Second part of this article based on the protection of building automation systems.
by Levi Tully*
In the first part of this article published in issue 22-1 (January /February) we analyze the cybersecurity aspect of automation systems and the importance of protecting these valuable assets against threats and vulnerabilities. Now we will look at some recommendations to apply to these systems.
It is possible to follow very simple recommendations to facilitate this protection:
System design and configuration
1. Supplier security recommendations.
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Network integrity.
to. Install on secure networks.
b. Do not open gaps in the firewall with incoming connections.
c. Use non-standard ports.
d. Have a dedicated network for the automation system.
3. Encryption.
to. Data transmission.
b. Storage and transmission of credentials.
c. Install a BACnet virtual private network (VPN).
4. Contingency and recovery plan.
to. System audits.
Authentication
1. Disable public access.
to. Disable or change all default credentials.
2. Assign unique credentials for each user and process.
to. Define user roles and permissions.
b. Set least privileges.
c. Use credential audits to disable unused accounts.
3. Apply password management policies.
to. Use of strong passwords.
b. Regular change of passwords.
c. Consider using passphrases.
4. Enable automatic disconnection due to inactivity.
Server Configuration
1. Supplier security recommendations
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Secure the operating system server.
3. Secure the software server.
4. Maintain the security of the servers.
External influences
1. Implement physical security.
2. Use virtual private networks (VPNs).
3. Train users.
BACnet is the ASHRAE standard for an open building automation protocol. The ANSI/ASHRAE 135-2016 A Data Communication Protocol for Building Automation and Control Networks is designed to standardize communications between building automation devices regardless of their manufacturer, enabling data exchange and interoperation of equipment and systems. This ideal is facilitated by technology that incorporates a few core values including (ASHRAE SSPC 135,2018):
- Designed for control, operation and monitoring in the building automation domain.
- Powerful data and service model that reaches semantic definitions.
- Interoperability between versions and suppliers.
- Large installed base.
- Scalability (Including support for low-cost twisted pair networks).
- Scope of the network security architecture.
Some fundamental components of BACnet communication in Ethernet and IP networks are warning signs for IT professionals and present challenges to protection schemes in compliance and adherence to common security controls already established in the IT domain. The traditional BACnet/IP data link:
1. Transmit data in plain text format, putting the confidentiality and integrity of the data at risk.
2. Communication on IP networks requires static IP addresses for BACnet broadcast management.
3. Requires firewall port entry, penetration, and forwarding rules.
4. It is perceived as an outdated data transport method.
Penetrating a facility's firewalls with standard, open-protocol, and easily accessible requests and responses is a risk to data confidentiality and integrity, however, access from outside a trusted LAN is often crucial to data availability.
Following the traditional model of remote connectivity for BACnet/IP and IP networks, firewall entry rules and port forwarding are common.
The RC-RemoteAccess BACnet Virtual Private Network (B/VPN) is expressly designed to strengthen the synergy between BACnet and traditional methodologies while providing protection schemes that are inherently adhered to the security controls commonly established in the IT domain using secure WebSocket connections over TLS.
A B/VPN network meets the requirements of modern IP infrastructure and IT security. The use of Transport Layer Security (TLS) enables the secure exchange of NPDU packets across a wide range of IT environments. The latest in TLS technology facilitates secure BACnet communication.
A B/VPN network introduces a new model that eliminates the need for inbound connections through the firewall by facilitating secure outbound connections.
B/VPN networks are based on a logical distribution and link model that provides protocol-based connections between client and server nodes. The connection is initiated from the client node to the server or distributor.
Once the B/VPN client/server model is established, communications are bidirectional. Through this model, operators and technicians can access their BACnet facilities remotely, and BACnet networks can be securely combined using an established model analogous to a traditional VPN but designed for BACnet data transmission.
B/VPN networks have modernized and revolutionized the integration of BACnet and IT.
Where is the cybersecurity of building automation systems a concern? Here... wherever it is here. All building automation systems should be properly secured. All facilities deserve to be protected in a timely manner.
When should we start thinking about the cybersecurity of building automation systems? Now.
The goal of securitization should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).
For more information about cybersecurity you can visit our website: www.reliablecontrols.com
* Levi Tully, Application Engineering Manager, Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer - Latin America of Reliable Controls Corporation ([email protected]).
References
- BBC. Hackers 'hit' US water treatment systems. (2011, November 21). Retrieved January 28, 201 8, from http://www.bbc.com/news/technology-15817335
- Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
- O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from https://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html?utm_term=.e743b8a75b7c
- Paul. IBM Research Calls Out Smart Building Risks. (2016, February 05). Retrieved January 28, 2018, from https://securityledger.com/2016/02/ibm-research-calls-out-smart-buildingrisks/
- Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
- Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from http://www.facilitiesnet.com/buildingautomation/article/Hackers-Pose-Threat-To-Building-Automation-Systems--15557?source=part
- Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory: Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP800
- Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from https://www.wired.com/2013/05/googles-controlsystem-hacked/
- Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from https://www.wired.com/2013/02/tridium-niagara-zero-day/
