Select your language

Cybersecurity in operational technology in automation

automatización

Building automation systems require important protection measures against latent security risks and unauthorized access.

By Levi M. Tully*

People and property are paramount to the mission of most organizations. To reduce risk, organizations close doors to properly secure facilities, pay significant attention to the security of information technology (IT) networks and infrastructures. However, unless they take specific steps to secure their operational technology (OT) systems, their personnel and property, along with their operational readiness, are very likely to be exposed to significant risk.

Hidden in the engine rooms and ceilings of modern buildings are complex electrical and mechanical systems that protect the health and well-being of people and the facilities they serve. A building automation system uses networks of microprocessors and sensors to automatically monitor the built environment and manipulate its equipment to delicately balance a healthy indoor environment with efficient use of resources.

- Publicidad -

Like IT systems, building automation systems create, process and store electronic data. When a building automation system integrates with IT systems and infrastructure to monitor and manipulate physical processes, it becomes an OT system.

Although similar, OT systems differ significantly from IT systems. The logic that runs in an OT has a direct and immediate effect on the physical world. This influence can present a significant risk to health and safety of human lives, serious damage to the environment, financial impact, and a negative influence on an organization's ability to execute its mission (Stouffer et al., 2015).

Unauthorized access to OT systems and data is increasingly exploited to cause inconvenience to tenants, disrupt facility operations, and damage equipment or facilities (ASHRAE SSPC 135, 2020). It can pose a significant risk to an organization's reputation. Just as we protect IT assets from unauthorized access through cybersecurity, OT systems must provide protection commensurate with the security controls already in place in the IT domain. These controls must be commensurate but appropriate to the different needs of OT, which requires protections that are not common in the IT field (Granzer et al., 2010; Boeckl et al., 2019).

The underlying principle is known as hardening, or the process of improving the security of an information system by reducing vulnerability exposure. Risk cannot be completely mitigated; the goal of hardening is to enhance business mission or capabilities by mitigating risk to an acceptable level (Stoneburner et al., 2004). For OT systems, this means preserving data integrity and availability.

Each organization must conduct an objective assessment of the potential impact on normal business operations in the event of an OT incident and must balance security controls with performance requirements. There are many public and private resources and standards for comprehensive OT cybersecurity. Fortunately, common sense and a few simple steps can drastically improve the protective posture of any OT system.

Before you start
A qualified vendor backed by the system manufacturer is ideally positioned to provide secure design recommendations that reduce vulnerabilities in your hardware and software. Request OT strengthening expertise as a vendor qualification and work closely with a qualified vendor to establish strengthening guidelines appropriate to your organization's needs.

- Publicidad -

Insurance by design
Articulate appropriate cybersecurity protection measures and acceptance criteria during the design phase rather than during execution or commissioning. IT and OT networks are different, with different requirements for access, security, and performance. Their vulnerabilities expose installation and operational readiness to separate risks.

Consider segregating these disparate systems into dedicated network zones with a single access point and common security requirements (ISA/IEC 62443, 2019). This improves the security and resilience of IT and OT networks while minimizing interaction and interdependencies. Physical separation is ideal but not strictly necessary.

During the design phase, develop a continuity and recovery plan appropriate to your organization's needs and resources for a security or network incident. Designate an entity that is responsible for OT's cybersecurity plans, execution, and response. If this is not the entity responsible for IT security, the two should coordinate closely (Stouffer & Pillitteri, 2021). At a minimum, a continuity plan should consider the following:

* What is the process for keeping assets patched and updated?
* What is the response to a network incident or outage? How can the OT be separated from the network and operated in isolation?
* What is the process for system backup? Frequent backup and secure storage of OT databases, operational logic, and configuration minimize recovery and downtime.

Secure deployment
Work closely with your provider to ensure reinforcement guidelines are followed during implementation. Until properly protected, isolate embedded devices, physical and virtual workstations, and servers from production networks and the Internet.

Patch and update operating systems and applications using the resources of the manufacturer or a trusted source. Audit configuration with the vendor at delivery time and prior to deployment.

- Publicidad -

Direct access to the network or the Internet through OT devices often presents a significant security vulnerability and circumvents authentication and protection measures. Carefully disable or authenticate and monitor technologies such as cloud-based services, mobile broadband, Wi-Fi, LoRaWAN, Bluetooth, and Near Field Communication (NFC) that can provide unmanaged or unattended access to the local network zone or the Internet.

Open protocol OT systems transmit data in plain text using publicly defined standard processes. This is crucial for interoperability between components, but poses a significant security vulnerability as it exposes data to manipulation. User credentials must always be encrypted in transmission and storage. Local transmission of interoperable data is acceptable for most applications. However, when you cross network boundaries, the data must be encrypted and a mechanism must be implemented to authenticate the source and destination.

The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) standard for OT interoperability, BACnet, has evolved to deliver robust information security for data exchange across a wide range of IT environments (ASHRAE SSPC 135, 2020). Encryption of BACnet data over BACnet virtual private networks and secure connection networks is widely available.

User account management simultaneously represents one of the most effective access control mechanisms and the most dangerous vulnerabilities for effective network security. To ensure accountability, each user should be assigned unique credentials and permissions appropriate to the intended level of system access and interaction.

