Building Automation and Cybersecurity (II)

Second part of this article on the protection of building automation systems.

by Levi Tully*

In the first part of this article, published in issue 22-1 (January/February), we analyzed the cybersecurity aspect of automation systems and the importance of protecting these valuable assets against threats and vulnerabilities. Now we will look at some recommendations to apply to these systems.

Some very simple recommendations make this protection easier to achieve:

System design and configuration
1. Supplier security recommendations.
   a. Request that the supplier's security recommendations be provided as a qualifying element.
   b. Ensure that the recommendations are followed.
   c. Audit the configuration.
2. Network integrity.
   a. Install on secure networks.
   b. Do not open gaps in the firewall for incoming connections.
   c. Use non-standard ports.
   d. Have a dedicated network for the automation system.
3. Encryption.
   a. Data transmission.
   b. Storage and transmission of credentials.
   c. Install a BACnet virtual private network (VPN).
4. Contingency and recovery plan.
   a. System audits.

Authentication
1. Disable public access.
   a. Disable or change all default credentials.
2. Assign unique credentials to each user and process.
   a. Define user roles and permissions.
   b. Apply least privilege.
   c. Use credential audits to disable unused accounts.
3. Apply password management policies.
   a. Use strong passwords.
   b. Change passwords regularly.
   c. Consider using passphrases.
4. Enable automatic logout after a period of inactivity.

Server configuration
1. Supplier security recommendations.
   a. Request that the supplier's security recommendations be provided as a qualifying element.
   b. Ensure that the recommendations are followed.
   c. Audit the configuration.
2. Secure the server operating system.
3. Secure the server software.
4. Maintain the security of the servers over time.

External influences
1. Implement physical security.
2. Use virtual private networks (VPNs).
3. Train users.

BACnet is the ASHRAE standard for an open building automation protocol. ANSI/ASHRAE Standard 135-2016, A Data Communication Protocol for Building Automation and Control Networks, is designed to standardize communications between building automation devices regardless of manufacturer, enabling data exchange and interoperation of equipment and systems. This ideal is facilitated by technology that incorporates a few core values, including (ASHRAE SSPC 135, 2018):

  • Designed for control, operation and monitoring in the building automation domain.
  • A powerful data and service model that extends to semantic definitions.
  • Interoperability between versions and suppliers.
  • A large installed base.
  • Scalability (including support for low-cost twisted-pair networks).
  • The scope of its network security architecture.

Some fundamental traits of BACnet communication on Ethernet and IP networks are warning signs for IT professionals and make it difficult to bring protection schemes into compliance with the security controls already established in the IT domain. The traditional BACnet/IP data link:

1. Transmits data in plain text, putting the confidentiality and integrity of the data at risk.
2. Requires static IP addresses on IP networks for BACnet broadcast management.
3. Requires firewall port entry, penetration, and forwarding rules.
4. Is perceived as an outdated data transport method.

Penetrating a facility's firewalls with standard, open-protocol, and easily accessible requests and responses is a risk to data confidentiality and integrity; however, access from outside a trusted LAN is often crucial to data availability.

Under the traditional model of remote connectivity for BACnet/IP over IP networks, inbound firewall rules and port forwarding are common.
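As an added illustration (example code written for this edition of the article, not from the author or from Reliable Controls), the following Python decoder reads the BVLC and NPDU headers of BACnet/IP datagrams and reports the traits just described: use of the well-known port 47808 (0xBAC0), dependence on BBMD broadcast management, and an APDU that is readable in the clear. Field layouts follow ANSI/ASHRAE 135 Annex J; the sample datagrams are constructed for the example, not captured from any site.

```python
import struct

BACNET_IP_PORT = 0xBAC0  # 47808, the well-known BACnet/IP UDP port
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device",
                  0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x08: "Who-Is"}


def parse_bacnet_ip(datagram: bytes, dst_port: int) -> dict:
    """Decode the BVLC and NPDU headers of one BACnet/IP datagram and report the
    traditional-data-link traits: well-known port, reliance on BBMD broadcast
    management, and what the unencrypted APDU reveals (only those fields are decoded)."""
    if len(datagram) < 4 or datagram[0] != 0x81:
        raise ValueError("not a BACnet/IP datagram (BVLC type must be 0x81)")
    function = datagram[1]
    (length,) = struct.unpack("!H", datagram[2:4])
    if length != len(datagram):
        raise ValueError("BVLC length field does not match datagram size")
    info = {"bvlc": BVLC_FUNCTIONS.get(function, f"0x{function:02x}"),
            "standard_port": dst_port == BACNET_IP_PORT,
            "broadcast_dependent": function in (0x04, 0x05, 0x0B),  # BBMD-related functions
            "service": None}
    if function == 0x05:  # Register-Foreign-Device carries only a time-to-live, no NPDU
        (info["ttl_seconds"],) = struct.unpack("!H", datagram[4:6])
        return info
    offset = 4 + (6 if function == 0x04 else 0)  # Forwarded-NPDU prepends originator IP:port
    if datagram[offset] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = datagram[offset + 1]
    offset += 2
    if control & 0x20:  # DNET(2) DLEN(1) DADR(DLEN)
        offset += 3 + datagram[offset + 2]
    if control & 0x08:  # SNET(2) SLEN(1) SADR(SLEN)
        offset += 3 + datagram[offset + 2]
    if control & 0x20:  # hop count follows the source fields
        offset += 1
    if control & 0x80:  # network-layer message: no APDU to inspect
        return info
    apdu = datagram[offset:]
    if apdu[0] >> 4 == 1:  # Unconfirmed-Request: next byte is the service choice
        info["service"] = UNCONFIRMED_SERVICES.get(apdu[1], f"0x{apdu[1]:02x}")
        if apdu[1] == 0x00 and apdu[2] == 0xC4:  # I-Am: object identifier, app tag 12, length 4
            (object_id,) = struct.unpack("!I", apdu[3:7])
            info["device_instance"] = object_id & 0x3FFFFF  # readable in the clear
    return info


# Constructed sample datagrams (not captures from any real site).
WHO_IS_GLOBAL = bytes.fromhex("810b000c0120ffff00ff1008")  # broadcast Who-Is to DNET 0xFFFF
I_AM_DEVICE_1 = bytes.fromhex("810a001401001000c4020000012204009100210f")  # I-Am from device 1
REGISTER_FD = bytes.fromhex("81050006003c")  # foreign-device registration to a BBMD, TTL 60 s
```

Run over UDP payloads taken from a monitoring span, the decoder shows where BACnet/IP is present on networks that should be isolated (the network-integrity recommendation above) and how much an observer on the path can read without any key.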

The RC-RemoteAccess BACnet Virtual Private Network (B/VPN) is expressly designed to strengthen the synergy between BACnet and traditional methodologies while providing protection schemes that inherently adhere to the security controls commonly established in the IT domain, using secure WebSocket connections over TLS.

A B/VPN network meets the requirements of modern IP infrastructure and IT security. The use of Transport Layer Security (TLS) enables the secure exchange of NPDUs (network protocol data units) across a wide range of IT environments. The latest TLS technology facilitates secure BACnet communication.

A B/VPN network introduces a new model that eliminates the need for inbound connections through the firewall by facilitating secure outbound connections.

B/VPN networks are based on a logical distribution and link model that provides protocol-level connections between client and server nodes. The connection is always initiated from the client node to the server, or distributor.

Once the B/VPN client/server model is established, communications are bidirectional. Through this model, operators and technicians can access their BACnet facilities remotely, and BACnet networks can be securely combined using an established model analogous to a traditional VPN but designed for BACnet data transmission.

B/VPN networks have modernized and revolutionized the integration of BACnet and IT.

Where is the cybersecurity of building automation systems a concern? Here, wherever "here" happens to be. All building automation systems should be properly secured. All facilities deserve to be protected in a timely manner.

When should we start thinking about the cybersecurity of building automation systems? Now.

The goal of security should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).

For more information about cybersecurity you can visit our website: www.reliablecontrols.com

* Levi Tully, Application Engineering Manager, Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer, Latin America, Reliable Controls Corporation ([email protected]).

References

  • BBC. (2011, November 21). Hackers 'hit' US water treatment systems. Retrieved January 28, 2018, from http://www.bbc.com/news/technology-15817335
  • Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
  • O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from https://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html?utm_term=.e743b8a75b7c
  • Paul. (2016, February 05). IBM Research Calls Out Smart Building Risks. Retrieved January 28, 2018, from https://securityledger.com/2016/02/ibm-research-calls-out-smart-buildingrisks/
  • Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
  • Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from http://www.facilitiesnet.com/buildingautomation/article/Hackers-Pose-Threat-To-Building-Automation-Systems--15557?source=part
  • Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP800
  • Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from https://www.wired.com/2013/05/googles-controlsystem-hacked/
  • Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from https://www.wired.com/2013/02/tridium-niagara-zero-day/