Digitising Building Automation Systems: A Cybersecurity Perspective
Author: Andrea Carcano, Co-founder of Nozomi Networks
Digitising Building Automation Systems
Whether we realise it or not, buildings and facilities are becoming “smarter” by the day. With this increased connectivity, they are becoming more technologically efficient, and enabling the workers inside them to be more productive.
The cost, however, is an increase in electricity consumption. In the US for example, over 70% of the electricity produced is consumed by commercial buildings, along with almost 40% of greenhouse gas emissions.
Therefore, digitising building automaton systems like HVAC, energy, lighting control, video surveillance, access controls, elevator controls and their associated sensors, cameras and devices can help to reduce this energy consumption, improve occupant comfort, keep total cost of ownership low, operate building systems efficiently and increase the lifecycle of utilities.
However, these operational benefits likely outweigh any potential cybersecurity challenges that connectivity brings in the decision-making process. In fact, those that run most of today’s smart buildings are being confronted with shrinking resources, scarce cybersecurity talent and the issues that arise as IT converges with OT.
The digital transformation of the building automation sector also involves moving away from older proprietary systems and adopting edge-to-cloud computing architectures. This has resulted in the deployment of lower cost sensors, both wired and wireless, to gather as much data as possible becoming the new normal. Yet, at the same time, the industry has a considerable infrastructure of legacy building automation systems, applications, devices, and networks that underlies it, which must be managed, maintained and gradually modernised.
According to Larry O’Brien at ARC Advisory Group, managing cyber risk for smart buildings, like traditional ICS sectors such as manufacturing and electric utilities, brings about its own specific challenges.
IT/OT Convergence – Many end users and owner-operators in the building automation sector still view IT and OT cybersecurity as separate challenges. However, attackers are already exploiting gaps between IT and OT defences. For example, spam phishing is commonly used to gain privileges and entry into OT systems. Hackers are using HVAC and other poorly defended OT systems as entry points into data centres and corporate IT networks.
OT Systems Incorporate More IT – The rise of the Internet of Things, Industry 4.0, and other sweeping technology initiatives are creating a huge wave of IT adoption at every level of the building system architecture. Edge computing devices are already replacing proprietary controllers in a variety of applications. ARC sees the adoption of a wider range of cheaper, smarter, more pervasive sensors.
Aside from the functions performed by the systems and their unique sensing requirements, it will be increasingly difficult to distinguish between building automation systems and enterprise-level systems from a computing perspective.
The Rise of OT-level Cyberattacks – Cyberattacks on smart buildings, along with related attacks on smart cities and infrastructure, can have wide-ranging impacts and can pose risks to human safety.
An attack in a large public building or structure (particularly in a densely populated area), could potentially cause chaos.
Cyber-physical assets in smart buildings, cities, and infrastructure are becoming more distributed, particularly when you look at the new trend towards monitoring entire fleets of buildings from a centralised location.
On a campus or in a medical complex, these systems cover multiple city blocks and can be crucial to the overall functioning of a city or community.
Expanded Attack Surface – Today’s smart buildings feature many systems and interconnections. These broaden the threat landscape for an attack. In the case of the Target retail chain hack, the HVAC system was accessed and used to gain entry to financial systems to steal the credit card information of over 40 million people.
Insecure Protocols – Exploiting insecure industrial protocols is another way attackers can disrupt operations. This is particularly true for building automation systems. Popular protocols like BACnet and LonWorks are not inherently secure and, like protocols used in the manufacturing sector, have their own vulnerabilities. Sophisticated attackers are aware of these gaps and have easy access to the documentation needed to construct commands designed to disrupt the operation of controllers and other devices.
Controlling Cyber Risk
Good cybersecurity starts with people, process and technology. Building owner-operators should be aware that cybersecurity is a risk that they can’t afford to ignore; therefore, making important hires of people who are adept at handling cybersecurity issues and following a process when new connected technology is introduced.
From a security technology perspective, a key part to any cybersecurity strategy, especially when it comes to building automation and adding connectivity to any environment, must be visibility. After all, as the old saying goes, “you can’t protect what you can’t see.”
And it’s not just the physical surveillance visibility, but all the potential “ins” an attacker can use to gain a foothold into a building and its systems: connection points, Wi-Fi or Bluetooth enabled devices, email, ports accidentally left open, and the list goes on. This is further evidence of IT and OT convergence, which are still viewed as separate entities. As part of the visibility process, this mindset needs to change because the increasingly connected buildings of now, and the future, will blur the lines between the two.
The tangled webs of connectivity need just one exposed attack path for attackers to navigate their way through an entire system. So, owner-operators should look for solutions that integrate IT/OT/IoT in order to give them the most complete view of their building automation systems environments with centralised management and the ability to continuously monitor for vulnerabilities, threats and anomalies which could point to cyberattacks in the building automation environment.
As a result of automation, buildings can be more environmentally friendly, efficient and comfortable. But these connected facilities could equally become dangerous in the hands of a determined attacker.
Therefore, cybersecurity must be one of the main considerations given to any building automation project, putting the “smart” into smart buildings.
Andrea Carcano is an expert and international leader in industrial network security, artificial intelligence and machine learning. He co-founded Nozomi Networks in 2013 with the goal of delivering a next generation cybersecurity and operational visibility solution for industrial control networks.
Nozomi Networks accelerates digital transformation by protecting the world’s critical infrastructure, industrial and government organizations from cyber threats. Our solution delivers exceptional network and asset visibility, threat detection, and insights for OT and IoT environments. Customers rely on us to minimize risk and complexity while maximizing operational resilience.
As Chief Product Officer Andrea defines the vision for Nozomi Networks’ products and he is the voice of the customer within the organization. In this role he draws on his real-world experience as a senior security engineer with Eni, a multinational oil and gas company, as well as his academic research.
With a passion for cybersecurity that began in high school, Andrea went on to study the unique challenges of securing industrial control systems. His Ph.D. in Computer Science from Università degli Studi dell’Insubria focused on developing software that detected intrusions to critical infrastructure control systems. His Masters in Computer Science from the same institution involved creating malware designed to take advantage of the lack of security in some SCADA protocols and analyzing the consequences.
Follow Us
Digitising Building Automation Systems: A Cybersecurity Perspective