This means carefully controlling who can access the system, what they can see, and what they can modify. Proper user account management is fairly simple, but often ignored or taken for granted, and should include the following steps:

* Disable public and default user accounts.
* Enable automatic closure of inactive user accounts.
* Minimize superuser administrators. Consider dual authorization so that no individual user can change security controls or credentials.
* Consider a role-based access system that ranks users by the specific permissions required to perform daily tasks rather than the people performing the tasks (Reliable Controls, 2019).
* Implement the least privilege. Start with zero confidence for every role. Add access and permissions only when proven necessary for operational efficiency (Stouffer & Pillitteri, 2021).
* Enforce a reasonable password management policy with appropriate strength. Consider passwords that are hard to guess but easy to remember. Unnecessarily complex password requirements often result in poor personal security hygiene and vulnerable passwords (e.g. recorded in Post-it notes).

Safe operation
As the system goes live it is important to take inventory of OT assets. Document the devices that make up the system and how each asset is used. Identify the most critical assets. Check and delete all unauthorized assets. It is essential to maintain good safety hygiene. Keep assets up-to-date and fully patched.

Train users on why cybersecurity is an organizational priority, on their responsibilities, and on how to look for things out of the ordinary that may be evidence of a cybersecurity incident. Regularly audit trader activity and disable unused accounts. Revoke access that is not strictly necessary. Disable accounts immediately when someone leaves the organization (Stouffer & Pillitteri, 2021).

The health and well-being of people and property in the built environment depends on complex mechanical and electrical systems that are critical to operational readiness and consume significant resources. OT's poor cybersecurity is a clear and present threat to our people and our property. A thoughtful approach to OT system security doesn't have to be onerous or complex.

Even a simple strategy enhances mission capabilities by mitigating risk to an acceptable level. Properly operated and secured, these systems ensure the comfort and well-being of the facilities and their occupants.

* Levi M. Tully is executive vice president of sales for Reliable Controls Corporation in Victoria, British Columbia, Canada. You can reach him on [email protected].

Duván Chaverra Agudelo
Duván Chaverra AgudeloEmail: [email protected]
Jefe Editorial en Latin Press, Inc,.
Comunicador Social y Periodista con experiencia de más de 16 años en medios de comunicación. Apasionado por la tecnología y por esta industria.

No comments

• If you're already registered, please log in first. Your email will not be published.

Leave your comment

In reply to Some User
Climate comfort meets efficiency and environmental sustainability in a Caribbean mall

Climate comfort meets efficiency and environmental sustainability in a Caribbean mall

Colombia. It recently began the installation of a modern air conditioning system, parking lot ventilation and solar energy in the Buenavista Shopping Center, in the city of Barranquilla.

AHRI Latam announces LBNL call for Mexican HVAC manufacturers

AHRI Latam announces LBNL call for Mexican HVAC manufacturers

Mexico. Lawrence Berkeley National Laboratory (LBNL) is leading an initiative to evaluate opportunities for the advancement of energy-efficient cooling technologies in the country.

Mitsubishi Electric and AWS sign memorandum of understanding

Mitsubishi Electric and AWS sign memorandum of understanding

International. In this way, Mitsubishi Electric Corporation and Amazon Web Services (AWS) will work together in cloud services and data centers.

Advansor to launch a plug-and-play reversible CO2 heat pump

Advansor to launch a plug-and-play reversible CO2 heat pump

International. Advansor's new solution seeks to position itself as a sustainable alternative to heating systems based on fossil fuels.

Emergent Cold LatAm obtains sustainable certification in Central America

Emergent Cold LatAm obtains sustainable certification in Central America

Guatemala. Emergent Cold Latin America has obtained a new EDGE Advanced certification for sustainable construction, this time for its unit in the Guatemalan town of Palín.

Reliable Controls launches new controller for automation systems

Reliable Controls launches new controller for automation systems

International. The company Reliable Controls has specified that it is the MS/TP model corresponding to its RC-FLEXone BACnet building controller.

Air conditioning for cancer patients: a success story

Air conditioning for cancer patients: a success story

Mexico. The optimization of air conditioning systems in a hospital has become a crucial factor for the well-being of patients and medical staff.

Vertiv and Compass Datacenter develop combined air and liquid cooling system

Vertiv and Compass Datacenter develop combined air and liquid cooling system

International. Vertiv and Compass Datacenters announced a collaboration to develop the first-of-its-kind solution that will facilitate future AI deployments.

Thermostats for BACnet networks

Thermostats for BACnet networks

Contemporary ControlsThe BASstat series of communicating thermostats produced by Contemporary Controls provides seamless integration into BACnet/IP (Wi-Fi) or BACnet MS/TP (EIA-485) networks.

Condensate pumps

Condensate pumps

HartellPlenum-rated condensate pumps are a Hartell solution for ventilation areas and air distribution chambers, backed by decades of proven performance. In addition, these pumps improve the safety...

Free Subscription
SUBSCRIBE TO OUR NEWSLETTER
DO YOU NEED A SERVICE OR PRODUCT QUOTE?
LASTEST INTERVIEWS
SITE SPONSORS










LASTEST NEWSLETTER
Ultimo Info-Boletin