Defending against cyber threats to building management systems
Daniel Paillet from Schneider Electric explains why security for building management systems (BMSs) should now be a priority for FM providers.
Until recently, monitoring of building management systems (BMSs) security has never been an issue. The threat of cyber attacks now looms large, however, meaning more attention must be paid to the integrity of a BMS.
While well-understood protocols exist for monitoring and protecting computers and data centres, BMSs are often ignored, despite being a growing concern inside and outside of the buildings industry.
Building and access control systems are computers that monitor and control building operations, such as air-conditioning, electrical power, electronic card reading, elevators, fire alarms and fire suppression, heating, lighting, ventilation and video surveillance. These systems are increasingly connected to other information systems and the internet.
While this advancement in technology improves automation and enables remote operations, it also exposes these systems to possible cyber attacks.
Until recently, no one was addressing the potential cyber risks to these types of systems. They were still considered ‘an emerging issue’ – until experts began to alert government agencies that such systems were not designed with cyber security in mind.
According to defence force intelligence unit, the Australian Signals Directorate, cyber attacks on Australian businesses and government increased by 20 percent in 2014, with banking and finance, resources and energy, defence capability and telecommunications the most commonly targeted sectors.
In the US, these threats continue to attract the attention of the country’s Department of Homeland Security (DHS). From 2011 to 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose by 74 percent, according to the DHS.
The financial costs of these types of incursions run into the hundreds of billions of dollars annually. One international law enforcement agency estimates that victims lose about US$400 billion each year worldwide – making it a bigger criminal enterprise than the global trade in marijuana, cocaine and heroin combined.
The financial impact on companies varies from country to country and among sectors, but the one common feature is that cyber attacks are costing companies more money every year.
Defence in Depth applied to operations
Defence in Depth is an information security strategy that integrates people, technology and operations in order to establish penetration barriers across multiple protection layers in support of the critical missions of an organisation.
Though normally associated with information technology (IT) security, Defence in Depth should also be applied to operations technology (OT) systems such as BMS. There is a difference in how this approach is applied to OT versus IT. IT systems are focused on the core security triad of confidentiality, integrity and availability of information (in that order of priority).
In the case of a BMS, however, the security triad consists of availability of operational assets as the first priority, integrity/reliability of the operational process as second priority and confidentiality of operational information as a third priority.
The deployment of such a multidisciplinary defence approach across system levels requires a cost-benefit balanced focus on the three primary levels of people, technology and operations.
The sources of threats are not only invisible hackers that are patrolling the internet in search of soft targets. The category of people threats can include both internal employees and outsiders. Techniques that people use to threaten systems include:
- Phishing – in this case, the act of defrauding an online account of financial information is executed by the scammer appearing to be a legitimate company or website.
- Spear phishing – this is an email that appears to be from a legitimate business or person. The email is in fact from some criminal enterprise that wants to retrieve a credit card number, password or financial information from your personal computer.
- Advanced persistent threats (APT) – these are network attacks where an unauthorised person gains access to a targeted network and stays on the network undetected for a long period of time. APT attacks are intended to steal information from organisations.
More technologically oriented threats include: malware, key loggers, USB key drops, Pwn Plug and Pineapple (a battery powered wireless hacking device).
Defence in Breadth
Defence in Breadth, which is a supplement to Defence in Depth, is defined as: a planned, systematic set of multidisciplinary activities that seek to identify, manage and reduce risk of exploitable vulnerabilities at every stage of the system, network or sub-component life cycle (system, network or product design and development, manufacturing, packaging, assembly, system integration, distribution, operations, maintenance and retirement).
In short, Defence in Breadth uses multiple types of security devices within each security layer.
In order to understand the differences between Defence in Breadth and Defence in Depth, consider the following antivirus example: Defence in Depth uses anti-malware as one type of defence. Defence in Breadth may employ multiple anti-malware applications. It is prudent to deploy both approaches because one antivirus software package may detect a virus that another will miss.
Use of one vendor’s antivirus software on an email server and use of a different vendor’s software on PCs, workstations and servers potentially casts a broader net of protection (in this case against viruses).
In the realm of BMS, Defence in Depth/Breadth includes security of gateways, meters and controllers. Construction of such defence architecture begins when the manufacturers of these components pursue a Secure Development Life Cycle at the manufacturing level for BMS-related devices and software.
This process allows for the development of hardened devices and software that can be resilient against attacks.
Within the realm of a BMS, cyber security needs to address more than the commonly recognised deliberate attacks from disgruntled employees, industrial espionage and/or terrorists.
In some cases, user error, equipment failure or natural disasters can make the system vulnerable. These can create weaknesses in the system defence perimeter that can allow an attacker to penetrate the network, gain access to control software and alter load conditions to destabilise the system in unpredictable ways.
For maximum protection, conventional IT security solutions should be incorporated into the BMS networks, in terms of access controls, network hardening, and authentication and authorisation. Enhancing availability and reliability of the network helps to build customer confidence in the cyber security characteristics of the BMS.
The weakest links in any IT or BMS are the people who administer and use the systems. Their actions, either intentional or unintentional, can increase the security risk to systems.
Unintentional actions include unsecured laptops, workstations and work areas, and not following proper processes and procedures (like password management, including not revoking credentials and access when an employee leaves the company). Intentional actions include insider threats such as sabotage, fraud, theft or leaking of intellectual property or classified/confidential information.
The threat of social engineering
Social engineering in the context of cyber security refers to one person who influences another individual who is in possession of a computer (and who has internal access to particular networks and/or databases) to follow their instructions under false pretences.
For example, a caller could pose as someone from IT support asking for his or her credentials or other sensitive information. There are literally thousands of variations to social engineering attacks. The criminal’s imagination is the only limit to the number of ways he or she can socially engineer affected users.
In general, any act that influences a person to take an action that may or may not be in his or her own best interest is considered as social engineering.
Social engineering is the easiest path from which to gain unauthorised access into a BMS. To defend against such attacks, companies must train their organisations, contractors and business partners, in order to resist the threats. This can include awareness training as part of the on-boarding process when new people or outside firms are brought into the organisation.
Some organisations deploy threat modelling in order to anticipate the various series of events that could lead to a security breach. In the case of BMS, threat modelling would include identification of accessible entry points, and a clear definition of contractor and user access rights. Policies, processes and training then need to be developed surrounding the outputs of that threat model.
Senior management support
Creating a security policy and network infrastructure for BMS will require the support of senior management. The work involved in maintaining robust defence in depth and breadth is ongoing. As attacks become more common and sophisticated, processes and procedures need to be developed that secure BMS networks. Training of people who manage BMS networks is a critical success factor.
Vigilance and due diligence should include a disciplined maintenance of the BMS systems with the latest updates, and evolving the strategies that account for Defence in Depth/Breadth security architectures. Training of end users/employees should occur on a regular basis in order to guard against social engineering malfeasance.
Such investments will benefit the organisation by reducing incidences that result in loss of revenue, and by safeguarding the organisation’s reputation with customers and partners.
The author, Daniel Paillet, is currently cyber security lead architect for Schneider Electric, US. His background includes working in the US Department of Defense on various security projects, and he has over 15 years of security experience in information technology, operational technology, retail, banking and point-of-sale. This article appeared in the February/March edition of Facility Management.