Select your language

Building Automation and Cybersecurity (II)

Second part of this article based on the protection of building automation systems.

by Levi Tully*

In the first part of this article published in issue 22-1 (January /February) we analyze the cybersecurity aspect of automation systems and the importance of protecting these valuable assets against threats and vulnerabilities. Now we will look at some recommendations to apply to these systems.

It is possible to follow very simple recommendations to facilitate this protection:

- Publicidad -

System design and configuration
1. Supplier security recommendations.
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Network integrity.
to. Install on secure networks.
b. Do not open gaps in the firewall with incoming connections.
c. Use non-standard ports.
d. Have a dedicated network for the automation system.
3. Encryption.
to. Data transmission.
b. Storage and transmission of credentials.
c. Install a BACnet virtual private network (VPN).
4. Contingency and recovery plan.
to. System audits.

Authentication
1. Disable public access.
to. Disable or change all default credentials.
2. Assign unique credentials for each user and process.
to. Define user roles and permissions.
b. Set least privileges.
c. Use credential audits to disable unused accounts.
3. Apply password management policies.
to. Use of strong passwords.
b. Regular change of passwords.
c. Consider using passphrases.
4. Enable automatic disconnection due to inactivity.

Server Configuration
1. Supplier security recommendations
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Secure the operating system server.
3. Secure the software server.
4. Maintain the security of the servers.

External influences
1. Implement physical security.
2. Use virtual private networks (VPNs).
3. Train users.

BACnet is the ASHRAE standard for an open building automation protocol. The ANSI/ASHRAE 135-2016 A Data Communication Protocol for Building Automation and Control Networks is designed to standardize communications between building automation devices regardless of their manufacturer, enabling data exchange and interoperation of equipment and systems. This ideal is facilitated by technology that incorporates a few core values including (ASHRAE SSPC 135,2018):

  • Designed for control, operation and monitoring in the building automation domain.
  • Powerful data and service model that reaches semantic definitions.
  • Interoperability between versions and suppliers.
  • Large installed base.
  • Scalability (Including support for low-cost twisted pair networks).
  • Scope of the network security architecture.

Some fundamental components of BACnet communication in Ethernet and IP networks are warning signs for IT professionals and present challenges to protection schemes in compliance and adherence to common security controls already established in the IT domain. The traditional BACnet/IP data link:

1. Transmit data in plain text format, putting the confidentiality and integrity of the data at risk.
2. Communication on IP networks requires static IP addresses for BACnet broadcast management.
3. Requires firewall port entry, penetration, and forwarding rules.
4. It is perceived as an outdated data transport method.
Penetrating a facility's firewalls with standard, open-protocol, and easily accessible requests and responses is a risk to data confidentiality and integrity, however, access from outside a trusted LAN is often crucial to data availability.

- Publicidad -

Following the traditional model of remote connectivity for BACnet/IP and IP networks, firewall entry rules and port forwarding are common.

The RC-RemoteAccess BACnet Virtual Private Network (B/VPN) is expressly designed to strengthen the synergy between BACnet and traditional methodologies while providing protection schemes that are inherently adhered to the security controls commonly established in the IT domain using secure WebSocket connections over TLS.

A B/VPN network meets the requirements of modern IP infrastructure and IT security. The use of Transport Layer Security (TLS) enables the secure exchange of NPDU packets across a wide range of IT environments. The latest in TLS technology facilitates secure BACnet communication.

A B/VPN network introduces a new model that eliminates the need for inbound connections through the firewall by facilitating secure outbound connections.

B/VPN networks are based on a logical distribution and link model that provides protocol-based connections between client and server nodes. The connection is initiated from the client node to the server or distributor.

Once the B/VPN client/server model is established, communications are bidirectional. Through this model, operators and technicians can access their BACnet facilities remotely, and BACnet networks can be securely combined using an established model analogous to a traditional VPN but designed for BACnet data transmission.

- Publicidad -

B/VPN networks have modernized and revolutionized the integration of BACnet and IT.

Where is the cybersecurity of building automation systems a concern? Here... wherever it is here. All building automation systems should be properly secured. All facilities deserve to be protected in a timely manner.

When should we start thinking about the cybersecurity of building automation systems? Now.

The goal of securitization should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).
For more information about cybersecurity you can visit our website: www.reliablecontrols.com

* Levi Tully, Application Engineering Manager, Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer - Latin America of Reliable Controls Corporation ([email protected]).

