During the President’s recent State of the Union address, one of the key initiatives identified dealt with the issue of cybersecurity. This was supported by a new White House initiative focused on protecting critical infrastructure from attacks. What is interesting about this initiative is that it is much broader than just computer networks and IT systems, expanding its scope to industrial systems, including those used to control the power grid and critical infrastructure. This, and other recent industry efforts, have raised questions about security and the level of protection against potential attacks for BAS.



Traditionally, building systems (including BAS) have been protected partially through obscurity, and largely through physical protection. Gaining access to a building’s control system and enabling or disabling systems, or even changing setpoints, required accessing the building and entering mechanical and electrical rooms, which are typically secured. However, as we have moved toward control systems that are network (or Internet) enabled, it is now possible to access these systems through the building network or even remotely through the Internet.

At the same time, the systems have become increasingly less obscure. Older, proprietary BAS could only be accessed through a desktop computer application. This was typically located in a secured area and was protected by user name and password. As we have moved to open systems including those that utilize BACnet, LonTalk, and Tridium Niagara, it becomes possible to access the systems using tools other than a workstation, leading to more paths for potential breaches. In fact, one of the goals of an open protocol control system is to make communications easy, which in turn can make these systems potential targets for attacks. Many within the industry have long been aware of this potential vulnerability, but recent events have led to a broader awareness of this issue.



There is work going on within the industry to better protect systems, including changes to the open protocol standards as well as software patches and improvements from suppliers, along with new products coming on the market intended to provide added protection. In the meantime, however, there are several recommended approaches that should be used to provide security protection for any BAS. These include:

  • Physical security. Protecting access to communication links, networks, and workstations within the building remains critical. This includes placing controllers, network routers, and locked cabinets within a secured room. It also means common-sense measures such as not using default passwords or writing the password on a Post-it note attached to the workstation.
  • Network security. The best option today to protect systems that are on shared networks is the use of a Virtual Local Area Network (VLAN). A VLAN uses software within the network to limit communications to only those nodes that are authorized. A well-configured VLAN will only allow for dedicated ports to talk to each other and will typically lock this to a set of specific addresses. Set up and maintained properly, a VLAN is the best tool available for protecting BAS information. Beyond the VLAN, the use of an Internet firewall, which limits communication between the building network and the public Internet, is also required.
  • Regular software updates. Just like you need to keep the software on your PC up to date, regular updates of BAS devices are also required. Working with your controls contractor or systems integrator is recommended.
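
The network security item above describes a policy of dedicated ports, specific addresses, and a firewall at the Internet boundary. The following is an added example, not code from the article or from any vendor, that audits flow records against such a policy. The subnets, node addresses, and flow records are constructed assumptions; 47808 and 4911 are the commonly used default ports for BACnet/IP and Niagara Fox over TLS.

```python
import ipaddress

# Assumed addressing plan (hypothetical): BAS devices sit on their own VLAN
# subnet inside a larger private building network.
BUILDING_NET = ipaddress.ip_network("10.0.0.0/8")
BAS_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Authorized conversations: (source, destination, destination port).
# 47808 is the usual BACnet/IP port; 4911 is the usual Niagara Fox-over-TLS port.
ALLOWED = {
    ("10.20.30.10", "10.20.30.21", 47808),  # workstation -> air handler controller
    ("10.20.30.10", "10.20.30.22", 47808),  # workstation -> chiller controller
    ("10.20.30.10", "10.20.30.5", 4911),    # workstation -> supervisor
}

def classify(src, dst, dport):
    """Return None when a flow is in policy or out of scope, else a reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in BAS_VLAN and d not in BAS_VLAN:
        return None  # neither end is a BAS node: not this audit's concern
    if s not in BUILDING_NET or d not in BUILDING_NET:
        return "internet"  # firewall let BAS traffic cross the public boundary
    if s not in BAS_VLAN or d not in BAS_VLAN:
        return "cross-vlan"  # a non-BAS building host is talking to a BAS node
    if (src, dst, dport) not in ALLOWED:
        return "not-allowlisted"  # inside the VLAN, but not an authorized pair/port
    return None

def audit(flows):
    """Return (flow, reason) for every flow record that violates the policy."""
    findings = []
    for flow in flows:
        reason = classify(*flow)
        if reason:
            findings.append((flow, reason))
    return findings

# Constructed flow records (src, dst, dst_port), e.g. exported from a switch or firewall.
SAMPLE_FLOWS = [
    ("10.20.30.10", "10.20.30.21", 47808),  # authorized
    ("10.20.30.21", "10.20.30.22", 47808),  # controller-to-controller, not listed
    ("10.20.30.10", "10.20.30.21", 23),     # right pair, wrong port
    ("10.40.1.15", "10.20.30.21", 47808),   # office PC reaching into the BAS VLAN
    ("203.0.113.7", "10.20.30.5", 4911),    # documentation-range "Internet" address
    ("10.40.1.15", "10.40.1.20", 445),      # unrelated office traffic
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(reason, flow)
```

Run periodically against real flow exports, any "internet" or "cross-vlan" finding indicates that the firewall or VLAN configuration no longer matches the intended design.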


While arguably the risk of an attack on a BAS is less serious than that of a power plant, it is still a risk and one that we cannot afford to allow to become reality. Follow this issue, and utilize designs to protect systems accordingly.