Cybersecurity of building automation systems

(This article was originally published on AutomatedBuldings.com.)

On August 31, 2016, Optigo Networks hosted an online round table to provide for a peer exchange on trends in cybersecurity of Building Automation Systems (BAS). Participants included building operations security officials from a major North American government agency, bank, university, and municipality, as well as two volunteers with BACnet International.

“Cybersecurity is a hot topic in the building automation systems industry right now,” said Optigo Networks CEO Pook-Ping Yao, who moderated the forum. “Our round table discussion was very informative and provided some interesting insights that we’d like to share with the larger BAS security community. While respecting the privacy of the participants who wish to remain anonymous, we believe the entire sector can benefit from our exchange and we are pleased to provide the following highlights.”

Changes to the BACnet Protocol

BACnet recently released additions to its standard for advisory public review. BACnet’s Dave Robin and Carl Neilson of the Network Security Working Group, commented on some of the challenges the communications protocol is trying to address.

“We’re trying to make it so BACnet vendors can simply flip a switch at both ends and the security aspects are built in as a point of commissioning,” said Robin. “It’s not something you have to learn to navigate through Linux manuals and figure out how to turn on some obscure feature.”

Robin also commented on the protocol’s proposal regarding tunneling sites. “You see raw BACnet traffic that is running across the internet unprotected… the users know it and they know it’s bad. This aspect of protecting the tunnel from point A to point B is a deployment scenario I can see being quickly adopted. There’s a strong demand for solutions when information has to go across the public internet.”

We need a new version of PTP [point-to-point] – a secure route between routers. Something BACnet people can turn on without needing to understand the IT stuff.

“The solution that’s currently out for public review rides on IT technologies,” added Neilson. “That was one of our fundamental goals. We’re not security experts, so let’s focus on what we’re good at and let the security aspects be dealt with by the people who are good at that. Our industry has to become more responsive and provides those types of updates.”

Enforcing security in an insecure world

Written into the BACnet services standard specification is the requirement that users change the default username and password after their product is set up. However, this condition is not enforceable and is beyond the capability of the protocol.

Too many times, companies deploy their products with default passwords and never change them. This is exacerbated when organizations hire other companies to install equipment for them. There is currently no mechanism to audit sites or the product implementation to ensure these vendors are doing the work properly.

“Customers need to specify all the way down that things need to be properly secured in VLAN or VPNs or whatever. You don’t want someone to walk off the job and have something out on the public internet and not realize they’ve left behind a security risk,” said Robin.

BAS vulnerability

The building automation system industry is used to a long lifetime for its communicating devices. However, once these systems have IP addresses, security becomes an issue. One round table participant identified BAS’ as the next targets for hackers, particularly large runs of devices that are manufactured with the same embedded version of Linux and the same version of SSL stacking.

“They need to be patchable. We’re entering a new era where everything we put on the network uses secure technology. Everything that claims to be secure must be upgradable… must be patchable,” he said.

The segmentation solution

Segmentation was advocated for organizations with many distinct sites. The round table’s banking representative’s company, for instance, has thousands of locations across the United States.

If your security team has its eyes on your datacenter where your building technology device is and they notice an alarm or an alert, how do they know whether to send someone with a gun or someone with a wrench?

“While we’d like some of our building technology devices to be able to share some information, we’re looking at segmentation relative to our corporate network and even further segmentation between our corporate security devices and our building technology devices,” he said.

Diverse portfolios rely on integrators and VARs. Boiler plate language is needed so integrators take ownership of how the systems are configured. Otherwise, organizations are left with open systems that are vulnerable to anyone with a browser who can discover them.

“We’re having to change an industry here,” said one round table participant. “This is not an IT industry where these security components have been built into these systems from the start. We have to address the security risk of the highest profile areas initially. We can’t get to everything and we may even have to disconnect some things and go back to manually operating these systems until we can get controls in place.”

Specification control is another challenge.

The banking participant’s company has created a comprehensive inventory for every asset that has an IP address. The issue of who does this work arises: should it be your real estate people; the people in the field; maintenance teams? Often these people do not understand the difference between an IP address and a DNS. Yet, IT staff typically do not understand the myriad of building controls and would never think to look at a boiler, for example, to see if it has an IP address.

“When we look at this industry and the changes that are occurring, it may be that the building technology or property manager/maintenance manager of the future comes out of networking engineering school,” suggested Neilson.

Adding to your BAS inventory