Select your language

Building Automation and Cybersecurity (II)

Second part of this article based on the protection of building automation systems.

by Levi Tully*

In the first part of this article published in issue 22-1 (January /February) we analyze the cybersecurity aspect of automation systems and the importance of protecting these valuable assets against threats and vulnerabilities. Now we will look at some recommendations to apply to these systems.

It is possible to follow very simple recommendations to facilitate this protection:

- Publicidad -

System design and configuration
1. Supplier security recommendations.
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Network integrity.
to. Install on secure networks.
b. Do not open gaps in the firewall with incoming connections.
c. Use non-standard ports.
d. Have a dedicated network for the automation system.
3. Encryption.
to. Data transmission.
b. Storage and transmission of credentials.
c. Install a BACnet virtual private network (VPN).
4. Contingency and recovery plan.
to. System audits.

Authentication
1. Disable public access.
to. Disable or change all default credentials.
2. Assign unique credentials for each user and process.
to. Define user roles and permissions.
b. Set least privileges.
c. Use credential audits to disable unused accounts.
3. Apply password management policies.
to. Use of strong passwords.
b. Regular change of passwords.
c. Consider using passphrases.
4. Enable automatic disconnection due to inactivity.

Server Configuration
1. Supplier security recommendations
to. Request that security recommendations be sent as a qualifying element.
b. Ensure that recommendations are followed.
c. Audit the configuration.
2. Secure the operating system server.
3. Secure the software server.
4. Maintain the security of the servers.

External influences
1. Implement physical security.
2. Use virtual private networks (VPNs).
3. Train users.

BACnet is the ASHRAE standard for an open building automation protocol. The ANSI/ASHRAE 135-2016 A Data Communication Protocol for Building Automation and Control Networks is designed to standardize communications between building automation devices regardless of their manufacturer, enabling data exchange and interoperation of equipment and systems. This ideal is facilitated by technology that incorporates a few core values including (ASHRAE SSPC 135,2018):

  • Designed for control, operation and monitoring in the building automation domain.
  • Powerful data and service model that reaches semantic definitions.
  • Interoperability between versions and suppliers.
  • Large installed base.
  • Scalability (Including support for low-cost twisted pair networks).
  • Scope of the network security architecture.

Some fundamental components of BACnet communication in Ethernet and IP networks are warning signs for IT professionals and present challenges to protection schemes in compliance and adherence to common security controls already established in the IT domain. The traditional BACnet/IP data link:

1. Transmit data in plain text format, putting the confidentiality and integrity of the data at risk.
2. Communication on IP networks requires static IP addresses for BACnet broadcast management.
3. Requires firewall port entry, penetration, and forwarding rules.
4. It is perceived as an outdated data transport method.
Penetrating a facility's firewalls with standard, open-protocol, and easily accessible requests and responses is a risk to data confidentiality and integrity, however, access from outside a trusted LAN is often crucial to data availability.

- Publicidad -

Following the traditional model of remote connectivity for BACnet/IP and IP networks, firewall entry rules and port forwarding are common.

The RC-RemoteAccess BACnet Virtual Private Network (B/VPN) is expressly designed to strengthen the synergy between BACnet and traditional methodologies while providing protection schemes that are inherently adhered to the security controls commonly established in the IT domain using secure WebSocket connections over TLS.

A B/VPN network meets the requirements of modern IP infrastructure and IT security. The use of Transport Layer Security (TLS) enables the secure exchange of NPDU packets across a wide range of IT environments. The latest in TLS technology facilitates secure BACnet communication.

A B/VPN network introduces a new model that eliminates the need for inbound connections through the firewall by facilitating secure outbound connections.

B/VPN networks are based on a logical distribution and link model that provides protocol-based connections between client and server nodes. The connection is initiated from the client node to the server or distributor.

Once the B/VPN client/server model is established, communications are bidirectional. Through this model, operators and technicians can access their BACnet facilities remotely, and BACnet networks can be securely combined using an established model analogous to a traditional VPN but designed for BACnet data transmission.

- Publicidad -

B/VPN networks have modernized and revolutionized the integration of BACnet and IT.

Where is the cybersecurity of building automation systems a concern? Here... wherever it is here. All building automation systems should be properly secured. All facilities deserve to be protected in a timely manner.

When should we start thinking about the cybersecurity of building automation systems? Now.

The goal of securitization should be to "improve business capabilities by mitigating risk to an acceptable level" (Stoneburner, Hayden, & Feringa, 2004).
For more information about cybersecurity you can visit our website: www.reliablecontrols.com

* Levi Tully, Application Engineering Manager, Reliable Controls Corporation.
* Translation and adaptation: Rodolfo Zuñiga, Application Engineer - Latin America of Reliable Controls Corporation ([email protected]).

