Making BAS Accessible — But Protected From Cyberattack
The Target hacking debacle is still under investigation, but there are lessons to be learned on protecting personal information.
Chances are you have heard about the data breach at Target that occurred late last year, in which customers’ information, including credit card numbers, was obtained through a cyberattack.
The details are still under investigation, and the results of what is found could have a major impact on both network and credit card security. During this ongoing investigation, information about the attack has been appearing online and in the media. Some of this information has been fairly accurate, while other parts have been speculation. For example, the website www.KrebsOnSecurity.com revealed that the credentials to access the Target network were stolen from an HVAC and refrigeration contractor. This information appears to be accurate, but the site then went on to speculate that the contractor may have had access to the Target network in order to monitor the control systems for HVACR and refrigeration. That turned out to be false; the contractor had access to get work orders and to submit invoices. But even having this issue raised has caused concern for many owners about control systems being a potential security weakness.
While this may not have been the case with the Target attack, there are several security concerns, including protecting against attacks that originate both inside and outside the network. Internal protection is best handled by placing the controls on a VLAN within the enterprise network or on a protected, dedicated controls network. Remote access, however, is more complicated.
One of the benefits of today’s BAS solutions is that they can be readily accessed both on site and remotely. Most systems are web-based, so there isn’t even any software required. Remote access provides many benefits, including the ability for the building operator to see systems from anywhere, and to get support from contractors and the design team without having them on-site. The challenge is to provide remote access for those who are authorized but not to allow remote access to be an entry point for a hacker who may attempt unauthorized access to the control system or other network assets. Here are some solutions to consider.
When the control system is on the owner’s enterprise network, remote access is generally controlled by IT. The owner’s IT group is generally able to provide remote access using standard tools. For example, a contractor may need to have network VPN access that may require special tokens, passwords, or in some cases, a dedicated laptop. This approach generally provides a good level of security but can take time to set up, and management can be a challenge.
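The VLAN and VPN approaches above only hold up if someone checks that traffic actually follows them. The script below is an added example, not code from the article or from any vendor it names: it reviews iptables-style firewall log lines and flags any connection that reaches the controls VLAN other than from the VPN address pool on the ports the BAS is expected to use. The subnets, port list and log lines are constructed assumptions for the example; substitute your own VLAN, VPN pool and BAS ports.

```python
"""Flag firewall log records that reach the BAS VLAN outside the approved
remote-access path. Added example with constructed policy values."""
import ipaddress
import re
from collections import Counter

# Assumed network layout (constructed for this example):
BAS_VLAN = ipaddress.ip_network("10.50.0.0/24")    # dedicated controls VLAN
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to VPN clients
BAS_PORTS = {47808, 443}                           # BACnet/IP (UDP) and the BAS web UI (TCP)

# Pulls SRC/DST/PROTO/DPT out of a netfilter-style log line; other fields may sit between them.
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9.]+)\s+DST=(?P<dst>[0-9.]+)\s+.*?PROTO=(?P<proto>\w+)\s+.*?DPT=(?P<dport>\d+)"
)


def classify(line):
    """Return (verdict, src, dst, dport), or None if the line is not a firewall record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst not in BAS_VLAN:
        return ("not-bas", src, dst, dport)       # traffic to something other than the controls
    if src in BAS_VLAN:
        return ("local", src, dst, dport)         # controllers talking among themselves
    if src in VPN_POOL and dport in BAS_PORTS:
        return ("vpn-allowed", src, dst, dport)   # the intended remote-access path
    if src in VPN_POOL:
        return ("vpn-unexpected-port", src, dst, dport)  # VPN user probing a port the BAS should not serve
    return ("external", src, dst, dport)          # reached the BAS VLAN without going through the VPN


def review(lines):
    """Return the records needing attention and a per-source count of them."""
    findings = []
    offenders = Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        verdict, src, dst, dport = result
        if verdict in ("external", "vpn-unexpected-port"):
            findings.append((verdict, str(src), str(dst), dport))
            offenders[str(src)] += 1
    return findings, offenders


# Constructed sample log lines (198.51.100.77 is a documentation-range address, not a real host).
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT=eth1 SRC=10.200.0.14 DST=10.50.0.21 LEN=60 PROTO=UDP SPT=47808 DPT=47808",
    "kernel: IN=eth1 OUT=eth1 SRC=10.50.0.22 DST=10.50.0.21 LEN=60 PROTO=UDP SPT=47808 DPT=47808",
    "kernel: IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.50.0.21 LEN=60 PROTO=UDP SPT=54321 DPT=47808",
    "kernel: IN=eth0 OUT=eth1 SRC=10.200.0.14 DST=10.50.0.21 LEN=60 PROTO=TCP SPT=50000 DPT=3389",
    "kernel: IN=eth0 OUT=eth2 SRC=198.51.100.77 DST=10.10.0.5 LEN=60 PROTO=TCP SPT=40000 DPT=443",
    "sshd[1234]: Accepted publickey for ops from 10.200.0.14 port 51022",
]

if __name__ == "__main__":
    found, sources = review(SAMPLE_LOG)
    for verdict, src, dst, dport in found:
        print(f"{verdict:22s} {src} -> {dst}:{dport}")
    print("sources to follow up:", dict(sources))
```

Run against a day of exported firewall logs, anything classed as `external` means the BAS VLAN is reachable by a path that bypasses the VPN and the segmentation should be checked; `vpn-unexpected-port` usually means an authorized remote user (or a compromised VPN credential) is touching ports the BAS was never meant to expose.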
BAS on the Internet
To simplify remote access, systems can be installed with a BAS router directly connected to the internet through a DSL, wireless, or cable modem. This approach makes access easy, but it can expose both the BAS and potentially other devices on the network to an attack. In the past, we have counted on this being “security through obscurity,” but as cyberattacks become more sophisticated, this is becoming a risky approach.
Vendors are starting to offer specialized firewalls intended to provide limited network access to a BAS. These firewalls are generally a combination of hardware and software that provides authentication and access control. One product to evaluate is the Lynx Spring Cyber Pro (http://lynxcyberpro.com), which can be used either on an enterprise network or on a dedicated facilities network. The use of a specialized network security device may provide the best of both worlds — providing the security benefits of a VPN with the simplicity and flexibility of having the system directly on the netw