a growing concern both inside and outside of the buildings industry. One recent event, the much-publicized attack against retail giant Target (nearly 1,800 department stores across the US), resulted in the theft of 40 million payment card numbers over a 19-day period. This breach occurred because Target had provided an outside heating, ventilation and air conditioning (HVAC) supply company with external network access. That access gave hackers a path from which to launch an attack against more critical systems within the Target network.
Until very recently, no one was addressing the potential cyber risks to these types of systems within the US government network of nearly 9,000 federal facilities. Cyber threats to these systems were still considered “an emerging issue,” and a cyber expert recently warned government agencies such as the General Accounting Office (GAO) that such systems were not designed with cybersecurity in mind.
From fiscal year 2011 to fiscal year 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 incidents to 243 incidents, a 74% jump. The financial costs of these types of incursions run into the hundreds of billions of dollars each year.
Addressing the threats is a team effort
So what can building owners and other stakeholders do in the face of these rising threats? In the domain of building management systems, security is not only the responsibility of the building owners, but also of the manufacturers and partners who provide products to the end users.
On the manufacturer side, a secure development lifecycle is required. This means that the products are developed with security in mind and are “hardened” by the time they make it into the hands of the end user. Manufacturers like Schneider Electric follow a disciplined process which involves the following steps:
- Train – Deliver security training to those working in development labs. Each role in the development cycle that influences the product in any way receives the training.
- Require – Adhere to global and/or national security regulations
- Design – Conduct threat modeling and architectural reviews
- Implement – Ensure secure coding practices and scan all software code related to the product
- Verify – Execute both functional (black box) and structural (white box) security testing
- Release – Generate documentation and process details to securely deploy the offering
- Deploy – Offer full security lifecycle services for customers
- Respond – Provide assistance and support when incidents and vulnerabilities are reported
On the end user side, adherence to proper processes and procedures will help to minimize the level of risk. Processes should be designed to limit the chances of human error opening the door to cyber attack vulnerabilities. Unsecured laptops, workstations, work areas, and lax password management (including not revoking credentials and access when an employee leaves the company) can all increase the risk of exposure. Business procedures should also be designed in such a way that potential insider threats such as sabotage, fraud, theft or leaking of intellectual property or classified / confidential information are discouraged.
The work involved in maintaining robust defense in depth and breadth is ongoing. Conventional IT security solutions should be incorporated into Building Management System networks. Training of people who manage BMS networks is a critical success factor. Vigilance and due diligence should include a disciplined maintenance of the BMS systems with the latest updates.
For more information, download our free white paper, “Defending Against Cyber Threats to Building Management Systems.”