Effective ways to protect building management systems from cyber attacks
How to effectively monitor building management systems (BMSs) continues to emerge as an issue in FM with the threat of cyber attacks looming large on organisations.
Building and access control systems are computers that monitor and control building operations, such as air-conditioning, electrical power, electronic card reading, elevators, fire alarms and fire suppression, heating, lighting, ventilation and video surveillance. These systems are increasingly connected to other information systems and the internet.
While this advancement in technology improves automation and enables remote operations, it also exposes these systems to possible cyber attacks.
Until recently, no one was addressing the potential cyber risks to these types of systems. They were still considered ‘an emerging issue’ – then experts started to alert government agencies that such systems were not designed with cyber security in mind.
Now, there are a number of techniques and methods organisations can explore to help defend against cyber threats to BMSs.
Defence in Depth is an information security strategy that integrates people, technology and operations in order to establish penetration barriers across multiple protection layers in support of the critical missions of an organisation.
Though normally associated with information technology (IT) security, Defence in Depth should also be applied to operations technology (OT) systems such as BMS. There is a difference in how this approach is applied to OT versus IT. IT systems are focused on the core security triad of confidentiality, integrity and availability of information (in that order of priority).
Defence in Breadth, which is a supplement to Defence in Depth, is defined as: a planned, systematic set of multidisciplinary activities that seek to identify, manage and reduce risk of exploitable vulnerabilities at every stage of the system, network or sub-component life cycle. In short, Defence in Breadth uses multiple types of security devices within each security layer.
Within the realm of a BMS, cyber security needs to address more than the commonly recognised deliberate attacks from disgruntled employees, industrial espionage and/or terrorists.
For maximum protection, conventional IT security solutions should be incorporated into the BMS networks, in terms of access controls, network hardening, and authentication and authorisation. Enhancing availability and reliability of the network helps to build customer confidence in the cyber security characteristics of the BMS.
The weakest links in any IT or BMS are the people who administer and use the systems. Their actions, either intentional or unintentional, can increase the security risk to systems.
Social engineering, in the context of cyber security, refers to one person who influences another individual who is in possession of a computer (and who has internal access to particular networks and/or databases) to follow their instructions under false pretences.
Social engineering is the easiest path from which to gain unauthorised access into a BMS. To defend against such attacks, companies must train their organisations, contractors and business partners, in order to resist the threats. This can include awareness training as part of the on-boarding process when new people or outside firms are brought into the organisation.
Creating a security policy and network infrastructure for BMS will require the support of senior management. The work involved in maintaining robust Defence in Depth and Defence in Breadth is ongoing. As attacks become more common and sophisticated, processes and procedures need to be developed that secure BMS networks. Training of people who manage BMS networks is a critical success factor.
Such investments will benefit the organisation by reducing incidences that result in loss of revenue, and by safeguarding the organisation’s reputation with customers and partners.
This article is an abridged version of the Schneider Electric white paper, titled: Defending Against Cyber Threats to Building Management Systems.