References

  • BBC. Hackers 'hit' US water treatment systems. (2011, November 21). Retrieved January 28, 201 8, from http://www.bbc.com/news/technology-15817335
  • Granzer, W., Praus, F., & Kastner, W. (2010, November). Security in Building Automation Systems. IEEE Transactions on Industrial Electronics, 57(11), 3622-3630. doi:10.1109/TIE.2009.2036033
  • O'Harrow Jr., R. (2012, July 11). Tridium's Niagara Framework: Marvel of connectivity illustrates new cyber risks. Retrieved January 28, 2018, from https://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html?utm_term=.e743b8a75b7c
  • Paul. IBM Research Calls Out Smart Building Risks. (2016, February 05). Retrieved January 28, 2018, from https://securityledger.com/2016/02/ibm-research-calls-out-smart-buildingrisks/
  • Paul. (2016, November 08). Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland. Retrieved January 28, 2018, from https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
  • Snyder, L. (2014, December 17). Hackers Pose Threat To Building Automation Systems - Facilities Management Building Automation Feature. Retrieved January 28, 2018, from http://www.facilitiesnet.com/buildingautomation/article/Hackers-Pose-Threat-To-Building-Automation-Systems--15557?source=part
  • Stoneburner, G., Hayden, C., & Feringa, A. (2004). SP 800-27 Rev A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. National Institute of Standards and Technology, Information Technology Laboratory: Computer Security Division. Gaithersburg: NIST. Retrieved November 17, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP800  
  • Zetter, K. (2013, June 03). Researchers Hack Building Control System at Google Australia Office. Retrieved January 27, 2018, from https://www.wired.com/2013/05/googles-controlsystem-hacked/
  • Zetter, K. (2013, June 03). Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More. Retrieved January 28, 2018, from https://www.wired.com/2013/02/tridium-niagara-zero-day/
Duván Chaverra Agudelo
Duván Chaverra AgudeloEmail: [email protected]
Jefe Editorial de las revistas AVI Latinoamérica, ACR Latinoamérica, Ventas de Seguridad, Zona de Pinturas, Aftermarket Internation, Gerencia de Edificios, TV y Video, y Director Académico en Latin Press, Inc,.
Comunicador Social y Periodista con experiencia de más de 18 años en medios de comunicación. Apasionado por la tecnología y por esta industria.

No comments

• If you're already registered, please log in first. Your email will not be published.

Leave your comment

In reply to Some User
Mirage and Conalep Navojoa promote the training of refrigeration and air conditioning technicians

Mirage and Conalep Navojoa promote the training of refrigeration and air conditioning technicians

Mexico. Mirage announced a strategic alliance with the Plantel Conalep Sonora Navojoa to strengthen the training of new technicians in the sector.

New commitment to thermoacoustics for more efficient heat pumps

New commitment to thermoacoustics for more efficient heat pumps

United States. Copeland has invested in BlueHeart Energy, a Dutch startup developing thermoacoustic technology for more efficient and sustainable heat pumps.

Reliable Controls Appoints Sean Roukey as Business Development Executive

Reliable Controls Appoints Sean Roukey as Business Development Executive

International. Reliable Controls has appointed Sean Roukey as its new Business Development Executive for the Northeast United States.

KNX LATAM revolutionizes automation in Latin America with the Virtual Building Automation Days

KNX LATAM revolutionizes automation in Latin America with the Virtual Building Automation Days

Chile. Next Thursday, April 10th, KNX Latin America will hold the Virtual Building Automation Days, registration is free of charge.

GreenYellow and La Fazenda inaugurate a sustainable refrigeration system

GreenYellow and La Fazenda inaugurate a sustainable refrigeration system

Colombia. A new energy-efficient refrigeration system was installed at the La Fazenda refrigeration plant in Puerto Gaitán, Meta.

Officine Mario Dorin announces ambitious expansion plan at its Florence headquarters

Officine Mario Dorin announces ambitious expansion plan at its Florence headquarters

International. Officine Mario Dorin, a refrigeration company, has announced a major expansion plan at its headquarters in Florence, Italy.

Copeland expands its presence in Latin America with a new office in Chile

Copeland expands its presence in Latin America with a new office in Chile

Chile. As part of its regional growth strategy, Copeland has opened a new office in Santiago, Chile, strengthening its presence in the HVACR market.

Environment and UNDP recognize ten women for their contribution to the protection of the ozone layer

Environment and UNDP recognize ten women for their contribution to the protection of the ozone layer

Dominican Republic. Within the framework of International Women's Day, the Ministry of Environment and Natural Resources and the United Nations Development Program (UNDP) highlighted the work of ten...

Register for the Building Automation Webinar: Keys to Understanding Modbus and BACnet

Register for the Building Automation Webinar: Keys to Understanding Modbus and BACnet

International.  On March 27, 2025, ACR Latin America will offer a webinar focused on building automation protocols, with an emphasis on understanding Modbus and BACnet.

Scientists develop the first elastocaloric air conditioner on a commercial scale

Scientists develop the first elastocaloric air conditioner on a commercial scale

International. Researchers at the Hong Kong University of Science and Technology (HKUST) have developed the first elastocaloric air conditioning system with cooling capacity on a commercial scale.

Free Subscription
Remember Me
SUBSCRIBE TO OUR NEWSLETTER
DO YOU NEED A SERVICE OR PRODUCT QUOTE?
LASTEST INTERVIEWS
SITE SPONSORS










LASTEST NEWSLETTER
Ultimo Info-Boletin