References

  • BBC. Hackers 'hit' US water treatment systems. (2011, November 21). Retrieved January 28, 201 8, from http://www.bbc.com/news/technology-15817335
  • Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
  • O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from https://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html?utm_term=.e743b8a75b7c
  • Paul. IBM Research Calls Out Smart Building Risks. (2016, February 05). Retrieved January 28, 2018, from https://securityledger.com/2016/02/ibm-research-calls-out-smart-buildingrisks/
  • Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
  • Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from http://www.facilitiesnet.com/buildingautomation/article/Hackers-Pose-Threat-To-Building-Automation-Systems--15557?source=part
  • Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory: Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP800  
  • Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from https://www.wired.com/2013/05/googles-controlsystem-hacked/
  • Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from https://www.wired.com/2013/02/tridium-niagara-zero-day/
Duván Chaverra Agudelo
Duván Chaverra AgudeloEmail: [email protected]
Jefe Editorial en Latin Press, Inc,.
Comunicador Social y Periodista con experiencia de más de 16 años en medios de comunicación. Apasionado por la tecnología y por esta industria.

No comments

• If you're already registered, please log in first. Your email will not be published.

Leave your comment

In reply to Some User
Register for the Building Automation Webinar: Keys to Understanding Modbus and BACnet

Register for the Building Automation Webinar: Keys to Understanding Modbus and BACnet

International.  On March 27, 2025, ACR Latin America will offer a webinar focused on building automation protocols, with an emphasis on understanding Modbus and BACnet.

Scientists develop the first elastocaloric air conditioner on a commercial scale

Scientists develop the first elastocaloric air conditioner on a commercial scale

International. Researchers at the Hong Kong University of Science and Technology (HKUST) have developed the first elastocaloric air conditioning system with cooling capacity on a commercial scale.

Daikin recognized among the

Daikin recognized among the "Clarivate Top 100 Global Innovators 2025"

International. Daikin Industries has been selected as one of the Clarivate Top 100 Global Innovators 2025, a distinction awarded by Clarivate, a global information services company based in London,...

Condensation Control: A Challenge for HVAC System Efficiency

Condensation Control: A Challenge for HVAC System Efficiency

International. Condensation damp represents a major challenge in the air conditioning of buildings, affecting energy efficiency, indoor air quality and occupant comfort.

Honeywell to Convert Its Refrigerant Business to a Standalone Company: Solstice Advanced Materials

Honeywell to Convert Its Refrigerant Business to a Standalone Company: Solstice Advanced Materials

United States. Honeywell announced that its refrigerant business will be renamed Solstice Advanced Materials as part of its plan to become an independent, publicly traded company in the U.S.

SODECA revolutionizes fire safety with a simulation of its pressurization system

SODECA revolutionizes fire safety with a simulation of its pressurization system

International. SODECA's BOXPDS has surprised with an innovative live demonstration of its evacuation route pressurization system. The system creates a barrier against smoke in just three seconds.

Resideo will invest more than 4.9 million dollars in Aguascalientes to install corporate office

Resideo will invest more than 4.9 million dollars in Aguascalientes to install corporate office

Mexico. The U.S. company Resideo announced an investment of more than 4.9 million dollars (99 million Mexican pesos) to establish a corporate office in Aguascalientes, from where it will provide...

Webinar: Building Automation Protocol: Understanding Modbus and BACnet

Webinar: Building Automation Protocol: Understanding Modbus and BACnet

Topic: Building Automation Protocol Overview: Understanding Modbus and BACnet By: Camilo Olvera, Sales Manager for Mexico Armstrong Fluid Technology Alejandro Hernández, Distribution Manager –...

Six Marketing Trends for HVAC Companies in 2025

Six Marketing Trends for HVAC Companies in 2025

The HVAC industry is in a stage of limitless transformation, driven by technology, sustainability and the evolution of the expectations of all consumers. By Andrea Álvarez*

Mabe to invest $668 million in Mexico through 2027, despite tariffs

Mabe to invest $668 million in Mexico through 2027, despite tariffs

Mexico. The multinational Mabe announced an investment of 668 million dollars in Mexico between 2025 and 2027, regardless of the tariffs imposed by the United States.

Free Subscription
Remember Me
SUBSCRIBE TO OUR NEWSLETTER
DO YOU NEED A SERVICE OR PRODUCT QUOTE?
LASTEST INTERVIEWS
SITE SPONSORS










LASTEST NEWSLETTER
Ultimo Info-Boletin