Cyber Secured Building Management Systems
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
When dealing with Industrial Control Systems (ICS), most people consider the typical utility applications and Critical Infrastructure Protection (CIP) as the main segments. However, overall ICS activity is much broader and includes communication backbones, transportation, public safety sirens, manufacturing, etc., which are also considered ICS and are often referred to as Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA). In this article, I’ll specifically point out another segment called Building and Energy Management Systems (BEMS), which is also known as Building Automation Systems (BAS) or Building Management Systems (BMS).
While for IT cyber security we are always concerned about Confidentiality-Integrity-Availability (CIA), for ICS/SCADA/OT, including BEMS/BAS, we say Safety-Reliability-Productivity (SRP). These systems control a wide range of operations in buildings, such as electricity supply, backup generators and uninterruptible power supplies (UPS), heating, ventilation and air-conditioning (HVAC), elevators, water and sewage, smoke and fire, CCTV surveillance, door locking, etc. This paper also refers to the specific risks and defenses for buildings where Data Centers (DC) reside.
Applicable risks for BEMS/BAS
Some of the control solutions which you may find in buildings are supplied by the vendor of the system (fire extinguishing, generator control, elevator control, etc.), while other control solutions, such as monitoring of electric power breakers, smoke detectors, door locking, CCTV, water and sewage, etc., are built with standard ICS or SCADA components and software. Before elaborating on the cyber security topic, it is important to mention that every ICS architecture must be designed with safety in mind:
- The system must behave safely even if a sensor or the control device fails or a bug is activated.
- The system must not enter an unstable mode if an authorized person makes a mistaken action.
- An internally or externally generated cyber-attack must not affect the safe and stable operation.
When elaborating on BEMS/BAS, a cyber-attack may interfere with the normal life of people in the building. Some of these attacks may cause slight inconvenience, while others might lead to evacuating the building or even panic. Some applicable examples are listed in Table 1 below:
Cyber-attack surface for BEMS/BAS
The majority of cyber-attacks on organizations start with a damaging social engineering activity, such as phishing and spear phishing. Other attacks become possible when an attacker enters the facility (cleaning personnel, service provider, pizza or birthday gift delivery, etc.) and plugs a USB device into a PC while waiting for a tip in your office. The following are a few scenarios of incidents which may affect your BEMS/BAS operation:
- When dealing with BEMS/BAS related cyber security, the most critical risk is caused by poor guarding of the entrance to the facility. Cyber security experts say that if you cannot assure physical security, then it is not worth worrying about cyber risks, as the easiest way to attack a system is by accessing one of the computers or devices connected to the Ethernet/intranet network.
- According to published reports, the majority (60-90%) of “successful” cyber-attacks are possible due to negligent behavior of people (simple passwords, reuse of the office password for social media, responding to suspicious mails, allowing remote access to your computer, etc.). Once the attacker connects to your IT network, they may easily compromise several security barriers and launch the attack.
- The majority of BEMS/BAS are maintained by outsourced service providers. They conduct periodic inspections, repair or replace what is needed, and are granted practically unlimited freedom on site. An unfortunate human error or a sabotage action by an authorized serviceman may disable a safety device (e.g. an overheat sensor), change a calibration, etc. They may intentionally replace a controller with a malware-infected unit, leave a remote access modem on site (a risky backdoor), or change critical programs using their own laptop PC, which might have been infected prior to arrival.
- BEMS/BAS often utilize controllers, some of which are not configurable to run a process but only monitor a device or execute a simple ON/OFF command. These are either low-cost Programmable Logic Controllers (PLC) or low-cost Direct Digital Control (DDC) devices. When supplied, they are configured with a published “factory default” username and password.
- Today we frequently hear about Industrial Internet of Things (IIoT) devices (industrial sensors, CCTV cameras, etc.) which are installed at remote, often unmanned locations and communicate via a wireless network with the control center or with a PLC which supervises their operation. An attacker may initiate a Man-in-the-Middle (MitM) type attack and introduce fake indications to the control center.
- Deployment of IoT and IIoT devices which participate in an extended ecosystem is aimed at delivering valuable operating and cost benefits. However, adding these devices to the network also increases the cyber-attack surface and makes it easier for adversaries to compromise your BEMS/BAS.
Cyber defense solutions
According to the scenarios mentioned above, a BEMS/BAS may include a dozen different, independently operating control systems. Some are part of the supplied assembly, and some may be built by an integrator using Commercial Off The Shelf (COTS) components and software. In order to manage the building operation securely, the cyber security expert must deploy several defense measures, each tuned to guard a specific segment:
- Separation of control networks into zones: While it is technically possible to combine all control processes under a single ICS operation, this method is not desirable. Adversaries might approach the least secure site, penetrate through it, and expand laterally to all BEMS/BAS operations.
- Preventing data exchange among unrelated PLCs: Your experts must determine which PLCs absolutely must communicate with each other; all other links shall be blocked. If needed, you may link these PLCs via digital I/O (DI/DO) or analog I/O (AI/AO) signals as an alternative to an Ethernet connection.
- Deployment of an Intrusion Detection System (IDS): Use of an IDS is a good method for detecting anomalous behavior in some sections of the BEMS/BAS. An IDS can be directed at communication anomalies or control-process anomalies, and it may also effectively help detect zero-day attacks.
- Sanitizing process performing CDR: These kiosks perform Content Disarm and Reconstruction (CDR) and detect malware-infected files on imported media. This process can only be used for standard file types (*.jpg, *.doc, *.gif, etc.), not for files which contain application/control programs.
- Industrial firewall: Firewalls are not a new technology and are widely used in IT cyber defense. Deploying a SCADA-aware firewall in BEMS/BAS networks requires that the selected device and its software be capable of handling BEMS/BAS protocols such as BACnet, Modbus, DNP 3.0, etc.
- Performing strong authentication: This topic covers several segments: a) direct connection of an external PC to the HMI, b) connection to any control device (PLC), c) access via the internet by an authorized person. It is very important to limit the duration of remote connections and keep them as short as possible.
- Secure link between the HMI and PLCs: Encryption is mandatory for connections to remote devices where you face MitM risk and worry about data leakage. However, encryption alone will not protect your system when the attacker performs a “replay attack” (re-sending the same captured message multiple times).
- Unidirectional diode for data export: This mechanism is effective when you are concerned about injection of a malware-infected script into the BEMS/BAS network from the IT network. It is important to note that this method will not protect you against internally generated attacks (e.g. a USB device plugged into a computer).
- Physical security around control sites: This topic was already mentioned, but it is worth repeating that physical security is an absolute precondition for cyber security. Therefore, protect your remote sites at every segment of the BEMS/BAS where an adversary may access your network.
- Hardening procedure: As mentioned above, COTS hardware and software are used today for building parts of the BEMS/BAS architecture. Therefore, it is highly important that all unused services and connection ports (hardware and software) are disabled.
- Secured access to HMI and engineering stations: These computers are located in the control room and the engineers’ room. In order to simplify operation, access to the HMI may allow all users to log in with the same credentials. The engineering station is highly critical and must be strongly protected.
- Cyber secured maintenance for all BEMS/BAS sections: This is a critical topic, as an external service person can freely work on site and any of their actions may lead to a harmful incident. Deployment of software changes and updates should be delayed and done only after extensive testing.
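The PLC-link restriction and the SCADA-aware firewall items above both come down to a protocol-aware allow-list. The following is an added example (not code from the article or any vendor product): it parses the Modbus/TCP MBAP header and function code and enforces a per-link policy. The IP addresses, device roles and policy are constructed for the demo.

```python
import struct

# Standard Modbus function codes (values from the Modbus application protocol spec)
FC_READ_COILS = 1
FC_READ_HOLDING_REGS = 3
FC_WRITE_SINGLE_REG = 6
FC_WRITE_MULTI_REGS = 16

# Constructed allow-list: (src, dst) -> permitted function codes. Addresses and
# roles are made up for this example; a real policy comes from the site's asset inventory.
POLICY = {
    ("10.0.1.10", "10.0.2.20"): {FC_READ_COILS, FC_READ_HOLDING_REGS, FC_WRITE_SINGLE_REG},  # HMI -> HVAC PLC
    ("10.0.1.10", "10.0.2.21"): {FC_READ_COILS, FC_READ_HOLDING_REGS},  # HMI -> UPS monitor (read-only)
}

def build_frame(trans_id: int, unit_id: int, fc: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_frame(payload: bytes):
    """Return (unit_id, function_code) for a well-formed frame, else None.
    The MBAP length field counts the unit id plus the PDU, so it must equal len - 6."""
    if len(payload) < 8:
        return None
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]

def filter_frame(src: str, dst: str, payload: bytes) -> str:
    """Apply the allow-list; returns 'ALLOW' or 'DROP:<reason>'."""
    parsed = parse_frame(payload)
    if parsed is None:
        return "DROP:malformed"
    _unit_id, fc = parsed
    permitted = POLICY.get((src, dst))
    if permitted is None:
        return "DROP:no-approved-link"
    if fc not in permitted:
        return f"DROP:fc{fc}-not-permitted"
    return "ALLOW"
```

Every dropped frame is also a candidate IDS alert: a write request from a host that only ever reads is exactly the anomaly the IDS item above refers to.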
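The HMI-to-PLC link item notes that a protected link can still be replayed. This added example (not from the article) models the link with an HMAC-SHA256 tag and shows that tag checking alone accepts a re-sent frame, while binding a monotonic counter into the tag lets the receiver reject it. The key, command names and receiver class are constructed for the demo; confidentiality is omitted since it is not what stops the replay.

```python
import hashlib
import hmac
import struct

# Constructed shared key for this demo; a real link provisions a per-device key.
SHARED_KEY = b"demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 digest size

def build_message(counter: int, command: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Frame = 4-byte monotonic counter || command || HMAC-SHA256 over both.
    Binding the counter into the tag is what makes a stale frame detectable."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class PlcReceiver:
    """Simulated PLC side. With check_counter=False it only verifies the tag
    (the 'protected link, no freshness' case); with True it also requires each
    counter to be higher than the last one accepted."""
    def __init__(self, key: bytes = SHARED_KEY, check_counter: bool = True):
        self.key = key
        self.check_counter = check_counter
        self.last_counter = -1
        self.executed = []  # commands actually acted upon

    def accept(self, frame: bytes) -> str:
        if len(frame) < 4 + TAG_LEN:
            return "REJECT:malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "REJECT:bad-tag"
        counter = struct.unpack(">I", body[:4])[0]
        if self.check_counter and counter <= self.last_counter:
            return "REJECT:replay"
        self.last_counter = max(self.last_counter, counter)
        self.executed.append(body[4:])
        return "ACCEPT"

def replay_demo():
    """Send one valid 'CHILLER_OFF' frame, then re-send the captured bytes to
    a tag-only receiver and to a counter-checking receiver."""
    frame = build_message(1, b"CHILLER_OFF")
    naive, strict = PlcReceiver(check_counter=False), PlcReceiver(check_counter=True)
    return (naive.accept(frame), naive.accept(frame),
            strict.accept(frame), strict.accept(frame))
```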
BEMS/BAS system architects, integrators and operators must be aware of the potential harm from cyber-attacks aimed at causing data leakage, damage and panic in buildings, campuses and data-center operations. Therefore, managers in charge of a new BEMS/BAS project and those maintaining an existing facility must receive the needed budgets and human resources for strong cyber defense.
C-level executives need to be well aware of the inconvenience which cyber-attacks may cause to their customers and the financial damage to their own organization. Last but not least, they must worry about their own reputation and future in case negligent handling of BEMS/BAS cyber security makes an attack possible.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years’ engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.